The number of ransomware attacks in the U.S. so far this year is up by 62 percent over the same period in 2020, according to the Federal Bureau of Investigation. That amounts to just over 2,000 complaints with losses totaling $16.8 million — a 20 percent increase in damages, the agency said.

"This does not include the costs associated with business disruption and remediation, which can dwarf the ransom itself," Sarah Ruane, public affairs specialist for the FBI's Albany, N.Y., headquarters, wrote in an email to Seven Days. The Albany office covers Vermont.

Nor do the figures include all attacks, Ruane pointed out in a subsequent phone call. They are simply those reported to the FBI's Internet Crime Complaint Center, known as IC3.

"While the numbers are staggering," Ruane wrote, "they are likely just a fraction of what's out there."

Vermont is not immune, as last year's crippling attack on the University of Vermont Medical Center proved. Ruane couldn't discuss specific investigations but confirmed: "The number of cases we are opening in Vermont lately certainly aligns with the national increase." Victims include businesses and organizations of every sort, from government agencies and hospitals to law offices and ski areas, according to the FBI.

For students who are studying cybersecurity in college, however, the surge in cybercrime has a silver lining: guaranteed employment. In each of the last five years, every student from Champlain College who majored in cybersecurity or digital forensics has had a job in their field when they graduate, said Adam Goldstein, director of the school's information technology and sciences program.

Roughly half had positions lined up before starting their senior year, he said. While starting pay averages around $70,000, some new graduates earn six-figure salaries, Goldstein said.

Junior Miranda Pagarelski has a job waiting for her at the U.S. Army Cyber Command in the state of Georgia. The cybersecurity major from Mountain Top, Pa., will start after she graduates from Champlain in the spring of 2023.

"I had a couple of interviews from different facilities," Pagarelski, 20, said. "They were my top one."

Through a scholarship-for-service program called Science, Mathematics and Research for Transformation, aka SMART, her future employer pays for two years of college tuition, plus health benefits and a monthly stipend, in exchange for Pagarelski's promise to stay on the job for two years.

"It's very, very generous," Pagarelski said.

She is one of 211 students at Champlain majoring in cybersecurity or digital forensics, Goldstein said. About 70 more minor in those subjects or take relevant classes.

The program, established in 2007, started with 35 or 40 cybersecurity majors. It has grown apace with demand for workers trained to stay one step ahead of cybercriminals all over the world.

"For young people who are looking for something exciting and in demand, it's a great field," Goldstein said. The major draws students who are interested in technology, but he said it's also a good match for people who enjoy solving puzzles, working with systems, understanding how things work and analyzing how they break.

"There are so many different ways that individuals can engage in this system," Goldstein said. Potential areas of application include criminal justice, human behavior and psychology, business, risk management, and systems analysis.

Several Vermont colleges provide instruction in this area. Vermont Technical College and the University of Vermont offer a certificate in cybersecurity, according to their websites. Champlain and Norwich University, in Northfield, are both designated as National Centers of Academic Excellence in Cybersecurity — a stamp of approval from the National Security Agency.

Norwich's program has experienced a comparable surge in interest and enrollment. Currently, 240 students are studying cybersecurity, computer science and data analytics, according to Phil Susmann, the university's vice president of strategic partnerships. In 2010, that number was about 60.

"Ten years ago, people didn't understand what cybersecurity was," Susmann said.

He recalled trying to persuade people who work in the financial sector to protect their computers about 12 years ago. "You've got to be able to practice [a response] in case they get in," Susmann advised them. "And people said, 'That won't happen.'"

In late September, Norwich and five other universities received a joint $18.5 million grant from the National Security Agency to train students for cybersecurity jobs with the U.S. Department of Defense.

In Susmann's view, the nation desperately needs a workforce that can help protect its infrastructure, which he characterizes as "on its own" and vulnerable. "There is no one between the infrastructure and our adversaries. They have to be able to withstand that first punch and fight through the problem until help can come."

The cybersecurity curriculum at Norwich includes studying what's known as "information advantage." It involves teaching students to recognize and evaluate disinformation or propaganda disseminated online.

"If we look at the most recent revelations by Facebook, we see that the large tech companies are vying for your attention on their platforms, and that's how they generate revenue, gobs of revenue," Susmann said.

Students learn about and attempt to understand the "social media echo chamber," he said, "and pulling out those component pieces that are driven by specific groups trying to tear at our democracy."

As he thinks in these global terms, Susmann also takes personal precautions in his computer use. He has two computers. One is reserved solely for financial activity; he never sends an email on it or uses it for any form of social media, because those activities can compromise the system. Still, he set up every account on that computer to require multifactor authentication: Susmann types in his username and password and waits to receive a verification code by text, which he enters in the computer before he uses it. On his other computer, which hosts his Twitter and LinkedIn accounts, Susmann doesn't use multifactor authentication. (When he used Facebook, he said, he had two friends: his kids.)

"Don't click the button that says 'remember this computer,'" Susmann advises. "Be very careful about online retailers that you use. Always use your credit card, never use your debit card." The latter account can be wiped out, he said.

If that happens, contact someone such as Kaya Overholtzer, 21, a senior at Champlain who studies digital forensics. Overholtzer became interested in computer networking and cybersecurity at York County School of Technology, the high school she attended in Pennsylvania.

She likes the challenge. "You're trying to investigate and see what happened," Overholtzer said. "You have to poke around and look in weird places. It's a lot of curiosity and perseverance and clicking through hundreds of gigabytes of data to find what you're looking for."

Pagarelski, the Champlain junior, is similarly motivated.

"The field is gigantic, and you're not going to know everything," she said. "As long as you have that willingness to learn and adapt throughout, you'll pretty much be set, because you'll be learning new things daily."

Representatives from Norwich University will be available to answer questions about its programs at the Vermont Tech Jam on Saturday, October 23, at Hula in Burlington from 10 a.m. to 1 p.m. and 1:30 to 3:30 p.m. To attend the event, register at techjamvt.com.

Protect Yourself: Seven Security Tips

Here are a few simple things you can do to keep your money and your personal information safe from cybercriminals, according to Champlain College students Kaya Overholtzer, a senior digital forensics major, and Miranda Pagarelski, a junior cybersecurity major.

Use Two-Factor Authentication for any application that offers this option. That means you'll need two separate devices to log in to your accounts. How it works: After you enter your username and password on your laptop, you might get a text on your phone with a code you type in to get access. You can also purchase a device designed specifically for this purpose, such as a Yubikey.

Make it a habit to use sites such as haveibeenpwned.com to see if your information has been leaked in a data breach.

Close accounts you no longer use; they could become a source of attacks. 

If purchasing from a site that you aren't familiar with or one whose validity you question, see if your credit card can generate a temporary card number that you can use for the transaction, so as to hide your real card number. Citi and Capital One both have this option.

Think before you click. Hover your cursor over a link. The website address where the link takes you will pop up in the bottom left-hand corner of your browser window. Check it for spelling errors and make sure this is the site you intend to visit. Never open an email attachment without confirming its authenticity with the sender.

Use a password manager. Password managers are a safe place to store all the login information you use to get into various websites. They can generate strong and unique passwords that are different for every account you use. That way, you only have to remember one master password or a PIN. Popular password managers include 1Password, Bitwarden and LastPass.

Be a guest user. Operating a computer as an administrator, with access to make changes to the system, makes you more vulnerable to cyberattacks. If you can, choose the guest or normal, non-administrator option when you log in.