Opinion Blog


Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

Why Are Schools a Target for Cyberattacks?

As schools have become more dependent on technology, the frequency of these attacks has increased
By Rick Hess — October 06, 2022 6 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

Last month, the Los Angeles school district was targeted in a massive ransomware attack (see Education Week’s story here). Just weeks ago, Michigan’s South Redford school district was targeted by a cyberattack that closed its schools for two days. Educators and policymakers are justifiably rattled by such attacks and their increasing frequency. But what can they do about them? To answer that, I reached out to Doug Levin, who co-founded the K12 Security Information eXchange (K12 SIX) in 2020 to help schools with their cybersecurity challenges. Doug has tracked this issue closely for decades, having helped craft national educational technology plans for the Clinton, Bush, and Obama administrations. Here’s what he had to say about how to protect schools from cybersecurity attacks in the future.

—Rick

Rick: We’ve seen recent cyberattacks in Los Angeles and South Redford that have garnered national attention. For those of us who don’t usually track such things, what’s going on here?

Doug: The Los Angeles attack has captured our attention primarily because of the size of the district, but it is only the latest high-profile example of ransomware gangs victimizing school districts. Over the last few years, we’ve seen school systems of all sizes and types across all 50 states, including smaller districts like South Redford, fall prey to these attacks. Ransomware attacks are carried out by organized criminal groups operating overseas seeking to extort money from victims in exchange for the restoration of their IT systems and any sensitive data they may have been able to exfiltrate. They represent the single greatest cyber threat facing the K-12 sector.

Rick: How widespread is this kind of thing? And how big are the risks?

Doug: Ransomware attacks are just one of a range of cybersecurity risks for districts, given their reliance on technology and IT systems. Other common types of school cyber incidents include data breaches and leaks, phishing attacks, denial-of-service attacks, and the takeover and defacement of school websites, social media accounts, and email systems. These incidents have led to school closures, disruptions in teaching and learning, the loss of millions of taxpayer dollars, and identity theft of both students and school staff. Since 2016, we’ve documented over 1,300 publicly disclosed school cyber incidents, and—at least as far as we can tell—these incidents are growing both more frequent and more significant.

Rick: Is this something that all schools need to worry about, or just the biggest ones?

Doug: Frankly, cybersecurity risk management is an issue that any organization which relies on computers and IT systems for its operations needs to address. As schools have become more dependent on technology, they’ve introduced these risks to their communities. Having said that, it does appear that larger districts may be especially vulnerable. They manage more money, have more users, and manage far more devices and services than smaller districts—all of which increases their vulnerability to cyberattacks.

Rick: It seems like there should be more appealing targets for hackers. Given that, why go after schools?

Doug: This is among the biggest misconceptions held about school cyber incidents. Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud. And, given that other kinds of organizations which may have more money or more valuable data tend to be much better protected, schools represent an attractive target for some criminal groups.

Rick: OK. So what makes a district more or less vulnerable?

Doug: The fact of the matter is that school district cybersecurity risk-management practices are highly variable from district to district. For all intents and purposes, there is no minimum cybersecurity standard for school districts. I’d hazard that parents, educators, and even superintendents themselves would be surprised at the gap between what experts recommend organizations should do to defend themselves and the actual practices of districts. For instance, the adoption of multi-factor authentication to protect against password compromise is a best practice that the K-12 sector has been slow to adopt. Some of this is a resource and capacity issue, but it also is an issue of priorities, culture, and governance.

Rick: How can district leaders strengthen their defense?

Doug: I can recommend a slew of cybersecurity technologies that would help, but this is mostly not a technical issue that the right firewall or anti-virus software can fix. This is not about district IT leaders needing to just “cyber” harder. Rather, we need to recognize that there are no 100 percent guarantees in cybersecurity, and this is an issue that the K-12 sector is going to be dealing with going forward. Just as schools deal with physical security risks on their campuses, they need to develop plans to prioritize and manage cybersecurity risks, resource these plans appropriately, and practice them. Over time, we can prevent many of these incidents, and the impact of those that still occur can be significantly muted.

Rick: Given that, I presume districts can’t do it all alone. So, how can districts work with external technology providers to strengthen security?

Doug: Over the last several years school districts have been decommissioning servers run on premises to take advantage of cloud-delivered software and services, whether for instructional, administrative, or operational purposes. And, while companies like Amazon, Google, and Microsoft—which operate the infrastructure that powers most education software and services—have far better IT security operations than schools ever will, not every vendor delivering their software via the cloud can say the same. For example, our cyber-incident tracking data has shown that ed-tech vendors—that are providing schools with custom instructional and administrative services—have been subject to a significant number of data-breach incidents affecting students and teachers. We’ve also seen K12 services interrupted because vendors have to respond to cyber incidents they’ve experienced themselves. Ultimately, it’s hard to see a way forward unless some of the responsibility for IT security services shifts to organizations that can work at scale. For this to take root, though, school leaders will need to demand better cybersecurity policies and practices from their vendors and suppliers.

Rick: What one or two things can policymakers do to help?

Doug: We need to enact disclosure requirements for school cyber incidents so there is a better research base about how and how frequently schools are being compromised and so potential victims can protect themselves in a timely manner from harms like identity theft and fraud. School districts and their vendors also need to be held to higher standards of cybersecurity risk management.

Rick: What else can we do?

Doug: The sector would benefit from more organizations that can provide schools with trusted, vendor-neutral advice on how to shore up their defenses. Moreover, unless we are willing to take something else off schools’ plates, districts would benefit from funding dedicated to helping schools develop and implement robust cybersecurity risk-management programs. Ultimately, everybody has a role to play. Use a password manager. Use multi-factor authentication. Keep your devices’ software up-to-date, and for Pete’s sake don’t click that dodgy link.

This interview has been edited and condensed for clarity.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.

Events

Mathematics Live Online Discussion A Seat at the Table: Breaking the Cycle: How Districts are Turning around Dismal Math Scores
Math myth: Students just aren't good at it? Join us & learn how districts are boosting math scores.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Achievement Webinar
How To Tackle The Biggest Hurdles To Effective Tutoring
Learn how districts overcome the three biggest challenges to implementing high-impact tutoring with fidelity: time, talent, and funding.
Content provided by Saga Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Well-Being Webinar
Reframing Behavior: Neuroscience-Based Practices for Positive Support
Reframing Behavior helps teachers see the “why” of behavior through a neuroscience lens and provides practices that fit into a school day.
Content provided by Crisis Prevention Institute

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty
Privacy & Security As Cyberattacks Mount, Lawmakers Double Their Efforts to Protect Schools
But the legislative push is not matched by funds to build better cyber defenses.
2 min read
Conceptual illustration of computer with a pixelated lock on screen.
Nanzeeba Ibnat/iStock/Getty Images Plus
Privacy & Security 3 Superintendents Share Cybersecurity Best Practices
Cyberattacks cause major disruptions to learning, but school districts are still struggling to put in place effective protections.
3 min read
Image of a red glowing caution sign over a dark field of data.
Getty