The Road to Restoration: Baltimore Schools Rise from Cyber Attack

District leaders from Baltimore County Public Schools reflect on their ongoing cybersecurity efforts and lessons learned in the course of recovering from a crippling cyber attack in 2020.

More than two years after a cyber attack brought Baltimore County Public Schools to a standstill, the district’s IT chief boils down the exhaustive recovery, system restoration and continuing security improvements to this advice: Multifactor authentication (MFA) is an absolute must for everyone.

“That’s the most important step to take,” said Jim Corns, executive director for the district's division of information technology. “Everyone must buy into the shared belief for MFA. Sell the upshot, not the burden.”

MFA is the process of accessing an app or website through more than one verification step. For example, in addition to logging onto a site with a username and password from their computer, users might also be required to receive a text or a phone call on their cellphone or landline to see or hear a code that would then be used as the second step of verification.

Corns spoke with Government Technology Thursday and recently discussed his experience at the K12 Security Information eXchange in Austin, Texas. The Nov. 25, 2020, cyber attack on the nation’s 25th largest K-12 school system affected 115,000 students, 12,000 teachers and 176 different sites. The event was called a ransomware attack, though the district never engaged with the culprits. Schools were closed for three days as files were encrypted. Faculty, staff and students could not log in to the system. All operations were frozen, from payroll and finance, to curriculum and instruction, to student grades and demographics.

“The first few days, we all worked almost around the clock,” Corns said of his technical staff, made up of about 200 employees. “And the next six months the average day clocked was about 14 hours.”

At the time, the schools were still operating virtually due to the COVID-19 pandemic, making the restoration effort even more challenging, Corns recalled. The 26 high school buildings were opened for the purpose of switching out laptops or wiping the infected computers clean and re-installing operating systems. District employees set appointment times and waited outside in their cars. Many employees who were not on the technical staff volunteered to help with laptop duties. Two workers even pushed back their retirement dates to join the triage effort, Corns said.

“Everyone stepped up,” he said. “You can’t name one person who did something important without naming them all.”

The district worked with its vendors, including Google, Microsoft, PowerSchool and Focus, to access the backed-up data locations and rebuild systems. Online instruction was restored using Google Meet. Most servers were moved to the cloud; the building security, heating and air conditioning, and video surveillance servers have remained onsite.

“My local data center is not mission-critical to the function of the system anymore,” Corns said. “We have a stronger level of partnership with cloud vendors. We’ve diminished our reliance on local resources in order to lean into the individuals for their security.”

In addition to the MFA functions, the district requires employees to use much more complex passwords compared to what was acceptable before the cyber attack, and those passwords are checked against lists of known compromised passwords before they can be set. The upside of this process, however, is that users don't have to change the password unless they feel there is a chance it has been compromised, Corns said. In addition to cloud storage efforts, district leaders now document all business processes, rather than relying on institutional knowledge. They also evaluate all software programs used on a regular basis and discard anything that does not fit the district’s needs.

A year after the attack, Corns detailed to the Baltimore County Public Schools the response of his team and their ongoing cybersecurity efforts. The district's Chief Academic Officer Mary Boswell-McComas urged school officials, employees and students to take a personal interest in cybersecurity and view it as a requirement, not a convenience.

“And ultimately we must provide security as an ongoing part of our budget process year upon year,” Boswell-McComas said, according to the board of education meeting transcripts. “I think in the end … we all need to remember to be the porcupine, right?”

Now, more than two years later and at a time when these lessons learned are being shared with education and IT leaders across the nation, Corns implores his colleagues to remain vigilant in the cybersecurity war.

“We are recovering,” he wrote in an email to Government Technology. “But there’s no clear transition from recovery to regular business operations. Cybersecurity is a marathon with no finish line.”

Editor's note: This story has been updated to include a more specific quote from Jim Corns about the school district's business operations, which have resumed in full but in a different system than before the cyber attack.
Aaron Gifford is a former staff writer for the Center for Digital Education.