Cyberattack strikes a school system told for years it was vulnerable
BCPS stonewalls County Council members at meeting over ransomware attack
“The attitude, the arrogance!” said a Baltimore County councilman after school officials refused to say whether data privacy and county finances are at risk
Above: After a malware attack, online learning is canceled for three days for Baltimore County Public Schools students.
Tempers flared during a virtual meeting when Baltimore County Council members grilled school officials over the recent ransomware attack, but got back few answers – and from some a haughty attitude.
“Some members of the Council were so mad they just began to talk and ask questions at the same time,” said Councilman Wade Kach, providing an account of the unpublicized Wednesday meeting that members voted to hold as an executive session, not open to the public.
“The attitude, the arrogance. ‘We’re simply not – not! – going to share it,’” Kach said, describing the school district’s stance. “They did not tell us anything!”
The District 3 Republican is hardly the only member expressing frustration with Baltimore County Public Schools’ refusal to provide information in the wake of the ransomware attack that struck last week.
Council Chairwoman Cathy Bevins said she understands the need to be cautious when discussing a criminal investigation, but argued that citizens and county officials deserve more transparency.
“Constituents have the right to know what is going on within the law,” said Bevins, a Democrat who represents District 6. “I believe some information can and should be shared with the public, but it is not.”
Unanswered Questions
The turbulent meeting was just one more indication of the way the pre-Thanksgiving malware attack has inflamed tensions among various county decision makers.
County Executive Johnny Olszewski Jr. has signaled he is not happy with school officials, chiding them for not sharing more information with his office and the public.
In a stern letter, County Attorney James R. Benjamin Jr. warned BCPS against paying the hackers ransom money, lest the school district run afoul of federal rules making it an offense to enable groups on a list of sanctioned cyber-criminals.
Questions not answered by BCPS: How much was the ransom? Was the ransom paid? Who are the hackers?
The Wednesday session was held on the day when online learning resumed via a work-around, but as critical uncertainties remained.
Kach said school officials refused to answer pretty much all of the questions he and his council colleagues asked, including: “How much was the ransom? Was the ransom paid? Who are the hackers?”
He and other attendees said the stonewalling spiraled the meeting into somewhat of a melee, where anger was directed at BCPS administration and, especially, its general counsel, Margaret-Ann F. Howie.
“She grew more and more irritated,” Kach said, arguing that – despite the sensitive investigation – school officials could provide some information in order to “allay public fears.”
Asked to respond on behalf of Howie, spokesman Charles Herndon replied, saying “As the meeting was closed, we will have no response.”
Additional questions about whether student and staff data privacy was breached and whether it remains encrypted also went unanswered, he and others said.
Kach took pains to note that it was primarily Howie who displayed a hostile attitude, not Superintendent Darryl L. Williams or School Board Chair Kathleen Causey and Vice Chair Julie Henn, who were among the meeting participants.
Accountability Concerns
In addition to data security questions, Council members expressed concern over fiscal issues and accountability matters.
Councilman Israel “Izzy” Patoka said his top priority is ensuring that student learning continues. The District 2 Democrat told The Brew he also wonders about the fiscal impact of the cyber attack.
“If there is a cost to this event, how does it impact our ability to deliver quality education? Not only this year, but all years to follow?” he asked.
“The people who knew what was wrong and didn’t do anything about it, I think heads need to roll” – Councilman Wade Kach.
At the meeting, school officials reportedly were asked if the county had cyber-attack insurance, and they didn’t answer.
“In my 10 years on the County Council, it may have been the most frustrating conference call I have ever had on such an important subject,” Councilman David Marks said.
“The Council is the fiscal authority for Baltimore County, and we would presumably need to approve any appropriation not covered by insurance,” the District 5 Republican observed.
Kach said he brought up another issue that elicited few answers – the fact that, as The Brew reported on Monday, school officials were warned by state auditors about the system’s extreme vulnerability not only this year but in 2015.
“It’s so disgusting that there are repeat findings,” he said. “The people who knew what was wrong and didn’t do anything about it, I think heads need to roll.”
• To reach this reporter @ac@ohana-home.com. By phone at 410-419-9620 or through the Signal App