Like parents around the country, I know firsthand how COVID-19 created unprecedented disruptions to K-12 education. But this year my family also encountered another viral threat endangering our schools.
In September, Fairfax County Public Schools, where my daughter is a student, suffered a cyberattack that exposed personnel and student records. Cyber criminals used what’s known as “ransomware” to obtain confidential information and threatened to publish it unless they received a ransom payment.
The situation in Fairfax is still under investigation, but it’s clear that cyberattacks on K-12 schools are a growing problem nationwide that must be addressed.
Since 2016, there have been 1,017 cyberattacks that breached or seriously endangered K-12 systems, including 54 ransomware attacks this year alone. Microsoft Security Intelligence found 61% of enterprise malware threats are in education, making it the most at-risk sector.
Cybercriminals see schools as soft targets. In recent years, schools have been relying more than ever on digital learning tools and electronic records—and COVID-19 has dramatically accelerated this trend. But security has not kept up. For example, only 1-in-5 school districts have a chief information security officer. Nearly half of school districts don’t even have a formal password policy that is widely followed, and most devices used for distance learning have out-of-date versions of their operating systems and software.
Given these vulnerabilities, the public is increasingly concerned about cybersecurity in education. A recent national survey from Touchdown Strategies and TechnoMetrica found that only 46% of Americans had confidence in schools to protect their data—far less than other institutions. By comparison, 78% had confidence in financial companies.
So, what can be done to improve cybersecurity in schools? Addressing this threat requires engagement from federal and state policymakers, as well as school leaders and communities.
First, while Congress has already increased federal spending for school information technology, cybersecurity has been overlooked. Earlier this year, an education industry report found that school IT leaders ranked cybersecurity as their top priority. But when Congress gave $31 billion to help public schools as part of the coronavirus relief package – including billions in grants focused on IT – none of it was allocated for cybersecurity. Congress must give schools flexibility to use IT-related funding on their priorities.
For example, schools receive subsidies through the E-Rate program, which is managed by the Federal Communications Commission (FCC), to purchase IT services like broadband internet. Schools should be permitted to use part of this subsidy for their cybersecurity needs, which they currently cannot do. This proposal has already been endorsed by both Democrat and Republican members of the FCC and would require a simple regulatory change rather than a new law.
Better prioritization of public funds can help. But as Christy Wyatt, CEO of the IT firm Absolute, described the cybersecurity challenge facing K-12 leaders: “This is not something that can be achieved by simply spending more money… especially when that money comes from public funds. The questions they each need to be asking are if they have the right foundational security measures in place, and whether the controls they have already invested in are working properly.”
The federal government can help provide guidance to improve these security measures. The National Institute of Standards & Technology (NIST) has developed a cybersecurity framework to help organizations. The Department of Education, and state and local education leaders, could work with NIST to implement this framework in a way tailored to the needs of education. For example, NIST has expertise to guide organizations in adopting encryption for sensitive data, a practice which is currently in place for only 26% of school districts.
State governments must take action as well, since they have a leading role in education policy and have cybersecurity resources that local governments often lack.
For instance, in 2019 Louisiana experienced a series of school cyberattacks. That crisis was quelled when the governor declared a state of emergency, allowing assistance from the state police and Louisiana National Guard, which had more advanced capabilities. The National Governors Association has now recommended that all states appoint and properly empower state-level cybersecurity coordinators to help ensure effective cooperation among agencies before and during attacks.
Schools will also need to look beyond government agencies to meet their cybersecurity needs. Given the proliferation of cyber threats, government agencies cannot handle all the possible risks on their own. That’s why businesses have formed industry consortiums – typically called Information Security and Analysis Centers (ISACs) – to share intelligence between companies and cooperate on responses and training.
K-12 schools should establish a similar consortium, modeled on those created by businesses as well as the Research and Education Networks ISAC, which serves higher education.
Finally, parents, teachers, and students can contribute by engaging with schools and school boards to re-assess and improve cybersecurity standards. Just as hand washing and face masks have been important in the fight against COVID-19, personal behavior is essential for addressing cyber threats. The attack in Fairfax was preceded by suspicious messages several days earlier that were not addressed. Schools should ensure their policies on “cyber hygiene”—like password strength and training on hazardous emails—are consistent with best practices.
Like threats to public health, cybersecurity risks will always be with us. But let’s use the increasing attacks on schools as a wake-up call to make education more secure and resilient.
James Davis is the father of five and founder of Touchdown Strategies, a boutique PR firm.