A report by the Government Accountability Office (GAO) says cybersecurity offerings for schools are not always tailored to current threats.
According to data from the K-12 Security Information Exchange, schools publicly reported 62 ransomware incidents in 2019, compared to 11 ransomware incidents reported in 2018. Bearing in mind that remote learning increased exponentially in 2020 and 2021 as a result of the COVID-19 pandemic, the number of ransomware attacks is likely to be much higher now. In fact, GAO says that at least 408 cyber incidents – not isolated to ransomware attacks – at K-12 schools were publicly reported in 2020.
As well as accidental breaches and weak cybersecurity, a more sinister threat has emerged. The 2019 U.S. Intelligence Community Worldwide Threat Assessment and the 2020 Homeland Threat Assessment both state that foreign nations and criminal groups pose the greatest cyber attack threats to critical infrastructure. K-12 cybersecurity is also at risk from insiders, including students, staff, and vendors. K-12 Security Information Exchange data notes that 75 percent of all data breaches at K-12 schools in 2020 were carried out on schools’ vendors, and that these attacks further increased during the COVID-19 pandemic.
Federal guidance, such as the National Infrastructure Protection Plan (National Plan), specifies the roles and responsibilities of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Education’s Office of Safe and Secure Schools (OSSS), and the Federal Bureau of Investigation in assisting school districts to protect against cyber threats. These agencies have provided programs, services, and support to assist kindergarten through 12th grade (K-12) schools in defending against cyber threats. Examples of such support include incident response assistance, network monitoring tools, and guidance for parents and students on preparing for the cyber threats that students face online.
The Department of Education’s plan for addressing risks to schools was issued in 2010 and last updated in 2015. GAO says this needs an update to deal with changing cybersecurity risks. Officials from OSSS told GAO that they have no plans to update the sector-specific plan (SSP) because CISA has not directed them to do so. OSSS has also not determined whether sector-specific guidance is warranted.
During GAO’s review, officials from both CISA and OSSS acknowledged that the cybersecurity risks facing K-12 schools have changed since the last issuance of their SSP. Officials from CISA said that cyber incidents, like ransomware, are particularly challenging for K-12 schools because of the schools’ limited resources, lack of qualified IT and security personnel, and difficulties assessing and evaluating risks.
OSSS officials told GAO that while the Department of Education is not in a position to respond directly to cyber threats at the school level, they recognize more can be done in terms of planning for and coordinating the implementation of appropriate information security controls throughout the Education subsector. The officials stated that the department is considering capacity and staffing needs to expand their ability to address cybersecurity threats at K-12 schools.
The government watchdog has recommended that the Secretary of Education initiate a meeting with the Director of CISA to determine how to update the SSP for the Education subsector. GAO says the plan should assess and prioritize federal actions to assist K-12 schools in protecting themselves from cyberattacks.
Further, GAO recommended that the Secretary of Education make a determination, in consultation with the Director of CISA and based on current cybersecurity risks, on whether subsector-specific guidance is needed for the Education subsector.
The Department of Education concurred but stated that it has no legal authority to require general information security standards for K-12 schools and that CISA is the primary federal agency for addressing K-12 cybersecurity. The department also stated that, in the area of information security, its authority outside of privacy is generally limited to supporting the efforts of CISA.
GAO reminded the Department that guidance requires OSSS to update the SSP every three years and asserted that OSSS should take the lead to update the SSP in coordination with CISA.
In October, President Biden signed the K-12 Cybersecurity Act. The bipartisan act directs CISA to collaborate with teachers, school administrators, other federal agencies, and private sector organizations to conduct a study of the cybersecurity risks facing K-12 educational institutions.