The US Department of Education and Department of Homeland Security (DHS) were urged this week to more aggressively strengthen cybersecurity protections at K-12 schools across the nation to keep up with a massive wave of attacks.
The call for action comes from US Senators Maggie Hassan (D-NH), Kyrsten Sinema (D-AZ), Jacky Rosen (D-NV), and Chris Van Hollen (D-MD).
It was prompted by a Government Accountability Office (GAO) report released on Friday, which found the Education Department’s current plan for addressing K-12 school threats, issued in 2010, to be significantly outdated and primarily focused on mitigating physical threats.
“K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware,” the four US Senators said.
“According to a database of publicly reported cybersecurity incidents at K-12 schools, 2019 saw almost three times more incidents than 2018 and 2020 saw a further 18 percent increase over 2019. These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland.”
For context, ransomware attacks have disrupted education at roughly 1,000 US universities, colleges, and schools since the start of 2021, according to Emsisoft threat analyst Brett Callow.
While this number is lower than in 2020 (when 1,681 education institutions were hit), it’s mostly because ransomware attacks have hit smaller school districts this year.
Recommendations and measures to bolster K-12 cybersecurity
GAO found that the two government agencies have provided K-12 schools with programs, services, and support (e.g., incident response assistance, network monitoring tools, and guidance for parents and students) designed to help defend themselves from these ongoing attacks.
However, it’s more than evident that K-12 education needs additional support, as shown by the growing number of successful cybersecurity breaches affecting K-12 schools.
To address this issue, GAO asked the Department of Education to schedule a meeting with the Cybersecurity and Infrastructure Security Agency (CISA) to decide how to update its sector-specific risk mitigation plan and determine if sector-specific guidance to address cyber threats is needed.
“We strongly agree with the GAO recommendations for the Department of Education, working with DHS’s Cybersecurity and Infrastructure Security Agency (CISA), to update the Education Facilities subsector-specific plan and determine if subsector-specific guidance is needed, and we are glad to see that the Department of Education concurred with the recommendation,” the Senators added.
“An updated subsector-specific plan will help the Department of Education and DHS effectively prioritize the risks, cyber and otherwise, to the Education Facilities subsector, while subsector-specific guidance would help K-12 schools better use existing cybersecurity frameworks and implement best practices.”
The two agencies were also urged to establish a coordination council for education facilities to encourage better coordination between federal, state, and local entities and the private sector groups that support K-12 schools.
According to the Senators, this would further strengthen their protection against cyberattacks, just as happened with the Election Infrastructure subsector.