Cyberattack on New Hampshire school district illustrates growing threat to states and localities

WASHINGTON — In October 2019, officials at a tiny western New Hampshire school district suddenly realized they had a problem on their hands.

The Sunapee School District’s servers, documents and other internal information systems had been locked down by an outside entity demanding a ransom payment.

A cyberattack, like the Colonial Pipeline one that spurred days of shuttered gas stations this spring, had seized the small, 430-student school district, which has just one full-time IT staffer and a part-time technician.

System backups meant the school district eventually was able to resume its operations without paying ransom to the attackers. But the recovery took nine days and cost more than $40,000 in fees, materials and hardware, according to Russell Holden, the district’s superintendent.

The incident could have resulted in months of lost data if the district hadn’t recently upgraded its backup system, he added.

Holden described the district’s ransomware experience during a Senate hearing Thursday, where he and other state and local officials told lawmakers they need more money and communication from the federal government to better mitigate the growing threat of cyberattacks.

The recent ransomware attacks that temporarily paralyzed Georgia-based Colonial Pipeline and major meat producer JBS have highlighted the supply-chain risks of companies falling prey to cyber assaults.

But state and local governments also have been grappling with these threats for years, said Sen. Maggie Hassan, (D-N.H.), who leads the Senate Homeland Security and Governmental Affairs subcommittee that held Thursday’s hearing.

She cited a 2020 report from cybersecurity services firm BlueVoyant that found a 50% increase in cyberattacks on state and local governments between 2017 and 2019, with a tenfold increase during that period in the amount of ransom being demanded to regain access to critical systems.

Successful attacks on those systems can jeopardize critical resources and services. State government agencies maintain databases of citizen data used by law enforcement, and municipalities are responsible for drinking-water systems and 911 call centers.

But as cyber threats have become increasingly common, the money available for preventing and recovering from such attacks has remained sparse. Most states spend only 1% to 3% of their IT budgets on cybersecurity, compared to 16% by federal agencies, according to a survey by Deloitte and the National Association of State Chief Information Officers.

“More investment is needed at all levels of government to strengthen cyber defenses,” Hassan said.

To that end, Hassan pushed a provision that was included in last year’s National Defense Authorization Act that provides each state with a designated cybersecurity coordinator who will act as a bridge to federal cybersecurity resources.

So far, those coordinators have been selected for 30 states, according to a spokeswoman for the federal Cybersecurity and Infrastructure Security Agency.

Hassan also is working to craft a new dedicated grant program for cybersecurity support to state and local governments.

During Thursday’s hearing, local officials said more funding that’s specifically designated for combating cyberattacks would allow for better planning and investment.

Stephen Schewel, mayor of Durham, N.C., where the public school system suffered a devastating cyberattack in 2009 and the city government also was attacked in March 2020, said one-time grants won’t provide enough help to tiny municipalities to conduct adequate training for staffers and upkeep on security systems.

“Every day, there are cybersecurity attacks on the city of Durham, and we are able to fend them off. But all the hackers have to do is to be successful once,” Schewel said. “So our needs in this area are going to be greater and greater. We’re going to need funding that is not competitive.”

Karen Huey, assistant director of Ohio’s Department of Public Safety, also urged more funding specifically for cybersecurity, saying that of the $6.7 million in federal Homeland Security dollars that Ohio receives, less than $340,000 is for cybersecurity uses.

The prospect of allocating new money for cybersecurity programs drew pushback from Sen. Rand Paul, (R-Ky.), the ranking Republican on the panel.

Citing testimony from an expert with the Lincoln Network, a libertarian think tank focused on technology policy, Paul said he wants more details on why some Homeland Security grants intended for state cybersecurity programs have gone unused before approving additional dollars.

He also urged reallocating money from other programs if cybersecurity is deemed the most-pressing threat.

“If we think that cybersecurity is a pressing issue, which it sounds like it is, let’s take it from maybe less-pressing issues and try to force some of the money toward that, without necessarily expending more money,” Paul said.

As that hearing was underway, two other senators — Virginia Democrat Mark Warner and Maine Republican Susan Collins — released a letter urging the Department of Education to allow school districts to use some COVID-19 relief funds they’ve received for bolstering cybersecurity programs.

“School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks,” Warner and Collins wrote in the letter. “With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.”

Holden, the Sunapee superintendent, said that when the school district was attacked, the local and state police were not able to provide much assistance. It was the district’s insurance company that ultimately aided in connecting them with cyber experts and lawyers.

Other officials, including Schewel, said they’ve had a useful working relationship with federal cybersecurity experts at the FBI and other agencies.

As they and other localities attempt to better safeguard against threats, the panel said their best strategies are straightforward but would be time- and resource-intensive: staying current on potential threats; ongoing training for staffers; and having systems in place that frequently back up key data.