June 21, 2021

States Newsroom/NH Bulletin: Cyberattack on New Hampshire School District Illustrates Growing Threat to States and Localities

WASHINGTON – In case you missed it, States Newsroom, which includes the New Hampshire Bulletin, reported on a U.S. Senate hearing led by Senator Maggie Hassan last week on the need to address the threat of cyberattacks on state and local entities. Sunapee School District’s Superintendent, Russell Holden, was one of the witnesses and discussed the ransomware attack that hit Sunapee School District in 2019.


For coverage highlights of the hearing in States Newsroom, see below or click here.


States Newsroom/NH Bulletin: Cyberattack on New Hampshire school district illustrates growing threat to states and localities

By Laura Olson


WASHINGTON — In October 2019, officials at a small western New Hampshire school district suddenly realized they had a problem on their hands.


The Sunapee School District’s servers, documents and other internal information systems had been locked down by an outside entity demanding a ransom payment.


A cyberattack, like the Colonial Pipeline one that spurred days of shuttered gas stations this spring, had seized the 430-student school district, which has just one full-time IT staffer and a part-time technician.


System backups meant the school district eventually was able to resume its operations without paying ransom to the attackers. But the recovery took nine days and cost more than $40,000 in fees, materials and hardware, according to Russell Holden, the district’s superintendent.


The incident could have resulted in months of lost data if the district hadn’t recently upgraded its backup system, he added.


Holden described the district’s ransomware experience during a Senate hearing Thursday, where he and other state and local officials told lawmakers they need more money and communication from the federal government to better mitigate the growing threat of cyberattacks.


The recent ransomware attacks that temporarily paralyzed Georgia-based Colonial Pipeline and major meat producer JBS have highlighted the supply-chain risks of companies falling prey to cyber assaults.


But state and local governments also have been grappling with these threats for years, said Sen. Maggie Hassan, D-N.H., who leads the Senate Homeland Security and Governmental Affairs subcommittee that held Thursday’s hearing.


She cited a 2020 report from cybersecurity services firm BlueVoyant that found a 50 percent increase in cyberattacks on state and local governments between 2017 and 2019, with a tenfold increase during that period in the amount of ransom being demanded to regain access to critical systems.


Successful attacks on those systems can jeopardize critical resources and services. State government agencies maintain databases of citizen data used by law enforcement, and municipalities are responsible for drinking-water systems and 911 call centers.


But as cyber threats have become increasingly common, the money available for preventing and recovering from such attacks has remained sparse. Most states spend only 1 percent to 3 percent of their IT budgets on cybersecurity, compared to 16 percent by federal agencies, according to a survey by Deloitte and the National Association of State Chief Information Officers.


“More investment is needed at all levels of government to strengthen cyber defenses,” Hassan said.


To that end, Hassan pushed a provision that was included in last year’s National Defense Authorization Act that provides each state with a designated cybersecurity coordinator who will act as a bridge to federal cybersecurity resources.


So far, those coordinators have been selected for 30 states, according to a spokeswoman for the federal Cybersecurity and Infrastructure Security Agency.


Hassan also is working to craft a new dedicated grant program for cybersecurity support to state and local governments.


During Thursday’s hearing, local officials said more funding that’s specifically designated for combating cyberattacks would allow for better planning and investment.


[…] Holden, the Sunapee superintendent, said that when the school district was attacked, the local and state police were not able to provide much assistance. It was the district’s insurance company that ultimately aided in connecting them with cyber experts and lawyers. […]