A teenage student, age 16, was arrested for orchestrating a number of cyberattacks and network outages that happened in Florida’s largest county during the first week of school, according to authorities on Thursday.
Police in the district believe other people were involved in the cyberattacks that are plaguing the Miami-Dade schools since their reopening on Monday and students started receiving online instructions during the ongoing coronavirus pandemic.
“We will not rest until every one of them is caught and brought to justice,” Edwin Lopez, police chief for the schools said.
Superintendent of Schools Alberto Carvalho stated the attacks are “disheartening that one of our own students has admitted to intentionally causing this kind of disruption.”
Lopez said the South Miami Senior High School student told police he is responsible for eight attacks on the school computer system “designed to overwhelm district networks.” The teen is charged with using a computer in an attempt to defraud, and it’s a felony; the teen is also charged with misdemeanor interference with an educational institution.
The name of the student was not released because he’s a minor. It’s unclear if he has an attorney to represent him.
Officials previously revealed that Carvalho had never signed a contract with the online platform for $15.3 million that’s at the center of the crisis. The Miami-Dade County school district’s chief financial officer named Ron Steiger announced on Wednesday at a school board meeting that discussed the failures of K12′s online platform and My School Online, according to The Miami Herald.
The ongoing coronavirus pandemic delayed officials from starting classes between mid-August to August 31. But many teachers and students have been unable to access the online system and the school board is being overwhelmed with complaints.
The school district’s chief academic officer named Marie Izquierdo said problems with the K12 platform are happening throughout the U.S., and officials are working to resolve the problems. The company emailed a statement to the Herald that network outages were affecting the platform.
Izquierdo said that in the meantime, one option is to revert to the plan that was working when the pandemic started earlier in the year this spring when all teachers used whichever online platform they were most comfortable with using.
Parents made complaints at the time, saying it was too confusing to navigate multiple platforms. Also, the district was only able to measure one-time log-ins, not sustained participation, which is one of the features that My School Online offers.
Republican U.S. Senator Marco Rubio has requested a briefing with the Department of Homeland Security regarding cybersecurity that relates to school districts.
DDoS Attacks, Foreign IP Addresses, and an FBI-Assisted Probe
The disruptions that crippled the nation’s fourth-largest school district were distributed denial-of-service (DDoS) attacks — floods of internet traffic engineered to knock a network offline. The arrested junior admitted to launching eight of them using an online application, and investigators traced the activity by following the IP address back to his home in South Miami. The felony count, computer use in an attempt to defraud, is a third-degree felony that could have carried up to five years in prison had prosecutors moved the case to adult court, alongside the second-degree misdemeanor of interfering with an educational institution.
Carvalho stressed that the teen was only one piece of a wider barrage. At a news conference, he said that beyond the local attack, additional disruptions appeared to originate from foreign nations including Russia, Ukraine, China, and Iraq — while cautioning that the geographic origin of an IP address does not prove who is behind it, since such disruptive services can be rented cheaply on the dark web. Local detectives worked the case with help from the FBI, the U.S. Secret Service, and the Florida Department of Law Enforcement. Officials maintained that the district’s servers were not breached and that no student data was accessed.
Independent experts were skeptical that the meltdown could be blamed on hackers alone. Justin Cappos, a computer-science professor at NYU’s Tandon School of Engineering, noted the district had been struggling with its systems before the attacks, pointing to outdated software and capacity problems as evidence that basic cybersecurity hygiene had been neglected.
Miami-Dade Fires K12 and Dumps the $15.3 Million Platform
The fallout landed hardest on the technology vendor. After a marathon school board meeting that ran roughly 13 hours and heard from some 400 public speakers — many of whom blasted My School Online as a “disaster” — the board voted in the early hours of September 10, 2020, to cancel the $15.3 million no-bid contract with K12 (the company now known as Stride, Inc.), effective immediately. Teachers across grades 6 through 12 scrambled back to the Zoom and Microsoft Teams setup that had carried the district through the spring. The episode left lasting questions about how a district that never even fully executed its multimillion-dollar contract had staked the education of more than 270,000 students on a platform that buckled within days.
For more of our coverage from the same period, see our reporting on a Florida school policing controversy in Key West, and read more in the public record of the 2020 Miami-Dade Public Schools cyberattack.
