Iowa school officials are refusing to tell taxpayers how much they paid in ransom to cybercriminals. (Photo by Matt Cardy/Getty Images)
These days, I stand in front of audiences and engage in what is politely called “public speaking” more often than even Mr. Gentry ever imagined when I showed up at his office door 55 years ago with a bug-eyed expression of concern.
Mr. Gentry was the guidance counselor at Davis County High School. He was in charge of class scheduling. What brought me to his doorstep was noticing I would be taking “Speech” class that semester.
Before I could say anything, however, he presciently said, “You probably are wondering about the Speech class. You will thank me someday.” That “someday” has arrived. You were correct, Mr. Gentry.
Public speaking is an important part of my professional life. I have spoken to groups large and small as an advocate for citizen engagement in state and local governments. Speeches are an important way to get my message to lots of people. But just as important is hearing what is on their minds when I invite them to ask questions.
When the audience is made up of elected officials and government employees, I expect them to pepper me with challenging scenarios about public meetings and public records. I have not spoken to any school groups recently. But when the opportunity comes along, I expect them to grill me with some of the real-life challenges that confront school administrators and their governing boards.
One such real-life headache is ongoing in the Cedar Rapids Community School District. It played out a year ago at Des Moines Area Community College. And the Linn-Mar Community School District in Marion may have the same headache, too.
The issue is cybersecurity and ransomware attacks that are carried out by unknown criminals. These people hack their way into an institution’s computer network and try to steal personal information of employees and, potentially, private student information, too.
The Cedar Rapids district was hit by just such an attack on July 2, forcing the cancellation of summer school the following week. A month later, the Linn-Mar district announced it was investigating the source of a problem that took down its telephones and knocked out its computer systems.
At DMACC, a cyber incident in the summer of 2021 forced the Ankeny college to shut down parts of its computer network, ending online classes, delaying students from signing up for new classes, and knocking out internet service for several weeks.
It should surprise no one that cybercriminals are attacking government institutions and trying to extract a ransom. Businesses in Iowa have been hit this way, too, costing them significant amounts of money and extra labor.
There is an important difference between private businesses and government institutions, however. One belongs to the people of Iowa. The other does not.
The Cedar Rapids school district did pay a ransom in an effort to protect the personal information of its employees — 8,790 people, in all. The information that may have been compromised includes employees’ full names, Social Security numbers, driver license numbers, banking account and routing numbers, and their personal medical information.
My government transparency radar goes off when I hear that school officials have refused to disclose how large the ransom was, to whom it was paid or how it was paid. The school is offering a free year’s worth of credit monitoring services to employees to see if their personal information is used.
The attackers who struck DMACC last year also demanded payment of a ransom. The college refused. But administrators now also refuse to tell the Cedar Rapids Gazette how much ransom was sought or how much the college actually spent to combat the security breach — for outside experts, for new equipment and repaired equipment, and for higher cyber insurance premiums.
Linn-Mar officials have not said whether any personal information on employees or students was compromised. Nor have they even confirmed whether a cyberattacker was responsible for that district’s computer problems.
Were I standing in front of the School Administrators of Iowa or the Iowa Association of School Boards to address their members, I would expect to be grilled like a cheap steak about my position on the intersection of Iowa’s public records laws and information about these cybersecurity incidents.
I would remind these officials that Iowa’s public records law allows school districts or other government entities to keep confidential their cybersecurity procedures and their emergency response procedures. That is just common sense.
No one expects them to be required to make public what the records law describes as the vulnerability assessments made on their computer networks, the information contained in security and response plans, or the passwords and security codes needed to access certain parts of their computer networks.
But it is common sense, too, that administrators would be expected to make public, upon request, basic information that the taxpaying public is interested in: That would include the amount of ransom that was sought or that was paid in response to an intrusion by cybercriminals, as well as an accounting of how much a school district or community college paid to clean up its computer networks after a cyberattack.
It would be detailed enough so the public can determine whether their local school district or college is taking all reasonable precautions to guard against such an attack. The public is entitled to know whether their local school is show to adopt recommended security precautions.
After all, the cybercriminals who struck the Cedar Rapids school district’s computers already know how much ransom they received and how it was paid. The only people being kept in the dark now are the taxpayers in the district and the parents of its 15,800 students.
Even if a school’s lawyers show how these details could legally be kept confidential, I would remind school officials that secrecy is never a good way to build public trust and confidence in the management of a district or college.
Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our web site. Please see our republishing guidelines for use of photos and graphics.