Privacy & Security

Education Dept. Slow to Recognize Seriousness of Cyberattacks, GAO Watchdog Report Finds

By Alyson Klein — October 25, 2022 3 min read
 abstract digital key with technology interface, cybersecurity, key, lock, cellphone, fingerprint, and cloud computing icons
  • Save to favorites
  • Print

Cyberattacks on K-12 schools are becoming an increasingly serious problem, costing districts money and lost learning time. But the federal government, including the U.S. Department of Education, has largely dropped the ball on some key steps to help schools prevent, plan for, and deal with these attacks.

That’s the message of a report released Monday by the Government Accountability Office, Congress’ investigative arm. It’s the third report in as many years that points to the escalating nature of K-12 cyberattacks and the second in a row that criticizes the federal response. It comes on the heels of one of the most high-profile cyberattacks yet, on the Los Angeles Unified school district, the nation’s second largest.

Cyberattacks have cost districts anywhere from three days to three weeks in lost instructional time, while recovery times tend to range from two to nine months, the GAO reported. It’s tough to know the exact number of attacks that have occurred, because many aren’t publicly reported, the agency noted. (The K12 Security Information Exchange, or K12 SIX, found that there have been more than 1,330 publicly disclosed attacks since 2016, when the nonprofit first began tracking these incidents.)

The Education Department is supposed to be serving as a communications and collaboration hub among K-12 districts and federal agencies that work on cybersecurity, including the Cybersecurity Infrastructure Security Agency (CISA), GAO said. But right now, it’s falling down on the job, the watchdog reported.

“The biggest issue we found is that there needs to be better coordination between the federal-level and the actual K-12 organizations,” said David Hinchman, the acting director of the GAO’s information technology and cybersecurity team, in an interview with GAO’s podcast. “There’s very little actual direct interaction between the agencies or with the K-12 community.”

That disconnect, he said, may be happening in part because the Education Department hasn’t acted on federal guidelines that call for it to create a government coordinating council, to help the feds and school districts collaborate and share information on attacks.

The GAO formally recommended the department create the council or find another way to ensure there’s continuing coordination and communication among school districts and the feds on cybersecurity. In response, the Education Department told the GAO it had begun informal coordination with other agencies, to which the GAO reiterated its recommendation for a more formal approach.

What’s more, while the Education Department and CISA have some products and services aimed at helping schools with cybersecurity, neither agency measures the effectiveness of those resources, GAO said. That’s something the GAO recommended the agencies get started on, noting that “doing so would provide further input on the needs of the schools.” CISA agreed.

The Education Department, on the other hand, promised only to explore what kinds of metrics would be best for measuring the effectiveness of its cybersecurity resources.

Finally, the GAO wrote that the Education Department should figure out how to help districts cope with challenges like inadequate staff, limited funding, and difficulty getting cybersecurity insurance. The department said it would.

Reading between the lines of the report, Doug Levin, the national director of K12 SIX, was stunned by what he saw as the department’s lackadaisical response to a major K-12 threat.

“I think that we have had more than enough evidence that this issue is serious and that schools need support specifically targeted to their context, their unique circumstances,” he said. Despite multiple letters from members of Congress, K12 SIX’s reports, and more, he doesn’t “see any sense of urgency by the federal agencies who are best positioned to help. I just think that there is a leadership void here.”


This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Budget & Finance Webinar
Innovative Funding Models: A Deep Dive into Public-Private Partnerships
Discover how innovative funding models drive educational projects forward. Join us for insights into effective PPP implementation.
Content provided by Follett Learning
Budget & Finance Webinar Staffing Schools After ESSER: What School and District Leaders Need to Know
Join our newsroom for insights on investing in critical student support positions as pandemic funds expire.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Student Achievement Webinar
How can districts build sustainable tutoring models before the money runs out?
District leaders, low on funds, must decide: broad support for all or deep interventions for few? Let's discuss maximizing tutoring resources.
Content provided by Varsity Tutors for Schools

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week