Know your weaknesses. Assess your network. Prepare for what you can’t see. These are the repeated recommendations of one cybersecurity expert, but there’s only so much that can be done at the district level.
Additional federal coordination is necessary to improve K-12 cybersecurity, according to a brief released this week by the U.S. Government Accountability Office. There are no formal communication channels between schools and agencies for addressing such incidents, despite the fact that ransomware attacks have affected over 2.6 million students between 2018 and 2021, according to the report. Additionally, these agencies don’t measure or gather feedback on whether their services are adequate for preventing cyberattacks.
The pandemic forced many districts to rely on their technology services to maintain their methods of instruction via remote learning. However, that opened the door for cybercriminal organizations like Vice Society, the group responsible for compromising confidential student data from the second-largest school district in the country, Los Angeles Unified in California.
Given this amplification in cybersecurity risk, the report mentions, federal agencies must understand their roles in bolstering protection for America’s K-12 education institutions or risk losing vital resources and progress toward academic recovery.
The impact these attacks have on students’ learning is substantial. “Cyberattacks can cause monetary losses for targeted schools due to the downtime and resources needed to recover from incidents,” the brief reads. Such an interruption, according to officials from state and local entities highlighted in the report, can cause a loss of learning ranging from three days to three weeks with recovery taking up to nine months.
Federal guidance is the next step, specifically from the Department of Education, the report suggests.
“The Department of Education is the lead agency, or sector risk management agency, for the subsector,” it reads. “As such, Education and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are to coordinate K-12 cybersecurity efforts with federal and nonfederal partners. In addition, the FBI is to provide criminal investigative support.”
Cybersecurity-related guidance services are available to K-12 schools. For example, James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Board Relations and former chief information officer for the FBI, spoke of The K12 Security Information eXchange (K12 SIX) in a previous interview with District Administration.
“It is basically an information-sharing exchange for K-12 types of schools,” he said. “I’ve been involved throughout my FBI career in a number of different information-sharing and analysis centers, and it’s basically that industry getting together and sharing data about the tactics, techniques and procedures that they’re being attacked with.” Doing so, he said, allows law enforcement agencies that are also members of these groups to identify and respond to these incidents.
Additionally, CISA released a warning in September for schools to look out for an increase in cybersecurity incidents this school year in response to Vice Society’s growing presence.
In an effort to #StopRansomware, the #FBI and @CISAgov issued a joint #CybersecurityAdvisory about the Vice Society ransomware threat. It recommends steps organizations should take to reduce the likelihood of ransomware incidents. https://t.co/APJRyz2eTx
— FBI (@FBI) September 6, 2022
However, schools have essentially zero pathways for communication with prominent cybersecurity agencies. “Education and CISA offer cybersecurity-related products and services to K-12 schools, such as online safety guidance,” the brief reads. “However, they otherwise have little to no interaction with other agencies and the K-12 community regarding schools’ cybersecurity.”
Why is this the case? A government coordinating council, the brief suggests, must be established to facilitate proper communication and coordination.
“This, in turn, can enable federal agencies to better address the cybersecurity needs of K-12 schools,” it reads. “Regarding the products and services they do offer to schools, Education and CISA do not measure their effectiveness. Doing so would provide further input on the needs of the schools.”