NSW Education’s current hack exposes the cybersecurity lessons not learned

It came at perhaps the worst time imaginable, but the 8 July 2021 hack of Australia’s largest education system will have been no surprise to government auditors that have spent years urging the education sector to adopt better cybersecurity practices.

Cyberattack forces shutdown of NSW school systems

Just as it was racing to reintroduce remote learning with just a few days’ notice from a government scrambling to contain New South Wales’s exploding COVID-19 outbreak, the NSW Department of Education (DoE) was crippled by a cyberattack that forced it to shut down a broad range of key systems.

NSW DoE took numerous systems offline in response to the attack—which came just two days after DoE asked schools to be ready to implement home learning at short notice. Teachers were left unable to accessa range of learning resources, the department’s online portal, and even collaboration tools like Zoom.

Acknowledging that “the timing of this creates considerable challenges for staff as we prepare for the start of Term 3,” NSW Education secretary Georgina Harrisson said technical teams at the department—which manages delivery of primary and secondary education to more than 1.2 million students at more than 3,100 government schools across the expansive state—“have been able to isolate the issues and we are working to reactivate services as soon as possible”.

As department technical staff worked across the weekend to restore services, learning materials had been loaded onto NSW DoE’s public website just in case services had not been restored in time for the resumption of classes on 12 July.

And despite some indications of progress—NSW Teachers Federation president Angelo Gavrielatos thanked “pretty exhausted staff [who] worked around the clock under very trying conditions over the last few days to restore the NSW Education portal”—the attack could not have been worse timed for educators given just days to prepare for remote learning.

Schools not learning cybersecurity lessons despite a history of vulnerability

Motives for the cyberattack were unclear—as were details of exactly what had happened and whether a ransom was paid or even requested—but its timing is a reminder that cybercriminals often seize upon times of immense change when they perceive that an attack would be particularly problematic for the target.

The volume of cyberattacks on schools globally increased dramatically what one report called a “record-breaking” 2020, with 408 publicly notified school cyberattacks in the US last year alone—and a schools survey noting that only one in five school districts in that country has a full-time staff member dedicated to cybersecurity.

Australian educational organisations have also fared poorly, with regular Notifiable Data Breach (NDB) reports, issued by the Office of the Australian Information Commissioner (OAIC), recording 40 breaches of private educational organisations during the second half of 2020 alone.

Thirteen of these were attributed to malicious or criminal attacks, including two phishing breaches, one case of compromised credentials, four incidents of hacking, two brute-force attacks, three rogue employee breaches, and one case of theft of paperwork or a data storage device.

Fully 80% of breaches against education providers were identified within 30 days—well ahead of finance (68%) and Australian government bodies (61%) but behind legal services (87%) and health service providers (88%).

NSW DoE was one of dozens of NSW government agencies whose cybersecurity resilience practices were deficient and needed to be improved “as a matter of urgency”, state auditor-general Margaret Crawford concluded upon the December 2020 release of a far-reaching audit of departmental risk management practices.

Observed security deficiencies “may impact on the ability of agencies to detect and respond to a cyber incident”, the audit found, flagging “limited progress” against NSW Cyber Security Policy requirements that all departments comply with Australian Signals Directorate’s Essential Eight guidelines.

Fully 72 of 103 agencies were classed as being as ‘maturity level 0 in the Essential Eight category of application whitelisting—indicating that they had made no progress towards achieving maturity levels 1, 2, or 3—with similarly worrying results in areas including user application hardening (45 agencies at maturity level 0), application patching (30), operating system patching (33), multifactor authentication (32), and Microsoft Office macro controls (23).

The only area where agencies seemed to be largely mature was in making daily backups, with 67 of 101 reporting agencies rating their maturity as being of the highest level.

That report—which came months after a high-profile hack compromised Service NSW, the state’s central digital-government agency—was the second time agencies had been required to report their progress in implanting the Essential Eight, with Crawford issuing identical warnings after the inaugural report a year earlier.

A recently established global partnership among educational institutions in Australia, Canada, the UK, and the US will facilitate automated threat sharing across the sector—but translating that investment into better security outcomes for bodies like NSW DoE will take time.

Given the industry’s history of regular attacks, the latest hack of NSW DoE came as no surprise to Ajay Unni, CEO of security consultancy StickmanCyber and a member of the NSW government’s 2020 Cyber Security Task Force. “As the department was forced to deactivate its systems as a precaution, it seems like the attack was persistent,” Unni said.

He warned that cyberhygiene had become as essential to cyberresilience as physical hygiene had become in managing during the COVID-19 pandemic. “Akin to the COVID-19 pandemic, we have to find ways to live with cyberattacks and keep on top of it every second, minute, and hour. … Cybercriminals do not and will not discriminate based on size or industry, and do not follow a standard business-hours work schedule. [Even] if you are doing everything right to protect against cyberattacks, this does not mean you are immune—but have to continue to keep a close eye on everything you do to ensure you don’t become a victim.”