CyberGuide - Information Security and Cyber Risk Management

K-12 schools need more cyber help from officials: GAO

By Erin Ayers, Advisen

Federal education officials need to offer more resources to help K-12 schools protect themselves against cyberattacks, including working more closely with the Cyber Security Infrastructure Security Agency (CISA) and updating guidance and tools to reflect current threats, according to a recent report from the U.S. Government Accountability Office (GAO).

According to the GAO, the Department of Education has taken some steps to support schools in fending off cyberattacks. However, many resources are out of date – some of the guidelines developed by the DOE haven’t been updated since 2010.

“CISA can actually provide schools with assistance at their request to help them figure out the cause of an incident and to help them restore their systems,” said Nick Marinos, director of GAO’s Information Technology and Cybersecurity Team, during a podcast review of the report. “They also provide voluntary assessments of school systems. They can provide training exercises. On the law enforcement side, the FBI primarily conducts investigations when schools have been victims of cyberattack and they help the schools in attributing the attack, figuring out who did it, and they conduct analysis to determine other affected groups because a cyberattack may not only be limited to just one school system.”

Cyberattacks on schools have increased significantly, with 2020 marking a record-breaking year. Some of the attacks have been merely disruptive, others have resulted in multimillion-dollar losses and data breaches. Schools also face struggles procuring cyber insurance and recognize they must improve their security.

The threats haven’t stopped in 2021: in March, cybercriminals hit a Florida school district with a $40 million ransom and a Kentucky school district fell victim to funds transfer fraud, mistakenly paying $3.7 million to a bad actor who posed as a legitimate vendor. The list goes on: a recent Vice report using data from cybersecurity firm Emsisoft estimates that nearly 1,000 schools have dealt with ransomware events this year.

The GAO report marks renewed federal attention to cyber threats against schools. In October, President Joe Biden signed the K-12 Cybersecurity Act of 2021, requiring CISA to develop security recommendations and training guidelines for K-12 schools and to complete a study of the cyber risks facing schools by February 2022.

Additionally, a quartet of senators led by Sen. Maggie Hassan (D-N.H.) wrote to the Education Secretary Miguel Cardona and Homeland Security Secretary Alejandro Mayorkas to urge collaboration on the problem and supporting the GAO’s conclusions.

“The bottom line is that even though federal agencies do already provide a variety of products and services to help schools protect themselves against cyber threats, it’s time for them to ensure that these efforts meet current needs,” said the GAO’s Marinos. “It’s been 11 years since Education updated this plan, and a lot has obviously changed in how schools use technology and what are the types of cyber threats that they confront.”

Senior editor Erin Ayers can be reached at [email protected]