The United States has experienced an increase in cyberattacks that have targeted the nation’s schools in recent years. In the 2022-23 academic year alone, at least eight K-12 school districts throughout the country were impacted by significant cyberattacks – four of which left schools having to cancel classes or close completely.
Not only have these attacks disrupted school operations, but they also have impacted students, their families, teachers, and administrators. Sensitive personal information – including, student grades, medical records, documented home issues, behavioral information, and financial information – of students and employees were stolen and publicly disclosed. Additionally, sensitive information about school security systems was leaked online as a result of these attacks.
Today, Secretary of Education Miguel Cardona and Secretary of Homeland Security Alejandro Mayorkas, joined First Lady Jill Biden, to convene school administrators, educators and private sector companies to discuss best practices and new resources available to strengthen schools’ cybersecurity, protect American families and schools, and prevent cyberattacks from disrupting U.S. classrooms.
According to a 2022 U.S. Government Accountability Office report, the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time can take anywhere from two to nine months. Further, the monetary losses to school districts following a cyber incident ranged from $50,000 to $1 million..
The Administration is taking additional action and committing resources to strengthen the cybersecurity of the nation’s K-12 school systems, including:
- Federal Communications Commission Chairwoman Jessica Rosenworcel is proposing establishing a pilot program under the Universal Service Fund to provide up to $200 million over three years to strengthen cyber defenses in K-12 schools and libraries in tandem with other federal agencies that have deep expertise in cybersecurity.
- The U.S. Department of Education will establish a Government Coordinating Council (GCC) that will coordinate activities, policy, and communications between, and amongst, federal, state, local, tribal, and territorial education leaders to strengthen the cyber defenses and resilience of K-12 schools. By facilitating formal, ongoing collaboration between all levels of government and the education sector, the GCC will be a key first step in the Department’s strategy to protect schools and districts from cybersecurity threats and for supporting districts in preparing for, responding to, and recovering from cybersecurity attacks.
- The U.S. Department of Education and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released K-12 Digital Infrastructure Brief: Defensible & Resilient, the second in a series of guidance documents to assist educational leaders in building and sustaining core digital infrastructure for learning. Additional briefs released by the U.S. Department of Education include Adequate and Future-Proof and Privacy-Enhancing, Interoperable and Useful.
- CISA is committing to providing tailored assessments, facilitating exercises, and delivering cybersecurity training for 300 new K-12 entities over the coming school year. CISA plans to conduct 12 K-12 cyber exercises this year, averaging one per month, and is currently soliciting exercise requests from government and critical infrastructure partners, including the K-12 community.
- The Federal Bureau of Investigation (FBI) and the National Guard Bureau are releasing updated resource guides to ensure state government and education officials know how to report cybersecurity incidents and can leverage the federal government’s cyber defense capabilities.
Additionally, several education technology providers are committing to providing free and low-cost resources to school districts, including:
- Amazon Web Services (AWS) is committing the following: $20 million for a K-12 cyber grant program available to all school districts and state departments of education; free security training offerings tailored to K-12 IT staff delivered through AWS Skill Builder; and no-cost cyber incident response assistance through its Customer Incident Response Team in the event a school district experiences a cyberattack. AWS will also provide free well-architected security reviews to U.S. education technology companies providing mission-critical applications to the K-12 community.
- Cloudflare, through its Project Cybersafe Schools, will offer a suite of free Zero Trust cybersecurity solutions to public school districts under 2,500 students, to give small school districts faster, safer Internet browsing and email security.
- PowerSchool, a provider of cloud-based K-12 software in the United States for 80% of school districts, will provide new free and subsidized “security as a service” courses, training, tools and resources to all U.S. schools and districts.
- Google released an updated “K-12 Cybersecurity Guidebook” for schools on the most effective and impactful steps education systems can take to ensure the security of their Google hardware and software applications.
- D2L, a learning platform company, is committing to: providing access to new cybersecurity courses in collaboration with trusted third-parties; extending its information security review for the core D2L integration partners; and pursuing additional third-party validation of D2L compliance with security standards.
These commitments are intended to help ensure the nation’s schools are in the best position to secure their networks to keep their students, educators, and employees safe.