Opinion Blog


Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

Why Are Schools a Target for Cyberattacks?

As schools have become more dependent on technology, the frequency of these attacks has increased
By Rick Hess — October 06, 2022 6 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

Last month, the Los Angeles school district was targeted in a massive ransomware attack (see Education Week’s story here). Just weeks ago, Michigan’s South Redford school district was targeted by a cyberattack that closed its schools for two days. Educators and policymakers are justifiably rattled by such attacks and their increasing frequency. But what can they do about them? To answer that, I reached out to Doug Levin, who co-founded the K12 Security Information eXchange (K12 SIX) in 2020 to help schools with their cybersecurity challenges. Doug has tracked this issue closely for decades, having helped craft national educational technology plans for the Clinton, Bush, and Obama administrations. Here’s what he had to say about how to protect schools from cybersecurity attacks in the future.

—Rick

Rick: We’ve seen recent cyberattacks in Los Angeles and South Redford that have garnered national attention. For those of us who don’t usually track such things, what’s going on here?

Doug: The Los Angeles attack has captured our attention primarily because of the size of the district, but it is only the latest high-profile example of ransomware gangs victimizing school districts. Over the last few years, we’ve seen school systems of all sizes and types across all 50 states, including smaller districts like South Redford, fall prey to these attacks. Ransomware attacks are carried out by organized criminal groups operating overseas seeking to extort money from victims in exchange for the restoration of their IT systems and any sensitive data they may have been able to exfiltrate. They represent the single greatest cyber threat facing the K-12 sector.

Rick: How widespread is this kind of thing? And how big are the risks?

Doug: Ransomware attacks are just one of a range of cybersecurity risks for districts, given their reliance on technology and IT systems. Other common types of school cyber incidents include data breaches and leaks, phishing attacks, denial-of-service attacks, and the takeover and defacement of school websites, social media accounts, and email systems. These incidents have led to school closures, disruptions in teaching and learning, the loss of millions of taxpayer dollars, and identity theft of both students and school staff. Since 2016, we’ve documented over 1,300 publicly disclosed school cyber incidents, and—at least as far as we can tell—these incidents are growing both more frequent and more significant.

Rick: Is this something that all schools need to worry about, or just the biggest ones?

Doug: Frankly, cybersecurity risk management is an issue that any organization which relies on computers and IT systems for its operations needs to address. As schools have become more dependent on technology, they’ve introduced these risks to their communities. Having said that, it does appear that larger districts may be especially vulnerable. They manage more money, have more users, and manage far more devices and services than smaller districts—all of which increases their vulnerability to cyberattacks.

Rick: It seems like there should be more appealing targets for hackers. Given that, why go after schools?

Doug: This is among the biggest misconceptions held about school cyber incidents. Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud. And, given that other kinds of organizations which may have more money or more valuable data tend to be much better protected, schools represent an attractive target for some criminal groups.

Rick: OK. So what makes a district more or less vulnerable?

Doug: The fact of the matter is that school district cybersecurity risk-management practices are highly variable from district to district. For all intents and purposes, there is no minimum cybersecurity standard for school districts. I’d hazard that parents, educators, and even superintendents themselves would be surprised at the gap between what experts recommend organizations should do to defend themselves and the actual practices of districts. For instance, the adoption of multi-factor authentication to protect against password compromise is a best practice that the K-12 sector has been slow to adopt. Some of this is a resource and capacity issue, but it also is an issue of priorities, culture, and governance.

Rick: How can district leaders strengthen their defense?

Doug: I can recommend a slew of cybersecurity technologies that would help, but this is mostly not a technical issue that the right firewall or anti-virus software can fix. This is not about district IT leaders needing to just “cyber” harder. Rather, we need to recognize that there are no 100 percent guarantees in cybersecurity, and this is an issue that the K-12 sector is going to be dealing with going forward. Just as schools deal with physical security risks on their campuses, they need to develop plans to prioritize and manage cybersecurity risks, resource these plans appropriately, and practice them. Over time, we can prevent many of these incidents, and the impact of those that still occur can be significantly muted.

Rick: Given that, I presume districts can’t do it all alone. So, how can districts work with external technology providers to strengthen security?

Doug: Over the last several years school districts have been decommissioning servers run on premises to take advantage of cloud-delivered software and services, whether for instructional, administrative, or operational purposes. And, while companies like Amazon, Google, and Microsoft—which operate the infrastructure that powers most education software and services—have far better IT security operations than schools ever will, not every vendor delivering their software via the cloud can say the same. For example, our cyber-incident tracking data has shown that ed-tech vendors—that are providing schools with custom instructional and administrative services—have been subject to a significant number of data-breach incidents affecting students and teachers. We’ve also seen K12 services interrupted because vendors have to respond to cyber incidents they’ve experienced themselves. Ultimately, it’s hard to see a way forward unless some of the responsibility for IT security services shifts to organizations that can work at scale. For this to take root, though, school leaders will need to demand better cybersecurity policies and practices from their vendors and suppliers.

Rick: What one or two things can policymakers do to help?

Doug: We need to enact disclosure requirements for school cyber incidents so there is a better research base about how and how frequently schools are being compromised and so potential victims can protect themselves in a timely manner from harms like identity theft and fraud. School districts and their vendors also need to be held to higher standards of cybersecurity risk management.

Rick: What else can we do?

Doug: The sector would benefit from more organizations that can provide schools with trusted, vendor-neutral advice on how to shore up their defenses. Moreover, unless we are willing to take something else off schools’ plates, districts would benefit from funding dedicated to helping schools develop and implement robust cybersecurity risk-management programs. Ultimately, everybody has a role to play. Use a password manager. Use multi-factor authentication. Keep your devices’ software up-to-date, and for Pete’s sake don’t click that dodgy link.

This interview has been edited and condensed for clarity.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Reading & Literacy Webinar
(Re)Focus on Dyslexia: Moving Beyond Diagnosis & Toward Transformation
Move beyond dyslexia diagnoses & focus on effective literacy instruction for ALL students. Join us to learn research-based strategies that benefit learners in PreK-8.
Content provided by EPS Learning
Classroom Technology Live Online Discussion A Seat at the Table: Is AI Out to Take Your Job or Help You Do It Better?
With all of the uncertainty K-12 educators have around what AI means might mean for the future, how can the field best prepare young people for an AI-powered future?
Special Education K-12 Essentials Forum Understanding Learning Differences
Join this free virtual event for insights that will help educators better understand and support students with learning differences.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Download A Tip Sheet to Help Teachers Prevent and Respond to Doxxing
Teachers can be a target for malicious actors. Use this tip sheet to prevent and respond to doxxing.
1 min read
Image of digital safety against doxxing and privacy invasion.
Laura Baker/Education Week via Canva
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
E+
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus