Howard University was forced to cancel all of its online and hybrid undergraduate classes on Tuesday and Wednesday after a ransomware attack compromised its networks and rendered the school Wi-Fi network unusable. The attack, which came just as universities around the country were gearing up for the start of the fall semester, was a reminder of all the ways that online classes’ benefits—offering schools a way to deal with some less high-tech threats like snowstorms and pandemics—come with a vulnerability to disruption.
The Howard story is a sobering one for those of us at universities hoping for a relatively smooth return to something resembling normal operations this year. It’s also a stark warning of just how much work all organizations, not just college campuses, need to be doing right now to prepare for the possibility of ransomware attacks. That preparation goes beyond just creating back-ups of crucial data and systems—it means also running regular drills for how to get critical networks back up and operating using only those back-ups. Without a clear and practiced procedure for resuming operations in the wake of a ransomware attack, the fallout can be immensely disruptive and continue for days, or even weeks, as organizations scramble to set up alternative systems.
Howard has released relatively few details about the origins and nature of the attack they are facing, but the announcements it has made about the campus response offer several clues about what systems were affected. For instance, the university extended the add/drop deadline for courses because students were unable to access the wireless network and the campus BisonWeb portal. In-person classes met on Wednesday, Sept. 8, when online classes were canceled for a second consecutive day, but students were warned that “course lecture content requiring internet access on campus may not be available.” Meanwhile, faculty who had access to “alternative Wi-Fi connection options” (presumably at their homes or using personal hotspots) were told on Wednesday that they should be able to access online academic apps and could coordinate class convenings—but it’s not clear how exactly their students would join those classes so long as the campus wireless access remained shut off. The university announced it was deploying “an alternative Wi-Fi system” on campus but that it would take several days for that network to be up and running.
College campus networks are notoriously insecure, in part because there a lot of different people and visitors need to connect to the network and in part because universities tend to place a premium on open collaboration and access to information. So it’s no surprise that colleges—like so many other institutions including hospitals and local governments—have seen more ransomware attacks in recent years. Up until the COVID-19 pandemic, however, it was not always the case that these attacks meant a school actually had to shut down classes and disrupt student learning. Many other functions would still be disrupted in the wake of a ransomware attack—including, payroll, email, course registration, to name a few—but I could still teach my classes without any wireless access, or even if the projectors and computers in the classroom didn’t work. Arguably, I could teach a better class if none of my students were able to get online during it.
The shift to online learning in the midst of the pandemic changed that calculus. If students living on campus can’t get online and therefore attend class, the effects of a ransomware attack are far more devastating. Even as schools largely resume in-person operations this fall, online and hybrid classes are occurring on many campuses—and all of us are acutely conscious that we may be forced to go back to teaching online at any moment. There are a lot of lessons for all of us to draw from the past year and a half about how to do that well and prepare for that possibility, but one of the most crucial lessons is that we must be prepared for the kind of attack that Howard is currently recovering from.
It’s not clear what precautions Howard had taken to protect against these types of attacks—clearly, it had a plan of some sort to stand up an alternative wireless network, but that plan does not appear to have been tested sufficiently to allow for rapid deployment of that alternative network. Since no data appears to have been compromised, at least according to its statements so far, we don’t know very much about what back-ups were required or how well Howard had backed up its existing systems and data.
We do know, though, that even in cases when companies—including high-profile targets like Colonial Pipeline—have had thorough backups, they have still sometimes succumbed to attackers’ ransom demands for fear that restoring their systems could take too long. (Ironically, Colonial ended up using its backups anyway because the decryption tool the attackers provided was even slower!)
As cybersecurity experts have been saying for years, part of preparing for ransomware attacks means creating regular backups of all the course management systems and other key databases universities rely on. (These services are often outsourced to third-party companies in which case colleges need to have detailed incident response plans from those vendors about their back-up and recovery procedures.) But it also means planning drills to figure out how quickly a college campus can get its wireless networks, websites, and other online systems back up and running in the wake of a complete shutdown. Just having back-ups is not enough. Often, ransomware victims like Colonial Pipeline decide that it would take too long to restore their systems using those backups or they’re not sure how to do that and they end up paying the ransoms or taking days and days to recover (or both!).
Colonial Pipeline and Howard both experienced days-long interruptions to their operations from ransomware, but every school (and organization) should be prepared to reset their critical computer systems from nothing in a matter of hours. Any university that has not actually practiced doing that a few times to simulate a real ransomware recovery is unprepared for the year ahead and failing to learn the right lessons from Howard’s misfortune and that of so many universities, hospitals, and other ransomware victims before it.