Government Cybersecurity: Forces Align to Fix K-12 Schools’ Cybersecurity Problem
America’s Public Schools Are Straining Under A Wave Of Cyberattacks. A New Law In Washington Is Just One Step Toward Shoring Up Their Defenses.
- President Joe Biden recently signed the K-12 Cybersecurity Act into law, as cyberattacks on schools reach a new high.
- Biden’s move comes amid a flurry of calls for solutions ranging from K-12 cybersecurity standards to funding for cash-strapped schools.
- A basic cybersecurity framework is emerging for schools to plan their response.
Will 2022 be the tipping point for cybersecurity in America’s public schools?
In the past two years, remote learning drove K-12 schools’ use of technology to new highs — without addressing their chronic shortcomings in protecting devices, systems and data. No wonder local news channels were filled with reports of classes canceled, student IDs stolen, ransomware demanded and other disturbing incidents.
With digital learning here to stay, forces are aligning to better protect K-12 schools and students from ongoing cyberattacks. Recent developments include:
- Legislation: In early October, President Biden signed the K-12 Cybersecurity Act into law to deliver analysis, guidelines and tools. Some see this as a step toward federally mandated K-12 standards.
- Funding: Advocacy groups and policymakers have been working to free up funding for K-12 cybersecurity.
- Tools: The K12 Security Information Exchange (K12 SIX) — a nonprofit membership organization for schools to share security alerts, best practices and other information — recently released a cybersecurity framework streamlined for their ease of use.
Legislating Change in K-12 Cybersecurity
By April, the K-12 Cybersecurity Act calls for the Cybersecurity and Infrastructure Security Agency to issue new guidelines for schools, followed by the development of tools to implement them. While the law stops short of requiring schools to act, some Washington observers suggest they prepare for the eventual imposition of minimum K-12 cybersecurity standards.
The Biden administration, which has been gradually imposing minimum cyber standards across sectors such as energy and transportation, called the new K-12 law part of its “whole-of-nation effort to confront cyber threats.” Meanwhile, schools must comply with the 40-year-old Family Educational Rights and Privacy Act (FERPA), last updated in 2002. Though the law does not specify security controls, the Department of Education states that a cyber breach could lead to a FERPA violation and loss of federal funding. In addition, some states have also been advancing K-12 privacy and cybersecurity standards.
Advocacy groups and legislators say more is needed — calling for government cybersecurity to allocate funds to K-12. A letter signed by six members of Congress emphasized that “While studies and best practices can help inform our national response … Congress must act by putting real resources on the table.” In a study commissioned by Mimecast, Osterman Research also concurred that “With the education sector being chronically under-resourced for cybersecurity, the high-level change required is greater funding.”
A petition before the Federal Communications Commission proposes adding cybersecurity provisions to the agency’s e-rate program, which helps pay for broadband access at most K-12 schools.
The Cyber Assault on Public Schools
Public schools reported more than two cyber incidents per school day last year, resulting in school closures, millions in stolen taxpayer dollars, student identity theft and related credit fraud, according to The State of K-12 Cybersecurity: Year in Review. The K-12 Cyber Incident Map below illustrates the extent of the problem.
Source: Visit K-12 Cybersecurity Resource Center for interactive map.
K-12 schools fall prey for several reasons:
- Prized data: K-12 Social Security numbers are among the most valuable on the dark web. These stolen identities can be used by criminals without raising red flags — sometimes for years — since students under 18 are not typically monitored by credit reporting agencies. The State of K-12 Cybersecurity estimated that breaches at school districts and their vendors exposed the personal information of tens of millions of K-12 students between 2016 and 2020.
- Easy targets: Public school budgets and staffing are usually stretched, making schools a far easier target than, say, a Fortune 500 company. Techies who set up school projectors and troubleshoot issues across typically outdated networks might also handle cybersecurity. Fewer than one-quarter of school districts have a full-time employee dedicated to network security.
- Landing and expanding: Attackers sometimes gain entry to wider government cybersecurity networks through weak points in school systems.
- Student hacks: Schools fight cyberattacks by criminal gangs on one side and teens on the other, with some students trying to change grades, “break stuff” or show what they can do. Recently, 14-year-old “WhiteHoodHacker” gained control over projectors and bell schedules across an Illinois school district, launching a synchronized prank.
- Cloud and vendor risks: Schools transitioning to cloud networking don’t always secure their side of the arrangement. What’s more, a single attack on an ed-tech vendor in the cloud can impact multiple school districts. In one incident, the breach of a learning assessment platform simultaneously exposed students’ personally identifiable information in 135 school districts.
- Parental pressure: School administrators need to keep school in session or answer to parents — a sense of urgency that criminal gangs exploit when they cripple school systems for ransom. In addition, a recent study showed that a large majority of K-12 parents support ransomware payments to keep their children’s records safe.
Tools for Schools
K12 SIX — which is part of the larger Global Resilience Federation of some 7,000 organizations across the world — recently released a significant new addition to school cybersecurity toolkits: The K12 SIX Essential Cybersecurity Protections describes a dozen basic measures. The new framework distills best practices and state and federal guidance, such as the National Institute for Standards and Technology’s cybersecurity framework. The measures are divided into four categories:
- Sanitize network traffic to/from the internet.
- Safeguard student, teacher and staff devices.
- Protect the identities of students, teachers and staff.
- Perform regular maintenance.
“There are many quite elaborate cybersecurity risk management frameworks that already exist, but they are overcooked for school districts’ capacity, for their needs, for the amount of money and resources they have available to them,” said K12 SIX National Director Doug Levin.
And according to Kit Huynh, senior sales engineering manager at Mimecast, “IT directors at schools are in over their heads, but we’re seeing groups like K12 SIX outline a simple way for them to get more of a handle on the situation.” Companies including Mimecast are also tailoring solutions that cover K-12 cybersecurity basics, such as email security, web security, data archiving, teacher training and integration across the range of IT and security tools.
The Bottom Line
Everyone from local parents to President Biden is calling for solutions to the ongoing wave of cyberattacks against America’s public schools. The K-12 Cybersecurity Act, recently signed into law, is putting the spotlight on schools’ most urgent needs and how to fill them.
 “Modernizing the E-rate Program for Schools and Libraries,” Consortium for School Networking et al
 “The State of K-12 Cybersecurity: 2020 Year in Review,” K-12 Cybersecurity Resource Center
 “Recent K-12 Data Breaches Show that Students Are Vulnerable to Harm,” U.S. Government Accounting Office
 “Guide to the NIST Cybersecurity Framework: A K-12 Perspective,” K-12 Cybersecurity Resource Center
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!