Avi Rubin, professor of computer science, technical director of the Johns Hopkins University Information Security Institute (ISI), was featured on Fox45 News below on the vulnerability of schools’ cyber infrastructure.

BALTIMORE COUNTY, Md. (WBFF) — School systems have become prime targets for hackers, according to experts who say they are particularly vulnerable to ransomware attacks.

It’s been two years since Baltimore County Public Schools was hit with ransomware that shut down much of the school system. The timing could not have been worse. On November 24, 2020, as every Baltimore County Public Schools student was learning virtually, the attack crippled the district.

“We are going to continue to do what we need to do to support our students and staff,” said Baltimore County Schools Superintendent Dr. Darryl Williams during a December 2020 news conference.

For several days, America’s 24th largest school system was shut down. The disruption to distance learning lasted weeks while also impacting financial operations, including retiree benefits. To this day, the district has never publicly identified the attackers or their demands. Fox45 News knows that as of November 2021, the hack cost the district nearly $10 million. But BCPS has not released an updated amount.

“I wasn’t surprised,” said Avi Rubin, a computer science professor at Johns Hopkins University. “I thought it was just a matter of time before we saw the school system get hit. Nowadays, everybody is getting hit.”

Ransomware attackers look for two things when choosing a target, according to Rubin. First, a target with a lot of money. Second, a target that can easily be hacked and may pay a ransom to get back encrypted files and information. Rubin says school systems provide both opportunities.

“If they are able to completely cripple and shut down a school system, such a large school system, then it is very likely that the school system would pay because they need to operate,” Rubin told Project Baltimore. “They need to teach children.”

The United States government has taken notice. In September, the FBI issued a warning that ransomware attacks on schools may increase as hackers see schools as “particularly lucrative targets.” Over this past Labor Day weekend, the second largest school system in America, the Los Angeles Unified School District, experienced a ransomware attack. District administrators said the hack caused a “significant disruption.”

Baltimore County Schools declined an interview with Project Baltimore to discuss the hack from two years ago. But, in a statement, the district said it had implemented new technology and security processes, which include network safety training and new software with 24/7 monitoring, while “mission-critical services” have been moved to the cloud.

“Everybody and everything is being targeted, and that’s because the attackers have become quite sophisticated in the last two years,” said Rubin.

Protection against those sophisticated attacks takes money. BCPS has about a $2 billion budget. In 2021, the district spent roughly $23 million on IT. The current 2023 budget spends about the same. Despite the hack, the system does not seem to be investing more money into IT.

“I think that it is a concern that they haven’t increased their budget, given that there’s more to do and the security risks are increasing,” Rubin told Project Baltimore.

Baltimore City Schools is spending less, going from $21 million in 2021 to $16 million in the current budget. But Howard County has increased IT spending by $5 million over the last two years.

Rubin says the amount of money being spent is just as important as how it’s being spent. Is a school system focused on the right software? Does it have the right tools? Are their computers and systems updated and backed up? Are their employees educated on how to stop a hack before it happens?

“In a school system such as the Baltimore County School System, you typically don’t find the level of sophisticated security in it that you would, say, in a bank or in a large corporation,” explained Rubin. “I think the key is training, awareness, and then getting the right system administrators in the right place and appreciating what the threats really are.”