GAO Calls for Better Agency Coordination to Improve K-12 School Cybersecurity

The Government Accountability Office (GAO) says federal agencies should coordinate with each other better to protect schools against cyber threats.

U.S. schools rely on information technology for many operations and the COVID-19 pandemic forced schools across the nation to increase their reliance on IT to deliver educational instruction to students. This amplified the vulnerability of Kindergarten through grade 12 (K-12) schools to potentially serious cyber attacks. Such incidents, like ransomware attacks, could significantly affect everything from educational instruction to school operations.

K-12 schools have reported significant educational impact due to cybersecurity incidents. Officials from state and local entities have said that the loss of learning following a cyber attack ranged from three days to three weeks, and recovery time ranged from two to nine months. Comparitech conducted research on the impact of ransomware attacks at K-12 schools between 2018 and 2021 and found that millions of students were impacted, and school districts experienced both lengthy downtimes and substantial monetary losses.

In December 2021, a vendor for Chicago Public Schools was a victim of a ransomware attack in which more than 500,000 students’ and staff members’ personal information was disclosed. The data included students’ names, schools, dates of birth, genders, school identification numbers, state student identification numbers, and course information from previous school years.

Denial-of-service is another method often used to target schools. In February 2021, Winthrop Public Schools was a victim of a denial-of-service attack that disrupted learning and teaching on the district’s networks and web-based systems, including email, learning platforms and video conferencing services. And in September 2020, Miami-Dade County Public Schools was a victim of a series of denial-of-service attacks that also disrupted learning and teaching on the district’s networks and web-based systems.

GAO says the precise national magnitude of the impact of cyber incidents on K-12 schools is unknown, in part, due to limited reporting requirements. There are no federal requirements for school districts to report incidents to federal agencies and only two states under GAO’s review had established requirements to centrally report cyber-related incidents.

Three federal agencies assist schools in protecting against cyber threats. Under the National Infrastructure Protection Plan (National Plan), the Department of Education is the lead agency, or sector risk management agency, for the subsector. As such, Education and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) coordinate K-12 cybersecurity efforts with federal and non-federal partners. In addition, the Federal Bureau of Investigation (FBI) provides criminal investigative support.

But GAO has found that there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents. 

“Education and CISA offer cybersecurity-related products and services to K-12 schools, such as online safety guidance,” GAO’s October 24 report notes. “However, they otherwise have little to no interaction with other agencies and the K-12 community regarding schools’ cybersecurity.” The watchdog attributes this, in part, to Education not establishing a government coordinating council, as called for in the National Plan. “Such a council can facilitate ongoing communication and coordination among federal agencies and with the K-12 community,” the report continues. “This, in turn, can enable federal agencies to better address the cybersecurity needs of K-12 schools.” 

It is worth noting here that Federal Communications Commission officials said that, as of fall 2021, they were in discussions with CISA to create a portfolio of CISA cybersecurity resources that the FCC could direct school districts to use to address their cybersecurity risks. FCC officials indicated in July 2022 that they were initiating coordination with Education, the FBI and other independent and executive branch regulators.

During the course of GAO’s review, officials from selected entities that are knowledgeable about K-12 cybersecurity told the watchdog that K-12 school districts face a variety of challenges in protecting their schools from, and responding to, cyber threats. Those challenges include a lack of resources and staff, implementing cybersecurity controls and practices, and communicating cybersecurity risks to leadership at school districts. In addition, these officials identified various opportunities for the federal government that could possibly better assist K-12 school districts with regard to cybersecurity. Those opportunities include providing further funding, training, and resources, as well as more incident response support, and enhancing awareness of school cybersecurity issues and coordination with K-12 schools.

GAO determined that the agencies don’t measure or obtain feedback on whether their cybersecurity-related services are effective. Methods of assessment could include developing and implementing metrics and analyzing feedback from the subsector provided through a government coordinating council regarding the usefulness of federal support. 

GAO’s report notes that Education has no government coordinating council in place for schools to provide feedback. In addition, officials from Education’s Office of Safe and Supportive Schools said that they do not have methods to measure the effectiveness of the cybersecurity-related resources and support offered through their websites.

Education officials told GAO of a lack of authority to compel participation from the K-12 community, but GAO responded that “based on the views we obtained from selected school districts and organizations, it is clear that the K-12 community would more likely use the services and report on the services effectiveness if they were aware of them.”

Additionally, although CISA provides a variety of cybersecurity products and services that are available to K-12 school districts, GAO found it has no mechanisms in place to measure the effectiveness of those resources.

GAO is making three recommendations to Education and one to DHS to improve coordination of K-12 schools’ cybersecurity and to measure the effectiveness of products and services. Education concurred with one recommendation and partially concurred with two. DHS concurred with its recommendation and stated that CISA agrees metrics are necessary to measure the effectiveness of CISA’s K-12 cybersecurity-related products and services. In addition, CISA stated that it plans to develop the metrics in an effort to determine whether its products and services meet the needs of state and local-level school districts and reported an estimated completion date of October 31, 2023.

Last week, CISA announced that it will host an inaugural National Summit on K-12 School Safety and Security on November 1-3, 2022. The virtual event, which will kick off CISA’s Infrastructure Security Month efforts, will bring together school safety experts, practitioners, and leaders from across the country to engage in a nationwide dialogue on research, resources and recommendations to some of the most critical and complex threats facing K-12 schools. While not solely focused on cybersecurity, the event will feature three days of panel discussions, interviews, and keynote addresses from government, industry, and community leaders and experts with firsthand experience in school safety. Speakers and participants will share best practices, guidance, research, and resources on school safety topics such as violence prevention and physical security as well as cybersecurity and online safety.

Read the full report at GAO

Kylie Bielby
Kylie Bielby has more than 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. Before joining GTSC's Homeland Security Today staff, she was an editor and contributor for Jane's, and a columnist and managing editor for security and counter-terror publications.