Opinion Blog


Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

Why Are Schools a Target for Cyberattacks?

As schools have become more dependent on technology, the frequency of these attacks has increased
By Rick Hess — October 06, 2022 6 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

Last month, the Los Angeles school district was targeted in a massive ransomware attack (see Education Week’s story here). Just weeks ago, Michigan’s South Redford school district was targeted by a cyberattack that closed its schools for two days. Educators and policymakers are justifiably rattled by such attacks and their increasing frequency. But what can they do about them? To answer that, I reached out to Doug Levin, who co-founded the K12 Security Information eXchange (K12 SIX) in 2020 to help schools with their cybersecurity challenges. Doug has tracked this issue closely for decades, having helped craft national educational technology plans for the Clinton, Bush, and Obama administrations. Here’s what he had to say about how to protect schools from cybersecurity attacks in the future.

—Rick

Rick: We’ve seen recent cyberattacks in Los Angeles and South Redford that have garnered national attention. For those of us who don’t usually track such things, what’s going on here?

Doug: The Los Angeles attack has captured our attention primarily because of the size of the district, but it is only the latest high-profile example of ransomware gangs victimizing school districts. Over the last few years, we’ve seen school systems of all sizes and types across all 50 states, including smaller districts like South Redford, fall prey to these attacks. Ransomware attacks are carried out by organized criminal groups operating overseas seeking to extort money from victims in exchange for the restoration of their IT systems and any sensitive data they may have been able to exfiltrate. They represent the single greatest cyber threat facing the K-12 sector.

Rick: How widespread is this kind of thing? And how big are the risks?

Doug: Ransomware attacks are just one of a range of cybersecurity risks for districts, given their reliance on technology and IT systems. Other common types of school cyber incidents include data breaches and leaks, phishing attacks, denial-of-service attacks, and the takeover and defacement of school websites, social media accounts, and email systems. These incidents have led to school closures, disruptions in teaching and learning, the loss of millions of taxpayer dollars, and identity theft of both students and school staff. Since 2016, we’ve documented over 1,300 publicly disclosed school cyber incidents, and—at least as far as we can tell—these incidents are growing both more frequent and more significant.

Rick: Is this something that all schools need to worry about, or just the biggest ones?

Doug: Frankly, cybersecurity risk management is an issue that any organization which relies on computers and IT systems for its operations needs to address. As schools have become more dependent on technology, they’ve introduced these risks to their communities. Having said that, it does appear that larger districts may be especially vulnerable. They manage more money, have more users, and manage far more devices and services than smaller districts—all of which increases their vulnerability to cyberattacks.

Rick: It seems like there should be more appealing targets for hackers. Given that, why go after schools?

Doug: This is among the biggest misconceptions held about school cyber incidents. Schools manage more than enough money to capture the attention of cyber criminals, to say nothing of the value of the data they hold. While most cyber criminals couldn’t care less about students’ algebra grades, it turns out that the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud. And, given that other kinds of organizations which may have more money or more valuable data tend to be much better protected, schools represent an attractive target for some criminal groups.

Rick: OK. So what makes a district more or less vulnerable?

Doug: The fact of the matter is that school district cybersecurity risk-management practices are highly variable from district to district. For all intents and purposes, there is no minimum cybersecurity standard for school districts. I’d hazard that parents, educators, and even superintendents themselves would be surprised at the gap between what experts recommend organizations should do to defend themselves and the actual practices of districts. For instance, the adoption of multi-factor authentication to protect against password compromise is a best practice that the K-12 sector has been slow to adopt. Some of this is a resource and capacity issue, but it also is an issue of priorities, culture, and governance.

Rick: How can district leaders strengthen their defense?

Doug: I can recommend a slew of cybersecurity technologies that would help, but this is mostly not a technical issue that the right firewall or anti-virus software can fix. This is not about district IT leaders needing to just “cyber” harder. Rather, we need to recognize that there are no 100 percent guarantees in cybersecurity, and this is an issue that the K-12 sector is going to be dealing with going forward. Just as schools deal with physical security risks on their campuses, they need to develop plans to prioritize and manage cybersecurity risks, resource these plans appropriately, and practice them. Over time, we can prevent many of these incidents, and the impact of those that still occur can be significantly muted.

Rick: Given that, I presume districts can’t do it all alone. So, how can districts work with external technology providers to strengthen security?

Doug: Over the last several years school districts have been decommissioning servers run on premises to take advantage of cloud-delivered software and services, whether for instructional, administrative, or operational purposes. And, while companies like Amazon, Google, and Microsoft—which operate the infrastructure that powers most education software and services—have far better IT security operations than schools ever will, not every vendor delivering their software via the cloud can say the same. For example, our cyber-incident tracking data has shown that ed-tech vendors—that are providing schools with custom instructional and administrative services—have been subject to a significant number of data-breach incidents affecting students and teachers. We’ve also seen K12 services interrupted because vendors have to respond to cyber incidents they’ve experienced themselves. Ultimately, it’s hard to see a way forward unless some of the responsibility for IT security services shifts to organizations that can work at scale. For this to take root, though, school leaders will need to demand better cybersecurity policies and practices from their vendors and suppliers.

Rick: What one or two things can policymakers do to help?

Doug: We need to enact disclosure requirements for school cyber incidents so there is a better research base about how and how frequently schools are being compromised and so potential victims can protect themselves in a timely manner from harms like identity theft and fraud. School districts and their vendors also need to be held to higher standards of cybersecurity risk management.

Rick: What else can we do?

Doug: The sector would benefit from more organizations that can provide schools with trusted, vendor-neutral advice on how to shore up their defenses. Moreover, unless we are willing to take something else off schools’ plates, districts would benefit from funding dedicated to helping schools develop and implement robust cybersecurity risk-management programs. Ultimately, everybody has a role to play. Use a password manager. Use multi-factor authentication. Keep your devices’ software up-to-date, and for Pete’s sake don’t click that dodgy link.

This interview has been edited and condensed for clarity.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.

Events

Teaching Profession K-12 Essentials Forum New Insights Into the Teaching Profession
Join this free virtual event to get exclusive insights from Education Week's State of Teaching project.
Jobs Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and K-12 education jubs at the EdWeek Top School Jobs virtual career fair.
Mathematics K-12 Essentials Forum Helping Students Succeed in Math

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security PowerSchool Paid a Hacker's Ransom. Now Cyber Criminals Are Threatening Schools
More extortion attempts are possible, and districts affected by the data breach should be prepared.
The New York Stock Exchange is decorated on July 28, 2021 for the first day of public trading of the cloud-based educational software maker, PowerSchool.
The New York Stock Exchange is decorated on July 28, 2021, on the first day of public trading of the cloud-based educational software maker, PowerSchool.
Richard B. Levine/Alamy
Privacy & Security 4 Things to Know About School Cybersecurity and Trump Funding Cuts
Schools stand to lose significant cybersecurity support as the Trump administration and DOGE slash and rearrange the federal government.
uturistic digital technological background with hexagonal elements, yellow glowing warning signs and binary code. Encryption your data. Big data security. Safe your data. Cyber internet security and privacy concept.
iStock/Getty
Privacy & Security Could Trump Budget Cuts Lead to More Cyberattacks Against Schools?
Schools stand to lose vital cybersecurity support as the Education Department is forced to suspend a cybersecurity initiative.
Illustration of setting computer security settings. Vector illustration of computer privacy management.
iStock/Getty
Privacy & Security Schools Face an Uphill Battle in Protecting Student Data in the Age of AI
A report from the Consortium for School Networking examines the state of districts' student data privacy practices.
3 min read
Blue Illustration of an open laptop displaying a badge and lock icon.
iStock/Getty