WASHINGTON, D.C. – Today, during a hearing of the Homeland Security and Governmental Affairs Committee’s Subcommittee on Federal Spending Oversight (FSO), U.S. Senator Jacky Rosen (D-NV) questioned Brandon Wales, Acting Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, on the increasingly prevalent and sophisticated cyber threats that states and local entities face during the COVID-19 pandemic. This hearing follows a recent ransomware attack targeted against Nevada’s Clark County School District, the fifth-largest school district in the United States. A transcript of the Senator’s full exchange can be found below, and a video of the Senator’s full exchange can be found here.

ROSEN: During the COVID-19 pandemic, the number of cyberattacks have significantly increased. Cyberattacks can be expensive and debilitating, especially for small organizations, like schools, hospitals, and local governments. I’m glad we’re coming together in a bipartisan way to talk about how we can protect vulnerable communities in this challenging time.

Elementary and secondary schools face many challenges as they transition to online learning during the pandemic, including constrained budgets, bridging the digital divide, ensuring the health and safety of students and faculty, and continuing to educate and support our students. As schools struggle to meet these challenges, they also remain particularly vulnerable to hostile cyber actors. Earlier this spring, the FBI warned that K-12 institutions “represent an opportunistic target” to hackers, as many school districts lack the budget and expertise to dedicate to network integrity. 

Last August, Clark County School District, Nevada’s largest school district and our country’s fifth-largest school district, was the victim of a ransomware attack. The hacker published documents online containing sensitive information, including Social Security numbers, student names, addresses, and grades. This is unacceptable, and the Federal government must help schools obtain the tools and resources to protect and combat cyber threats, something I have raised with both CISA and the Department of Education.

Mr. Wales, what steps is CISA taking to ensure cyberattacks, including ransomware attacks, against K-12 schools and school districts do not take place or lead to significant data breaches in the future?

WALES: Thank you, Senator, and I know that some members of the CISA team along with the Department of Education are planning on briefing you and your office later this week on this topic. In the meantime, the first thing I would say is we have expanded our focus on K-12 education from the beginning of the pandemic, putting information on how schools can improve their cybersecurity with their distance learning. 

In addition, we are encouraging schools to participate through the information-sharing mechanisms that have been created, for example, the Multi-State Information Sharing and Analysis Center, the Multi-State ISAC, which is a free resource available that we have invested in, from the Department, for state and local governments. 

Today, 2,000 school districts, schools, and IT service organizations are part of that Multi-State ISAC. There are additional resources and tools that states and school districts can take part in that can help them ensure their protection against ransomware and other attacks. For example, the MS-ISAC offers malicious domain blocking so that no malicious domains that are used by ransomware operators would be blocked from activity on those networks. Still, only about 120 schools are actively using that service that’s offered for free today. 

What I want to see is, much like we’ve done in the past four years in the election security context, how do we build a national community with the school districts to get them focused on the security aspects related to their networks. That’s not going to go away even after the pandemic is over. 

We need to arm them with the same information, the same resources, and that’s going to start with them taking advantage of the no-cost services that are currently offered across the country to state and local governments and the entities that exist within them. This is obviously a big problem; there are over 13,000 school districts across the country. It is going to take time, attention, and focus. But, I am confident that if the executive branch and Congress work together, we can find creative ways of leveraging the capabilities that we have and getting more schools signed up for these services.

ROSEN: Well, I appreciate that, because I was going to ask you, I know you said 2,000 school districts are using it; in some cases now only hundreds of schools or schools districts out of the 13,000. You talked about malicious-ware or ransomware. 

We have small school districts, rural school districts who may not have the capacity or any expertise even to take advantage of these free services. Are there grant programs -- what kind of support can we give or can you give to be sure that the folks who are sitting in those administrative offices can take advantage of what you’re offering? We need to get it out there to 13,000 school districts for sure, but not all of them have somebody who is even technically – knows enough to really take advantage of it. So what kind of programs are you offering for training for people who work in these schools.

WALES: Sure, we have recognized long that the small and medium-sized businesses and government entities have unique challenges. What we had put in place earlier this year is called CISA Cyber Essentials. These are the bare minimum basic things that you need to put in place to get some baseline level of cybersecurity. It is geared for the small and medium-sized businesses. It’s also geared for large companies to send to their smaller suppliers to get some baseline security. 

Over the past several months, we’ve been issuing monthly modules, tool kits that could be used, step by step guides for how to put in place the baseline level of cybersecurity; what are those things you need to do to have challenging passwords or two-factor authentication, how to set that up on your network to make it a little bit more clear and easy for you to walk through. 

But, if states, if cities, if communities pushed that kind of information out even to their smaller school districts, this is the kind of information that’s powerful in the hands of those small companies because the reality is these ransomware operators are looking to make money quickly. So, they’re going to find whoever is most vulnerable. So, if you’ve done some of the basics, if you’ve put in place the bare minimum level of cybersecurity, there is a good chance that the ransomware operator will move on to the next victim – they’re not going to target you. So, by investing a small amount of energy in putting in place cybersecurity at even a bare level, you can have a significant impact and dividend for your overall level of security.

ROSEN: Well, I appreciate that. My next question, I know I’m out of time. We need the same kinds of things for our small businesses around the country as well. I look forward to speaking to you offline about how we can get your message out for this training and these programs and all of the cyber-hygiene tools to as many folks as possible because we can’t afford not to communicate your hard work and get people to take advantage of these programs. Thank you.

WALES: Absolutely. I think any help we can get in amplifying the work that is already out there, the tools and resources that Congress has already invested in through CISA is available for all of the country to utilize, and we want more people to take up and use the. Anything you can do to get that message out there and amplify the work we’re doing, our agency is going to be grateful for.

ROSEN: Thank you.

 ###

Issues