College to close after severe ransomware attack

Originally published at: College to close after severe ransomware attack | Boing Boing

…

Are most Colleges living semester to semester, so to speak?

Not surprised, just more depressed than anything.

Ransomware attacks are usually random and opportunistic, but I wonder if this was a targeted case of white supremacist terrorism.

A lot of small private American colleges (esp. liberal arts ones) are in dire financial straits.

It’s an interesting case. Most universities now carry insurance specifically for ransomware losses.

What seem sot have hurt them most is the timing, coming during the application/admission/notification season. And, also, the context of other financial and enrollment troubles they were having.

Yep. I was just reading this news before I clicked back over to BB.

https://www.hsu.edu/news/2022/may/02/henderson-chancellor-proposes-exigency-plan-academ/

Henderson State University Chancellor Chuck Ambrose today announced an academic reorganization recommendation designed to enhance student success, address community-based workforce needs and produce critical financial savings for the institution’s future.

From their statement it really seems like the pandemic was the larger factor, with the ransomware attack putting them over the edge.

I expect that fallout from the pandemic will continue to hurt a lot of colleges’ fundraising efforts for many years to come. People who paid full price tuition for elite schools but were stuck doing remote learning from home for their final two years probably don’t feel as deep of an emotional connection to their alma mater, and may be less likely to make generous donations down the road than alumni who got to party on campus for a full four years. I doubt that schools that are exclusively “distance learning” based have ever had anywhere near the donor base that schools with physical campuses have.

Please harden your perimeter.
Please enroll your folks in security training.
Please backup your infrastructure - encrypted and with off-site encrypted copies.

I can tell you that the higher education sector in Ireland, as a whole, has been under constant ransomware attack from around the same time as the health system was hacked in 2020. Two colleges lost significant portions of their systems in mid 2020. I don’t remember much since then though we all assumed that it would go back into overdrive from the start of the invasion of Ukraine this year (Ukrainian refugees are funded by the state to continue their studies here where possible).

It might well be white supremacist, but it’s absolutely wholesale here and non-stop. And it’s not primarily of domestic origin but rather from Russian aligned former Soviet states.

How about we stop treating education like a business, and maybe fewer schools would have to close…

We treat them like businesses, so yes.

We should stop expecting them to turn a profit…

Ack! No. Education and health should not be “sectors”… nor should housing or food for that matter.

And we wonder why our societies are falling apart…

I certainly don’t expect them to. But Lincoln is/was a private college. So they have to have some kind of financial model that allows them to at least break even. Their enrollment has apparently been declining for years, so the ransomware attack likely sped up what was already sadly inevitable. With regard to public institutions, I wholeheartedly agree, though that ship has sailed, is over the horizon, docked in a new port, and been seized by oligarchs.

The head of IT here on my campus tells me that we get thousands of attacks (apart from phishing attempts) every day, though that has decreased since the war in Ukraine began.

I just think we should all probably push harder on this issue, rather than treating it like a fait accompli. The damage being done to higher ed (private and public institutions) is pretty significant, as we all know.

I doubt that. In the digital domains, evidence as to the origins of an attack is sketchy at best, who can enter your system can also delete or fake their traces. If you can’t watch people in the act, what hard evidence do you have?

You don’t need much to launch those kinds of attack, so they would come from all over the world, not just from a few specific places.

If you want to have an education system that actually educates people, that is the only viable option.

Even though organizations (not just in education, everywhere) are to blame for having no clue about IT in general and security in particular, and they should be held accountable for the consequences, there is also a larger systemic issue here:

When you’re rely on proprietary software (Windows, Office, AD, learning management systems, “security software” etc.), you’re still mostly fucked, because that software is simply bad quality, and the vendor is not liable even if their software was explicitly to blame. Even software sold to increase security (malware scanners, firewalls etc.) typically are riddled with exploitable problems, increasing the surface for an attack instead of making things better.

So opposed to the education system, which should not be treated as a business, developing “IT solutions” should be treated as a business, and be liable for the consequences of defects and vulnerabilities in their products.

That would ultimately make a better case for free and open source software, as it doesn’t skew the costs in favor of paid products.

Public ones too. The community college where I teach just had to lay off about 50 faculty members this week after years of declining enrollment largely caused by the pandemic.

How many of those are going to be replaced by part timers?

In our case, not many. Employment for part-timers has been cut back here as well.

I agree. In the case of Henderson, though, the institution had been mismanaged from the top, with horrible financial decisions being made for years. But faculty, regular staff, and students are the ones suffering.

I suspect if things improve, the classes will end up being taught by part-timers.

As always. And it circles back to my first point about treating education like a business.

This is a great question. There are a few different categories of answer.

There are maybe 10-12 schools, not all of them private, whose endowment is so large that they’re not only Too Big To Fail, they’re legitimately Too Big To Be Capable Of Failing. Harvard ($41B) could heat its dorms by burning bundles of twenties and never notice it. And the topline numbers don’t really reflect the full extent of their wealth. The presidents of these kinds of schools are roughly equivalent in power to the governor of a small state.

Beneath them is a tier of schools that are not nearly as wealthy in absolute numbers, but who still have a very high endowment per student. Being a small college doesn’t mean you have lower operating costs; in fact, quite the opposite. But it does mean that you were one fantastic bequest in the late 1940s away from basically never having to worry about paying the bills. (That such schools are often incredibly expensive isn’t an inherently bad thing, since they can afford to discount lavishly for non-wealthy students. That they are also often incredibly stingy in every other respect is… just one of those things.)

Next you come to another tranche of small- to medium-sized schools very similar to the above, but who never got that windfall three generations ago when it might have done some good. On paper, they have more money than any single rich alumnus. In practice, they are sending out memos demanding that department chairs crack down on paper clip wastage. They’re not in financial jeopardy, but they are in the hundred-year-flood zone and they don’t have insurance.

Then there are small universities, mostly equal parts public branch campuses and Catholic colleges founded at the turn of the 20th century, that have already begun to suffer from malaise. Back in the 1950s, an English degree from St. Cuthbert’s was a sign that your working-class family had done right by you, their bookish child. Now it means you didn’t get into anything but your safety school. On the other hand, their two-year nursing program with guaranteed certification or your tuition back™… that’s hot shit. So they’re surviving, but they make the headlines every now and again when their last 97-year-old tenured philosophy professor dies mid-lecture and suddenly there aren’t any humanities courses at what used to be a regional liberal arts powerhouse. (My God, John Crowe Ransom himself gave the keynote address at the 1947 St. Cuthbert Festival of Literature!)

Beneath them you have a weird small tier of nuclear craters, schools that didn’t have to fail for financial reasons but did. There are a few reasons this happens: chronic mismanagement, outright theft, catastrophic misreading of the zeitgeist, regional depopulation. Antioch College is one example that comes to mind (although they’ve risen from the grave, sort of).

Then there are schools like this one. They were founded poor, they got poorer, they got leaner, they had one good decade when their one famous alum showed them a little love, and now they’re dying by the scores—and the reason is not that they didn’t have ANY money, or because they weren’t providing good educations, but because it became literally impossible to run a school on the cheap. Why that is the case is an even longer post, and I’m supposed to be doing something else right now (at the middle-tier college I work for).

So no, most schools aren’t paying last week’s bills out of this week’s receipts. But very, very few schools are not highly attuned to the prospect of their own mortality. The endowment crunch/tuition spiral that kills you might take fifty years to finish you off, but it’s still a grim fucking prospect that keeps admins up at night. (I hope.)

Quite possibly. In the meantime though I have had longtime adjunct faculty begging me to let them teach one of the courses on my schedule just to stay on the payroll. I’ve had to turn them down because I need the units too.

Welp, yeah, just count me in on the Mindysan train then, education should not be a business. Not that I didn’t already think that, it’s just I’m trying hard to not to talk about things I really know far too little about…baby steps.