Last month, the Los Angeles school district was targeted in a massive ransomware attack (see Education Week’s story). Just weeks ago, Michigan’s South Redford school district was targeted by a cyberattack that closed its schools for two days. Educators and policymakers are justifiably rattled by such attacks and their increasing frequency. But what can they do about them? To answer that, I reached out to Doug Levin, who co-founded the K12 Security Information eXchange (K12 SIX) in 2020 to help schools with their cybersecurity challenges. Doug has tracked this issue closely for decades, having helped craft national educational technology plans for the Clinton, Bush, and Obama administrations. Here’s what he had to say about how to protect schools from cybersecurity attacks in the future.
—Rick
Rick: We’ve seen recent cyberattacks in Los Angeles and South Redford that have garnered national attention. For those of us who don’t usually track such things, what’s going on here?
Doug: The Los Angeles attack has captured our attention primarily because of the size of the district, but it is only the latest high-profile example of ransomware gangs victimizing school districts. Over the last few years, we’ve seen school systems of all sizes and types across all 50 states, including smaller districts like South Redford, fall prey to these attacks. Ransomware attacks are carried out by organized criminal groups operating overseas seeking to extort money from victims in exchange for the restoration of their IT systems and any sensitive data they may have been able to exfiltrate. They represent the single greatest cyber threat facing the K-12 sector.
Rick: How widespread is this kind of thing? And how big are the risks?
Doug: Ransomware attacks are just one of a range of cybersecurity risks for districts, given their reliance on technology and IT systems. Other common types of school cyber incidents include data breaches and leaks, phishing attacks, denial-of-service attacks, and the takeover and defacement of school websites, social media accounts, and email systems. These incidents have led to school closures, disruptions in teaching and learning, the loss of millions of taxpayer dollars, and identity theft of both students and school staff. Since 2016, we’ve documented over 1,300 publicly disclosed school cyber incidents, and—at least as far as we can tell—these incidents are growing both more frequent and more significant.
Rick: Is this something that all schools need to worry about, or just the biggest ones?
Doug: Frankly, cybersecurity risk management is an issue that any organization which relies on computers and IT systems for its operations needs to address. As schools have become more dependent on technology, they’ve introduced these risks to their communities. Having said that, it does appear that larger districts may be especially vulnerable. They manage more money, have more users, and manage far more devices and services than smaller districts—all of which increases their vulnerability to cyberattacks.
Rick: It seems like there should be more appealing targets for hackers. Given that, why go after schools?
Doug: This is among the biggest misconceptions held about school cyber incidents. Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud. And, given that other kinds of organizations which may have more money or more valuable data tend to be much better protected, schools represent an attractive target for some criminal groups.
Rick: OK. So what makes a district more or less vulnerable?
Doug: The fact of the matter is that school district cybersecurity risk-management practices are highly variable from district to district. For all intents and purposes, there is no minimum cybersecurity standard for school districts. I’d hazard that parents, educators, and even superintendents themselves would be surprised at the gap between what experts recommend organizations should do to defend themselves and the actual practices of districts. For instance, the adoption of multi-factor authentication to protect against password compromise is a best practice that the K-12 sector has been slow to adopt. Some of this is a resource and capacity issue, but it also is an issue of priorities, culture, and governance.
Rick: How can district leaders strengthen their defense?
Doug: I can recommend a slew of cybersecurity technologies that would help, but this is mostly not a technical issue that the right firewall or anti-virus software can fix. This is not about district IT leaders needing to just “cyber” harder. Rather, we need to recognize that there are no 100 percent guarantees in cybersecurity, and this is an issue that the K-12 sector is going to be dealing with going forward. Just as schools deal with physical security risks on their campuses, they need to develop plans to prioritize and manage cybersecurity risks, resource these plans appropriately, and practice them. Over time, we can prevent many of these incidents, and the impact of those that still occur can be significantly muted.
Rick: Given that, I presume districts can’t do it all alone. So, how can districts work with external technology providers to strengthen security?
Doug: Over the last several years, school districts have been decommissioning servers run on premises to take advantage of cloud-delivered software and services, whether for instructional, administrative, or operational purposes. And, while companies like Amazon, Google, and Microsoft—which operate the infrastructure that powers most education software and services—have far better IT security operations than schools ever will, not every vendor delivering their software via the cloud can say the same. For example, our cyber-incident tracking data has shown that ed-tech vendors—that are providing schools with custom instructional and administrative services—have been subject to a significant number of data-breach incidents affecting students and teachers. We’ve also seen K-12 services interrupted because vendors have to respond to cyber incidents they’ve experienced themselves. Ultimately, it’s hard to see a way forward unless some of the responsibility for IT security services shifts to organizations that can work at scale. For this to take root, though, school leaders will need to demand better cybersecurity policies and practices from their vendors and suppliers.
Rick: What one or two things can policymakers do to help?
Doug: We need to enact disclosure requirements for school cyber incidents so there is a better research base about how and how frequently schools are being compromised and so potential victims can protect themselves in a timely manner from harms like identity theft and fraud. School districts and their vendors also need to be held to higher standards of cybersecurity risk management.
Rick: What else can we do?
Doug: The sector would benefit from more organizations that can provide schools with trusted, vendor-neutral advice on how to shore up their defenses. Moreover, unless we are willing to take something else off schools’ plates, districts would benefit from funding dedicated to helping schools develop and implement robust cybersecurity risk-management programs. Ultimately, everybody has a role to play. Use a password manager. Use multi-factor authentication. Keep your devices’ software up-to-date, and for Pete’s sake don’t click that dodgy link.
This interview has been edited and condensed for clarity.