“If you’re having trouble getting your data, call this number and we’ll charge you $50,000 for getting it fixed,” said Jim Parker, Chief Information Officer for the North Carolina Community College System, explaining the concept to the State Board of Community Colleges Thursday.
Parker said that the money was not paid and that after extensive work by the system office, the college, the FBI, the National Guard, and others, Richmond is almost back to normal. But the incident has highlighted the vulnerability of community colleges to such attacks.
“This is not the first time it has happened to us,” Parker said. “It will not be the last.”
The attack came in late July, between the summer and fall semesters.
“This was a critical point,” said System President Peter Hans. “You’re right before registration, not sure if you’re going to be able to take students in for the semester.”
The college, with a variety of helpers, managed to keep registration on track and began to slowly rebuild its IT infrastructure without capitulating to the hackers’ demands. But Parker said community colleges probably will continue to be affected by such incidents.
“We are not big enough to act like Bank of America,” Parker said. “Ergo, we are a perfect target for something that, frankly, most high school students are learning how to work and manipulate.”
Parker told the State Board that the system is working on measures to mitigate the effect of such attacks in the future.
“We need to recognize that our definition historically of community … is not the same as it was 20, 50 years ago,” Parker said. “It is a global community.”
He said his team is working with college presidents and others to figure out how to best shape IT at the colleges to improve effectiveness. His team is also recommending relatively simple things, like keeping data in the cloud rather than in servers, and not using thumb drives.
Parker is also working with the state Department of Information Technology to establish a joint security operations capability. This will help colleges know whom to contact and what to do in the event of another cyber emergency.
“Our colleges are really set up to run, but when things happen, we need a lot of help,” he said. “They’re running really lean.”
Training and educating college personnel, not just IT staff, is key to reducing the possibility of successful cyberattacks.
“It’s always the people component that is the weakest link,” he said.
State Board member Burr Sullivan asked Parker whether community colleges have the money they need to make the necessary changes to combat cyberattacks.
Parker said the short answer is no, but that doesn’t mean they’re helpless.
“There are things that they can definitely do within the funds that are available,” he said.
Hans said the incident also highlights why it’s important that the IT resources of the community college system not be consolidated with those of the state Department of Information Technology, something the legislature has been pushing for in recent years. Given the assistance provided by the system office to Richmond Community College, he said, it’s important that the system be able to respond directly to colleges in need.
“Our capabilities in this area need to be responsive to the community colleges at a moment’s notice,” he said.
Instead of consolidation, the system is working on a memorandum of understanding that will lay out coordination between the system office and the Department of Information Technology. The provision that allows that alternative is in the standalone community college budget bill that has passed the House and is waiting to be heard in the Senate.
Parker said the state’s 58 community colleges are essentially 58 multimillion-dollar businesses, which makes them vulnerable to cyberattacks. But he said he thinks Richmond wasn’t an isolated target in this instance but rather got caught up in a larger, perhaps nationwide, attack.
Jennifer Haygood, chief of staff for the community college system, said it’s important that in future cyberattacks, college presidents know to follow the example of Richmond in how they respond to ransom demands.
“Not only did the college not pay the ransom, but it’s correct that our guidance to the colleges is not to pay the ransom,” Haygood said.
Parker added: “It’s something about giving a mouse a cookie. They always want a glass of milk.”