How schools struggle with cyber, and how Washington can help

With help from Maggie Miller and John Sakellariadis 

— Schools lack the money, expertise and board support to protect their valuable data from hackers. If the White House wants to help, a new report offers a guide.

HAPPY MONDAY, and welcome to Morning Cybersecurity! I’m your host, Eric Geller, filling in for John. I thought I was the team’s resident pun master, but some of John’s MC greeting messages have threatened my sense of dominance and spurred me to redouble my efforts.

On an unrelated note, covering major hacks sometimes fills me with a sense of futility. It reminds me of what I say to myself when I realize, with a feeling of resignation, that I have to venture out into a cold winter day: “Sigh, brrrr.”

Got tips, feedback or other commentary? John will be back tomorrow, so email him at [email protected]. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

The Information Technology and Innovation Foundation holds a virtual discussion about the costs and benefits of proposed European Union cyber regulations for consumer products. 9 a.m.

FAILING GRADE — Biden administration officials view K-12 schools as a top priority for expanded cybersecurity support, and a new report on the digital shortcomings plaguing those schools offers a roadmap for how the government can help.

“The K-12 sector is improving in its cybersecurity capabilities over time, though the sector lags behind other sectors when comparing cybersecurity program maturity,” reads a report published today by the Center for Internet Security, which collects data on threats facing schools and other state and local government institutions through its Multi-State Information Sharing and Analysis Center.

In data collected from 197 school districts during the 2021-2022 academic year, schools scored 3.55 out of 7 on a cyber maturity scale that CIS uses to gauge organizations’ progress in implementing basic practices like multi-factor authentication, employee training and incident response planning.

— Major struggles: The report found that 81 percent of schools hadn’t fully implemented MFA, with 29 percent not using MFA at all. Schools also registered poor marks when it came to encrypting USB flash drives, maintaining logs of network activity, creating data recovery processes, and reviewing their service providers’ cybersecurity practices.

— The resource question: At nearly one-fifth of schools, cybersecurity accounts for less than 1 percent of the IT budget, CIS found. The average school only spent 8 percent of its IT budget on cybersecurity.

— Chicken and egg: It’s reasonable to guess that schools might fare better if their school boards paid closer attention to cybersecurity. Karen Sorady, VP of member engagement at CIS, told MC that boards’ interest in and understanding of cyber issues varies, but that “the interest/awareness tends to be higher in more resourced districts.” That raises the question of whether board interest leads to better security or whether schools with better security promote the issue to their boards.

— That’s … odd: Interestingly, 83 percent of schools held cyber insurance policies — a questionable expense at a time when cheaper investments in routine security practices can close the vast majority of the gaps that lead to incidents requiring insurance payouts.

“Our empirical data shows that implementation of basic security controls … are successful in stopping between 77-91% of the top cyberattacks,” Sorady said.

— Policymakers, take note: The findings in CIS’ report highlight plenty of ways for CISA and lawmakers to help schools protect themselves from hackers, such as grant funding, training programs and board engagement.

— Speaking of which: A 2021 law (S. 1917) required CISA to study, report on and produce guidance to address cyber threats to K-12 schools, but CISA still hasn’t completed those tasks.

CYBER MIA — Cybersecurity is likely to fall by the wayside in Bali this week as leaders from the United States and almost two dozen other nations gather for the annual G-20 summit and as President Joe Biden is set to meet with Chinese President Xi Jinping on the sidelines.

Biden is set to travel to Indonesia for the summit without any administration cybersecurity officials accompanying him, according to White House spokesperson Samantha Reposa. Cybersecurity was also not among the topics White House officials teased would be discussed in the run-up to the summit, which takes place Tuesday and Wednesday.

— Still in the spotlight: Cybersecurity may not be entirely absent at the summit. Indonesia has the G-20 presidency, and one of its three pillars for 2022 was a focus on digital transformation.

Even if the G-20 representatives fail to bring up cybersecurity issues, it’s already been a major focus on the international stage in recent weeks following the second annual meeting of the Counter Ransomware Initiative at the White House last week and NATO’s Cyber Defense Pledge Conference last week in Rome, both of which featured the involvement of dozens of countries. Cyber was also a focus during the Group of Seven, or G-7, meeting earlier this year.

— Biden meets Xi: Cybersecurity and tech issues are more likely to come to the forefront during Biden’s meeting today with Xi, the first time the leaders have met in person since Biden took office. National security adviser Jake Sullivan said last week that Biden would raise the issue of “Chinese economic practices,” which could cover Beijing’s extensive cyber-enabled intellectual property theft operations.

PICKING IT UP — Authorities in Australia are pushing a new and aggressive set of tools to thwart ransomware groups and cybercriminals, following a widespread and particularly harmful ransomware attack against one of the country’s largest health insurance providers.

On Saturday, Attorney General Mark Dreyfus and Minister for Cybersecurity Clare O’Neil announced that Australia is setting up a 100-person “permanent joint operation” between the country’s top spy agency and its federal law enforcement agency to “hack the hackers.” The next day, O’Neil also revealed the government is considering a ban on all ransom payments in the country.

The moves come days after Australian authorities blamed Russia for offering safe harbor to the criminals behind the recent extortion attempt against health insurer Medibank, which holds data on nearly 8 million Australians, or a third of its population.

— Back-up: At a press conference on Friday, the commissioner of Australia’s Federal Police, Reece Kershaw, revealed law enforcement authorities there had determined the individuals behind the Medibank hack are Russian. He also warned the incident deserves “a response that matches the malicious and far-reaching consequences that this crime is causing.”

TALL TASK — While Australia appears hot on the trail of the Medibank hackers, ransomware in general is becoming increasingly difficult to track, according to new data from Recorded Future analyst Allan Liska.

Speaking at the BRUNCHCON cybercrime conference on Friday, Liska said Recorded Future detected 223 new ransomware variants over the past year as digital extortionists increasingly “go it alone” and eschew more established extortion gangs.

— Mixed bag or unintended consequence?: The splintering of the ransomware ecosystem is the result of law enforcement turning up the heat on extortionists, according to Liska.

Cybercriminals are breaking into groups of only four to five people, Liska said, because they have “grown skittish” about working in large gangs that draw attention from authorities.

SAFE FOR NOW — All but one of the election-denier candidates running for governor and secretary of state in battleground states have lost their elections, suggesting that voters had little appetite for conspiracy theories about hacked voting machines and rigged contests.

The results are sure to hearten Biden administration officials who might have worried that a surge in election administrators with far-right views would complicate the vital partnership between federal and state officials on election security.

— Nearly clean sweep: Mark Finchem and Jim Marchant’s weekend defeats in the secretary of state races in Arizona and Nevada, respectively, capped a string of losses for the election-denier movement. Previously, Doug Mastriano lost the Pennsylvania governor’s race and Kristina Karamo lost the Michigan secretary of state election.

— Glaring exception: In Indiana, voters chose as their new secretary of state Diego Morales, who called the 2020 election a “scam.” Morales previously worked for the office before twice leaving after negative performance reviews.

CJ Dixon recently joined DHS as a cyber policy adviser in the Office of Cyber, Infrastructure, Risk, and Resilience. He was previously a cyber risk specialist master at Deloitte.

Former CISA Director Chris Krebs recalls some of the highlights of his experience on Twitter, including one rather notable one.