A top Baltimore County official has warned school administrators not to pay ransom to the cyber-criminals who infected the Baltimore County Public Schools computer network last week, pointing out the group could be on a federal government watch list.
The school system’s apparent willingness to engage the hackers has created tension with others, including Baltimore County Executive Johnny Olszewski, who feels his administration has been shut out of the process, multiple sources tell The Brew.
The county’s top lawyer informed BCPS in a letter that acceding to ransom demands could expose Baltimore County, as well as the school system, to “severe penalties” by the federal government.
The letter was sent to school system General Counsel Margaret-Ann F. Howie by County Attorney James R. Benjamin Jr.
Benjamin’s letter included a copy of an advisory from the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued last month. It cautioned that paying ransom could violate federal law if the payees were on a federal list of sanctioned cyber criminals.
Sean Naron, a spokesman for Olszewski, said the county law office “provided information to BCPS counsel to ensure they were aware of newly issued federal guidance regarding ransomware payments.”
He did not respond to questions about how much information school officials have shared with the administration or how Olszewski feels about BCPS’ negotiations with the hackers.
Multiple phone and email queries sent to Benjamin have not been returned.
A message left for Howie at her office also has not been returned. (A staffer there cautioned that the Brew’s email might not be received because email addresses have changed as a result of the ransomware attack.)
UPDATE: BCPS spokesman Charles Herndon called on behalf of Howie, saying “we are not discussing aspects of the investigation at the advice of the experts who are conducting it.”
Olszewski Chides BCPS
It’s unclear if BCPS officials actually know the identity of the hackers who struck last week, prompting the shutdown of the computer network for the 115,000-student school district.
Also unclear is whether BCPS has already reached any agreements with them.
Administrators have refused to provide details of the attack they said has triggered a wide-ranging probe, aided by information security experts and multiple law enforcement agencies, including the FBI.
“We are still in the midst of an investigation,” Superintendent Darryl L. Williams told reporters yesterday. “I cannot speak to the investigation.”
But Benjamin’s letter suggests that the county government has been left in the dark about the sufficiency of the school system’s data backups and the need – if any – to pony up money to untangle the district’s network from encryption.
Olszewski chided BCPS on Monday for not being more open to county residents – and to him – about the cyber attack.
“We certainly have more resources that can be brought to bear to help lead a response that has not yet been activated,” Olszewski told WYPR. “We’ll continue making ourselves available and we’ll keep pushing the school system to give us more information as well as the public.”
Meanwhile, BCPS’ Herndon described a smooth relationship, telling WYPR that the county executive’s office has been “a great help in helping us get out information and both of our IT teams [are] working together to resolve this.”
Feds: Paying Enables
Explaining its new mandate, the Treasury Department noted that “in recent years ransomware attacks have become more focused, sophisticated, costly and numerous.”
Paying the attackers, the advisory says, would enable these groups and “encourage future ransomware payment demands.” Doing so, even if unaware that an attacker is on the government’s list of “designated cyber attackers,” could trigger penalties.
“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” the letter read.
In his letter, Benjamin asked Howie to err on the side of caution since he seemed not to be informed of the hackers’ identities or the status of BCPS’ current network problem.
Following the attack, school officials canceled classes last Wednesday and warned staff and students against logging into devices.
The shutdown paralyzed the district just before the Thanksgiving break and as the deadline approached for many college applications. Classes were also canceled yesterday and Monday.
Williams summoned the media to BCPS headquarters yesterday to ask the public for “patience” and to announce “the good news” that classes would be resuming for students today, even while warning that “instruction may look and feel different.”
The technology team had found an alternative cloud-based means for teachers and students to engage through Schoology and Google Meet, the system’s learning management system.
BCPS has modified its initial guidance, stating that the Chromebooks issued to faculty and students were spared from any harm done by the ransomware.
Those with HP Revolve computers, however, were asked to perform a “confidence check” by testing the devices for malware or trading them in for a replacement.
Despite the resumption of classes, students, staff and families remained uncertain about what personal data may have been compromised.
Speaking yesterday, James Corns, BCPS’ executive director of technology, said students’ assignments and grades are “still present.”
But he did not indicate whether they had been lost and then restored, or whether the district paid the hackers ransom to decrypt any of the data that allowed the school system to resume classes today.
• To reach this reporter: @firstname.lastname@example.org. By phone at 410-419-9620 or through the Signal App.