New Mexico school districts are again a target of cyber attacks. These unwanted and unfriendly breaches of computer systems effectively shut down many schools. 

As a result of the dependence upon remote learning due to COVID-19, current cyber attacks are particularly damaging, not just to the pocketbooks of school systems but also to the students who depend upon school system computers to learn. “Hackers have capitalized on the chaos caused by this transition [to remote learning] by finding new ways to attack students and teachers who are now more vulnerable than ever,” states an article posted at TheEducatorOnline.com. 

In the last 60 days, separate attacks have crippled several New Mexico school systems. In Albuquerque 75,000 students have had their classes canceled. The problem, however, is not limited to Albuquerque; other school districts in the state have recently suffered major cyberattacks. One district is still suffering from a cyber attack that hit just after Christmas.

The small Central New Mexico town of Truth or Consequences discovered a cyber attack on Dec. 28 and still has not gained back control of its computer systems. “We’re not out of the woods yet,” said Mark Torres, the information technology director for the Truth or Consequences school system. 

Schools Provide a Soft Target

Nationwide schools have long been a fairly soft target for cybercriminals. As other soft targets have hardened through the strengthening of internal security, schools have lagged behind, causing the opportunity for hackers to focus on launching attacks against school systems.

According to the K-12 Cybersecurity Resource Center, nearly 350 cyber attacks on school districts or educational agencies were publicly reported in 2019. This figure equates to three times more incidents than the previous year of 2018.

In 2020 the number of publicly disclosed computer attacks on schools increased to a record breaking 408, states a report (PDF) compiled by the K-12 Security Information Exchange, a non-profit that tracks such incidents. Many experts consider the figures compiled by K-12 inaccurate, erring on the low side. These experts substantiate their findings, concluding that many school attacks go unreported.

With the relaxing of COVID-19 restrictions, schools are reopening across the country for in-person instruction. Many, however, are expected to retain virtual learning as an option. All of this means more access points for potential intrusion with financial consequences for school districts that are already facing increased costs incurred by bringing students back to in-class learning.

Experts conclude that school districts often do not have the money to hire necessary cybersecurity experts and/or to invest in needed outside services. Such experts and services are pivotal in preventing ransomware and other cybersecurity attacks. Coupled with this factor and as a result of the coronavirus pandemic, school districts are additionally vulnerable because they have had no choice but to fast-track new remote learning models. 

Serious Risks

Where many risks are nothing more than a major annoyance — denial of service, breaking into zoom meetings, changing settings — serious risks felt by both students and their families have long-reaching effects and are costly to remediate. 

Ransomware attacks tend to get more reporting as these effectively shut down whole systems until a ransom is paid. Unfortunately, the ransom is paid out of taxpayer dollars that should go straight to teaching and to students, not to cybercriminals. 

One other serious risk with long-term consequences is the reality that schools store a vast amount of personal information about students and their families. Data breaches that compromise this information can put parents and students at risk long after the actual event and even after the student no longer attends the school. 

“Technology changes quickly, and big organizations like school systems don’t always keep up,” said Clayburn Griffin, a cyber security expert in Lovington. Laws often fall behind too.

Two Proposed Bills

During the current legislative session, state lawmakers from both sides of the aisle have introduced new legislation to help defend the state’s schools against cyber threats. 

Representative Rebecca Dow (R. – District 38) and Senator Michael Padilla (D. – District 14) have each filed non-competing cybersecurity bills in a bid to ensure additional attack prevention measures are implemented within the state.

Dow’s proposed legislation

Rep. Dow’s proposed legislation, HB122 (PDF), was filed to a House committee on Monday, January 21. Her bill is focused on increasing the cybersecurity of New Mexico’s public schools.

“The last thing we need while students are learning remotely is a cybersecurity breach. This further disrupts learning,” said Rep. Dow. “Dollars need to go to improving student outcomes, not to paying ransoms.”

Dow’s proposed legislation would require the introduction of a School Cybersecurity Program for the statewide education technology infrastructure network by the end of fiscal year 2026. 

“It will cost about 43 million dollars to address the needs of all 87 school districts, and that’s based on a cybersecurity task force that we requested them to investigate and report back to us,” said Sen. Dow. “Now it’s time for us to fund that.”

Senator Padilla’s, Proposed Legislation 

Sen. Padilla’s proposed legislation, HB98 (PDF), was filed on Wednesday, January 19. The bill would allocate $1 million to create an Office of Cybersecurity within New Mexico’s state government. The office would include a team of cybersecurity experts led by a chief. 

About the Office of Cybersecurity Sen. Padilla said that the office would act as “a repository for all best practices” and would “save districts money, time, and energy.” Summarizing, he said, “You have a place to better spend the dollars that are utilized and available to fight cybersecurity attacks.”

According to the terms of the legislation, on or before September 1, 2022, the cybersecurity office would be required to develop and present to Governor Lujan Grisham and the appropriate legislative interim committee a preliminary five-year statewide cybersecurity plan. 

“The preliminary plan shall include an assessment of cybersecurity services for governmental agencies and public educational institutions across the state compared to the standards established by various federal requirements for research grants or education or cybersecurity assistance programs,” states the bill.

Importantly, input for the plan will be requested from each local and tribal government within the state of New Mexico.

Federal Cybersecurity Support

In October U.S. President Joe Biden signed the K-12 Cybersecurity Act. This act calls for the federal cybersecurity agency to make recommendations about how to help K-12 school systems better protect themselves.
“The global pandemic has impacted an entire generation of students and educators and underscores the importance of safeguarding their sensitive information, as well as for all Americans,” said Pres. Biden. “This law is an important step forward to meeting the continuing threat posed by criminals, malicious actors, and adversaries in cyberspace.”

Photos by Tima Miroshnichenko // Pexels & Bermix Studio // Unsplash