K-12 Cybersecurity Lessons Learned From 'Constant Barrage of Attacks'
When hackers struck one-third of North Dakota’s schools with a vicious malware attack last February, it highlighted the growing cyber threat facing America’s public-education sector—even in a state that’s ahead of the cybersecurity curve.
“It moved quickly, and it didn’t care what it hit,” said Sean Wiese, North Dakota’s chief information security officer. “Just like any corporate environment, we have a constant barrage of attacks at our front door.”
For this special report on K-12 cybersecurity challenges, Education Week spoke with state and local technology officials across North Dakota. We also surveyed the nation’s school technology leaders, in partnership with the Consortium for School Networking. The aim was to better understand both the nature of the cyber threats schools face, and the steps they are taking in response.
The results paint a mostly worrisome picture.
In North Dakota alone, for example, the state network used by K-12 schools, state universities, and other public agencies experiences 5.7 million known cyberattacks every month, officials said.
Nationwide, though, recognition of such dangers is still mostly low.
There is some good news that ed-tech leaders are getting their heads out of the sand: More than half of K-12 CTOs now say phishing scams are a significant or very significant problem, up from 48 percent last year, according to the Education Week/CoSN survey.
But when it comes to ransomware attacks, data breaches, distributed denial-of-service attacks, and even the kind of malware that slammed North Dakota, 70 percent or more of the respondents don’t see a serious threat. In many cases, the percentage of school technology leaders perceiving such hazards as a serious problem has actually declined since 2017.
A similar dynamic is at work when it comes to taking preventative action. School districts do seem to have gone on a spending spree: 59 percent of school tech leaders now say they are purchasing cybersecurity-related products and services, compared with just 29 percent a year ago.
But there have been only slight upticks in the percentages of school technology leaders who say they’re taking basic steps to improve their districts’ cyber hygiene, like monitoring network traffic in real-time. Nearly half of K-12 technology leaders say their districts don’t have a formal password policy that is widely followed. One in four don’t have a password policy at all.
“Relying solely on ad hoc efforts to manage school cybersecurity risk is like playing football without a helmet,” said Doug Levin, the CEO of consulting group EdTech Strategies, which operates the K-12 Cybersecurity Resource Center. “The digital threats facing schools today are greater than they have ever been, and it is only a matter of time before a preventable incident blindsides a member of the school community.”
‘Our First Line of Defense’
In North Dakota, cybersecurity is increasingly top-of-mind.
“In the old days, you didn’t wake up thinking about security,” said Casey Mueller, the director of core technology for the 13,000-student Bismarck school system, who started with the district as an intern back in 2001, when he was still in high school. “Now, you do a check first thing every day to make sure things are functioning as expected.”
This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.
That kind of vigilance helped Bismarck schools ward off the February 2018 malware attack that swept through the state. Mueller said the district is lucky to have the capacity and resources to tend to many cybersecurity basics.
“We make sure we stay up to date on security patches, we train users, and we enforce a password scheme,” he said. “When you start looking at rural North Dakota, though, you often have a tech coordinator who is also the baseball and wrestling coach. They don’t have the skill set or know-how to stay on top of these things.”
That fundamental staffing challenge is evident across the country: Overall, just 25 percent of K-12 schools have a full-time staff member dedicated to ensuring network security, according to the CoSN survey data. In rural schools, that figure plummets to 8 percent.
While North Dakota is the least-densely populated state in the continental U.S., it does have some advantages.
The state department of information technology manages a statewide broadband network known as STAGEnet. Each day, more than a quarter-million users across 400 separate public entities—including the state’s 227 K-12 school districts—use the network. Much of the work of monitoring and filtering incoming traffic is handled at the state level, taking some of the burden off under-resourced schools.
There’s also a push underway to get the North Dakota legislature to adopt a “one state, one security” approach that would consolidate cybersecurity strategy in the state’s information technology department.
K-12 districts face an array of threats from cyberattacks and security breaches. In this Education Week webinar, staff writer Benjamin Herold talks with guests about how district leaders can secure data and networks and insulate schools from bad actors.
Levin of EdTech Strategies said there’s “a lot that makes sense” about such a statewide approach to cybersecurity, less-comprehensive versions of which can also be found in Kansas, Missouri, North Carolina, and Utah. But it’s not a cure-all.
In Bismarck, the state-level support has complemented local work, said Mueller’s boss, district technology director Tanna Kincaid.
One of the biggest benefits, she said, has been helping elevate the sense of urgency within the district, which has helped smooth her team’s efforts on issues like improving staff members’ password practices.
“When you first start, people are like, ‘Why do I have to have a 14-character password?’ ” Kincaid said. “But most of our users now understand that’s our first line of defense.”
A big part of the K-12 cybersecurity challenge is technical.
But education and training are also huge—both for teachers for the present, and when it comes to preparing students for the future.
That’s especially crucial in North Dakota, where schools are all on a statewide network shared by other public agencies, said Matthew G. Scherbenske, a deputy director in the office of academic support in the state department of public instruction.
“It’s very important that we get our students to understand what their role is,” Scherbenske said.
To help make that happen, the state has adopted a K-20W Cyber Education initiative. It includes embedding cybersecurity throughout new statewide computer science standards, improving cybersecurity training for in-service teachers, and focusing on cybersecurity-workforce development.
Misti Werle has been on the frontlines of that work. In her work coordinating the school libraries in the 13,000-student Bismarck district, she’s long made digital citizenship and online safety points of emphasis.
Recently, though, Werle has also been on the state committee writing the new cybersecurity-heavy state computer-science standards. The focus starts in kindergarten and runs through high school, with specific grade-level standards around such cybersecurity strategies as password management, as well as broader skills like coding.
“We know not all students are going to be cybersecurity specialists in the future. But all of them will be dealing with day-to-day things like accessing medical and banking records,” Werle said. “These are skills all students are going to need.”
Start With Basic Steps
The K-12 Cybersecurity Resource Center documented 122 publicly reported cyberattacks on schools in 2018. Well over half resulted in the sensitive data of students or staff being compromised. That’s probably the tip of the iceberg.
Levin said it’s critical that districts not wait to take basic steps.
“Just like we know that eating right and exercising can lead to a healthier life, there are basic cyber hygiene practices—such as deploying anti-malware and anti-phishing technology, ensuring IT systems are backed up, implementing multi-factor authentication, and offering user training—that can make a big difference,” he said.
Still, national survey data suggests that remains a heavy lift.
More than one-third of K-12 tech leaders say their district either doesn’t have a password policy, or has a policy that isn’t widely followed. And just 40 percent of districts that do have password policies include monitoring of log-in attempts to district accounts, a common security measure, according to the nationally representative CoSN/Education Week Research Center survey.
Just 14 percent of respondents require multi-factor authentication. Only 19 percent have a cybersecurity plan. There wasn’t any increase from 2017 to 2018 in the percentage of K-12 CTOs who are training teachers and students around good cybersecurity practices.
Bismarck, at least, is working on that last piece.
But even North Dakota’s largest school district says it’s not where it would like to be. Despite the emphasis on greater password security, the district still doesn’t have an official password policy, Kincaid and Mueller said. Nor is it yet requiring multi-factor authentication on district accounts.
‘Ramp Up Our Efforts’
And in school systems like the 1,000-student New Town, N.D., district, the barriers are even more profound.
Located on the Fort Berthold Indian Reservation in the oil fields of the state’s northwestern corner, the New Town district serves a transient population of mostly Native American students living in poverty. It’s a huge challenge to retain or recruit technology talent, said Kara Four Bear, who recently became principal of the local middle school. There are also plenty of more immediately pressing needs.
“When I came on last year, the school was very much in need of some good old-fashioned love,” she said. “It needed somebody to care about the curriculum, the students and the teachers, even the building.”
Four Bear said she’s worked hard to make technology part of her transformation efforts. New Town Middle is trying to build a 1-to-1 program. Most classrooms have document cameras and smart televisions. Four Bear has arranged for her staff to receive training from the National Initiative for Cybersecurity Education, housed in the federal government. For extracurriculars, her students now take part in afterschool STEM clubs and NASA competitions.
“There’s no more bringing in the rodeo clown,” she said.
But such efforts don’t leave much time or money to focus on network security. Being able to rely on the state information technology department has helped. But cybersecurity is just one in a long line of priorities to worry about—and it rarely makes it to the top of the list.
“It’s an area where we really need to ramp up our efforts,” Four Bear said.“We can’t just be building managers anymore.”
Vol. 38, Issue 28, Pages 16-17Published in Print: March 19, 2019, as K-12 Cyber Threats Keep Mounting