Issues & Insights

Schools Are Under Growing Threat From Cyberattacks, Policymakers Must Act

Image by kalhh from Pixabay

Like parents around the country, I know firsthand how COVID-19 created unprecedented disruptions to K-12 education. But this year my family also encountered another viral threat endangering our schools.

In September, Fairfax County Public Schools, where my daughter is a student, suffered a cyberattack that exposed personnel and student records. Cyber criminals used what’s known as “ransomware” to obtain confidential information and threatened to publish it unless they received a ransom payment. 

The situation in Fairfax is still under investigation, but it’s clear that cyberattacks on K-12 schools are a growing problem nationwide that must be addressed. 

Since 2016, there were 1,017 cyberattacks that breached or seriously endangered K-12 systems, including 54 ransomware attacks this year alone. Microsoft Security Intelligence found 61%  of enterprise malware threats are in education, making it the most at-risk sector. 

Cybercriminals see schools as soft targets. In recent years, schools are relying more than ever on digital learning tools and electronic records—and COVID-19 has dramatically accelerated this trend. But security has not kept up. For example, only 1-in-5 school districts have a chief information security officer. Nearly half of school districts don’t even have a formal password policy that is widely followed, and most devices used for distance learning have out-of-date versions of their operating systems and software.

Given these vulnerabilities, the public is increasingly concerned about cybersecurity in education. A recent national survey from Touchdown Strategies and TechnoMetrica found that only 46% of Americans had confidence in schools to protect their data—far less than other institutions. By comparison, 78% had confidence in financial companies. 

So, what can be done to improve cybersecurity in schools? Addressing this threat requires engagement from federal and state policymakers, as well as school leaders and communities.

First, while Congress has already increased federal spending for school information technology, cybersecurity has been overlooked. Earlier this year, an education industry report found that schools IT leaders ranked cybersecurity as their top priority. But when Congress gave $31 billion to help public schools as part of the coronavirus relief package – including billions in grants focused on IT – none of it was allocated for cybersecurity. Congress must give schools flexibility to use IT-related funding on their priorities.     

For example, schools receive subsidies through the E-Rate program, which is managed by the Federal Communications Commission (FCC), to purchase IT services like broadband internet. Schools should be permitted to use part of this subsidy for their cybersecurity needs, which they currently cannot do. This proposal has already been endorsed by both Democrat and Republican members of the FCC and would require a simple regulatory change rather than a new law.

Better prioritization of public funds can help. But as Christy Wyatt, CEO of the IT firm Absolute, described  the cybersecurity challenge facing K-12 leaders: “This is not something that can be achieved by simply spending more money… especially when that money comes from public funds. The questions they each need to be asking are if they have the right foundational security measures in place, and whether the controls they have already invested in are working properly.” 

The federal government can help provide guidance to improve these security measures. The National Institute of Standards & Technology (NIST) has developed a cybersecurity framework to help organizations. The Department of Education, and state and local education leaders, could work with NIST to implement this framework in a way tailored to the needs of education. For example, NIST has expertise to guide organizations in adopting encryption for sensitive data, a practice which is currently in place for only 26% of school districts

States governments must take action as well, since they have a leading role in education policy and have cybersecurity resources that local governments often lack.

For instance, in 2019 Louisiana experienced a series of school cyberattacks. That crisis was quelled when the governor declared a state of emergency, allowing assistance from the state police and Louisiana National Guard which had more advanced capabilities. The National Governors Association has now recommended that all states appoint and properly empower state-level cybersecurity coordinators to help ensure effective cooperation among agencies before and during attacks. 

Schools will also need to look beyond government agencies to meet their cybersecurity needs. Given the proliferation of cyber threats, government agencies cannot handle all the possible risks on their own. That’s why businesses have formed industry consortiums – typically called Information Security and Analysis Centers (ISACs) – to share intelligence between companies and cooperate on responses and training. 

K-12 schools should establish a similar consortium, modeled on those created by businesses as well as the Research and Education Networks ISAC, which serves higher education.  

Finally, parents, teachers, and students can contribute by engaging with schools and school boards to re-assess and improve cybersecurity standards. Just as hand washing and face masks have been important in the fight against COVID-19, personal behavior is essential for addressing cyber threats. The attack in Fairfax was preceded by suspicious messages several days earlier that were not addressed. Schools should ensure their policies on “cyber hygiene”—like password strength and training on hazardous emails—are consistent with best practices.

Like threats to public health, cybersecurity risks will always be with us. But let’s use the increasing attacks on schools as a wake-up call to make education more secure and resilient. 

James Davis is the father or five and founder of Touchdown Strategies, a boutique PR firm.

We Could Use Your Help

Issues & Insights was founded by seasoned journalists from the IBD Editorials page. Our mission is to use our decades of experience to provide timely, fact-based reporting and deeply informed analysis on the news of the day.

We’re doing this on a voluntary basis because we think our approach to commentary is sorely lacking both in today’s mainstream media and on the internet. You can help us keep our mission going. If you like what you see, feel free to visit our Donations Page by clicking here. And be sure to tell your friends!

You can also subscribe to I&I: It's free!

Just enter your email address below to get started.

Subscribe to Issues & Insights via Email

Enter your email address to subscribe to I&I and you can receive notifications of new articles in your email. It’s simple, and free.

Join 4,516 other subscribers

Donations

If you like what you see, feel free to leave a donation. You can also set up regular donations if you like. Just click on the Tip Jar above. It will take you to a PayPal donations page. Your contributions will help us defray the cost of running this site. (Please note that we are not set up as a charitable organization, so donations aren't tax deductible.) Thank you!

About Issues & Insights

Issues & Insights is run by the seasoned journalists behind the legendary IBD Editorials page. Our goal is to bring our decades of combined journalism experience to help readers understand the top issues of the day. We’re doing this on a voluntary basis, because we believe the nation needs the kind of cogent, rational, data-driven, fact-based commentary that we can provide. 

%d bloggers like this: