Cyberattacks are an increasing threat to businesses, governments, and organizations of all kinds. Schools are no exception. Last month, the Los Angeles Unified School District, the nation’s second largest school system, was victimized by a massive ransomware attack. In late September, Michigan’s South Redford school district was targeted by a cyberattack that closed schools for two days.
These attacks aren’t isolated incidents. The explosion in online learning during the pandemic only exacerbated these challenges. In 2020, the K–12 Cybersecurity Center reported a record-breaking number of incidents, with 408 reported across 377 school districts in 40 states.
Last winter, Eileen Belastock, chief of technology and information in a Massachusetts school system, explored the cybersecurity risks facing America’s schools and noted how ill-prepared schools are for the challenge. She observed, “Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018.”
How can schools respond as these attacks grow more frequent and disruptive? On that count, I recently talked with Doug Levin, co-founder of the K12 Security Information eXchange (K12 SIX), who had a hand in crafting national educational technology plans during the Clinton, Bush, and Obama administrations.
For starters, Levin points out that the issue for schools isn’t just ransomware, but a range of cyber incidents including data breaches, phishing attacks, denial-of-service attacks, “and the takeover and defacement of school websites, social media accounts, and email systems.” The consequences are significant, including school closures, disruptions in teaching and learning, millions in taxpayer funds, and identity theft of students and staff. Since 2016, he notes, there have been more than 1,300 publicly disclosed incidents of this ilk.
Levin explains that these attacks are typically the work of “criminal groups operating overseas seeking to extort money from victims in exchange for the restoration of their IT systems and [sensitive data].” Since 2019, he says, districts across the U.S. have been increasingly targeted. Asked why schools would be attractive to these criminal enterprises, Levin says, “Schools manage more than enough money to capture the attention of cyber criminals.”
Moreover, while Levin notes that hackers “could care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud.” The Consortium for School Networking’s 2019 K-12 IT Leadership Survey Report has noted that hackers are shifting from firms “which are devoting increased resources to cyber defenses” to “more vulnerable sectors like school districts, universities, and nonprofits.”
So, what can schools do?
There are several things schools can do to better protect themselves. Levin says, “This is mostly not a technical issue that the right firewall or anti-virus software can fix. This is not about district IT leaders needing to just ‘cyber’ harder.” Rather, “Just as schools deal with physical security risks on their campuses, they need to develop plans to prioritize and manage cybersecurity risks, resource these plans appropriately, and practice them.”
Of particular import, Levin notes that school districts have been shifting away from local servers to take advantage of cloud-delivered software and services, for a slew of instructional, administrative, and operational needs. This is so important, he says, because “while companies like Amazon, Google, and Microsoft—which operate the infrastructure that powers most education software and services—have far better IT security operations than schools ever will, not every vendor delivering their software via the cloud can say the same.”
The result, Levin observes, is that the ed-tech vendors providing schools with customized instructional and administrative services have been hit by “a significant number” of data-breach incidents that affect students and teachers, even as services have been interrupted as vendors are forced to address cyber incidents of their own. In the end, he says, the solution will require educational leaders to demand “better cybersecurity policies and practices from their vendors and suppliers.”
There are also common-sense measures that need to be taken. Levin stresses, “Ultimately, everybody has a role to play. Use a password manager. Use multi-factor authentication. Keep your devices’ software up-to-date, and for Pete’s sake don’t click that dodgy link.” As for how policymakers can help, Levin suggests that one priority should be better disclosure requirements for school cyber incidents that will yield a more comprehensive “research base about how and how frequently schools are being compromised.”
Especially after three years in which schools have become increasingly dependent on technology for instructional delivery and operations, cybersecurity must become a priority for educational leaders.