
Local woman testifies during congressional hearing on ransomware

Seguin, TX, USA / Seguin Today


(Washington, DC) — More needs to be done to protect schools, hospitals, and other institutions from cybercrimes that place data and people at risk. A familiar face in the Navarro and Judson school districts was among those who testified about this issue during a congressional hearing held Wednesday in Washington, DC.

Dr. Lacey Gosch, who currently serves on the Navarro ISD Board of Trustees, was part of the panel that participated in the Joint Hearing on Combating Ransomware Attacks. Dr. Gosch knows firsthand about the challenges of ransomware attacks. She’s an elected member of the Navarro ISD school board, but her day job is as an assistant superintendent in the Judson ISD. The San Antonio area school district suffered a major ransomware attack on June 17, 2021.

“I represent the Judson Independent School District as the assistant superintendent of technology and I’m here to share our experience with ransomware. My primary professional role and the events related to the testimony are from my experience as the leader of the technology department, serving over 24,000 students and 4,500 employees across seven municipalities in the San Antonio, Texas area. I also serve as an elected school board member for the Navarro Independent School District. Therefore, my passion for seeking school support and combating cybercrime runs very deep,” said Gosch.

All of the district’s data was compromised by the attack. Gosch says they would later find out that it was an attack conducted by a group using a well-known piece of malware that allowed the attackers to gain access to Judson’s data.

“The ransom note stated that all data on all devices and all servers was encrypted, including our backup systems. We immediately contacted law enforcement and the Federal Bureau of Investigations (FBI). The threat actors were identified as PYSA, a variant of the Mespinoza strain of malware, commonly leveraged in high paying assaults and victim selections based on their ability to pay. In 2021, PYSA was the third most prevalent ransomware strain, with primary targets of higher education and K-12 schools. The group was most notably known for their double extortion involving publicizing stolen information should victims refuse to comply with their demands,” said Gosch.

The Judson ISD had the ability to recover its network, but that would not have removed the threat to all of the personal information that had been stolen as part of the attack.  This is how many of these ransomware attacks work, and why so often victims end up making a payment to their attackers.

“The recovery of our network was not our primary concern. We had ample resources to restore our systems. Our concern was the security of the data…and preventing the release of that personal identifiable information of our constituents. Consequently, the district made the difficult decision to pay the negotiated amount of ransom, totaling $547,000 on June 29. Our recovery took more than a year and the district continues to make improvements,” said Gosch.

The situation in the Judson ISD is a perfect example of the threat that exists with these kinds of ransomware attacks. Dr. Gosch says even after paying the ransom, it was a major undertaking to get the network fully restored. There was no outside support from state or federal agencies, and the district was effectively on its own.

“The restoration of the network was only possible through the efforts of my technology team’s perseverance, key vendor partners and some school district friends that assisted us in communications and business operation functions — when others were too scared to even take our calls. Thankfully, there are companies and school district partners who saw our situation as an opportunity to learn. We learned that the cavalry does not come, and we must rely on our own resources. No state or federal agency ever visited or offered recovery assistance to us,” said Gosch.

Dr. Gosch’s story was like others on the panel. Most of the members of the committee spoke about the need for policy considerations to help with these kinds of cyberattacks. Dr. Gosch says the case in the Judson ISD points to the overall vulnerability that exists for schools, hospitals and other organizations that are often targeted during these ransomware attacks.

“I was hired only 34 days prior to this attack in the school district. The state of the district’s technology was not unlike thousands of school districts across the nation. It was outdated, out of support, and included antiquated systems and hardware that included outdated infrastructure that could not support the changes brought about by COVID-19. These factors are attributed to our vulnerability and in the continued concerns for many K-12 leaders. Schools are often forced to balance the needs for student curriculum, personnel resources, facilities, and other operations on limited budgets. Therefore, funding for solutions to prevent attacks and protect data and upgrade equipment is pushed aside for more visible and tangible items. Recovery and mitigation programs for cybersecurity have not been formally developed for schools, but we would recommend potentially discount programs, similar to things like E-Rate and other federally supported programs. Additionally, there are other measures, such as standards for network security, requirements for making Social Security numbers masked in all systems training and educational programs, and social and emotional programs for affected individuals is also needed,” said Gosch.

Dr. Gosch was one of three people to testify during Wednesday’s hearing. The others were Grant Schneider, senior director of cybersecurity services at Venable LLP; and Dr. Stephen Leffler, president and COO of UVM Medical Center.

The joint hearing was called by Subcommittee on Cybersecurity, Information Technology, and Government Innovation Chairwoman Nancy Mace (R-S.C.) and Economic Growth, Energy Policy, and Regulatory Affairs Chairman Pat Fallon (R-Texas), and focused on combating ransomware attacks. The hearing demonstrated the damage caused by ransomware attacks and the difficult choices confronted by victims. It also looked at the sources of these attacks, and what the appropriate role should be for the federal government when it comes to preventing and responding to these attacks.