School Cyber Attacks

Cybersecurity Experts Call for More Transparency and Immediate Resources for Schools

'A lack of guidance is not what's holding schools back; it's a lack of resources and a lack of oversight'

The nation’s public K–12 schools need help to address widespread cybersecurity vulnerabilities and a crippling shortage of resources for those needs, and state and federal legislators have begun to propose ways to meet those needs.

But there’s another element to K–12 cybersecurity that, so far, education leaders and lawmakers have been hesitant to bring into the spotlight: The potential dangers to staff and students when a cyber incident occurs and data is stolen or potentially stolen.

In several recent reports from national cybersecurity nonprofits and the private sector, IT professionals are calling for greater transparency and accountability from school districts in their cybersecurity efforts — including mandated public disclosure when student or staff data has been breached.

Transparency is Currently the Exception

In its annual State of K–12 Cybersecurity Year in Review report released last week, the national nonprofit dedicated to public schools’ cybersecurity K–12 Security Information Exchange said that ransomware — where a school’s student and/or staff data is stolen and a ransom is demanded — has become the most common type of publicly disclosed cyber incident at U.S. schools, but many districts impacted by cyber incidents are sharing little or no information to the community stakeholders affected by them.

K–12 schools are not required to publicly disclose cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, the report said. Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, K12SIX’s report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.

7 Questions for School Board Members

A K–12 school board is, by law, responsible for managing risks and overseeing operations of the district, noted K–12 Security Information Exchange National Director Doug Levin.

And while school board members don’t need to be technical experts, they do need to understand the cybersecurity landscape and thoroughly understand what their district’s plans are for managing cyber vulnerabilities, he said.

The following questions from Harvard Business Review’s “7 Pressing Cybersecurity Questions Boards Need to Ask” are not only great questions for K–12 board members to ask their technology leaders, Levin said, but board members should be able to answer these questions in order to fulfill their duties to the district and the taxpayers:

  1. What are our most important assets and how are we protecting them?
  2. What are the layers of protection we have put in place?
  3. How do we know if we’ve been breached? How do we detect a breach?
  4. What are our response plans in the event of an incident?
  5. What is the board’s role in the event of an incident?
  6. What are our business recovery plans in the event of a cyber incident?
  7. Is our cybersecurity investment enough?

Public K–12 schools, however, are not overseen by any regulations requiring disclosure of cyber incidents or data breaches. Higher education institutions are required to report data breaches of any size, under a 2018 U.S. Department of Education rule affecting any college or university that accepts federal student aid funds.

“If it were not for the public-interest reporting of security researchers and investigative reporters during 2021 — employing, e.g., freedom of information requests to compel districts to share incident details they sought to keep from the public eye — the number of publicly disclosed incidents catalogued by the K–12 Cyber Incident Map during the past year would have been even smaller,” K12SIX said.

The report illustrates the lack of transparency that’s become increasingly common in the public education system particularly when it comes to cyberattacks and exposure of student data. Last year alone, dozens of school districts declined to inform parents of cyber incidents and, in some cases, took “extraordinary measures” to conceal the reach and impact of data breaches and other incidents, the report noted.

“There’s no question schools should be disclosing these incidents to their communities,” K12SIX National Director Doug Levin told THE Journal this week. “Maybe they think they can avoid backlash from the community if they don’t disclose a cyber incident. But these schools are spending the community’s tax dollars. School board members and those with oversight of the school budget need all the information to do their jobs appropriately, and the community needs to know whether the district’s resources are being spent on the right things.”

Every public school impacted by a cyber incident should be disclosing basic information such as the fact an incident occurred; who was affected in a potential data breach; the amount of money recovery will cost the district; and recommended steps those affected should take to protect themselves, he said.

“Details about the attacker’s tools and techniques that were used, or what the phishing email looked like for example, those things don’t need to be out there publicly,” Levin said. “But those details can be shared anonymously with our K12SIX incident map, and it could really help other schools.” His organization’s K–12 Cyber Incident Map is considered the definitive source of information about publicly disclosed cyber incidents affecting U.S. public schools and education agencies.

Levin, as national director at K12SIX, is tasked with tracking all publicly disclosed cyberattacks at K–12 schools in the United States. He helps school district IT leaders across the country to improve their protections, and he advocates for more resources and stronger security standards alongside cybersecurity officials at the state and national level as well as with tech companies whose IT and security products are used in public school districts.

He told THE Journal that he has concluded from his many discussions with tech and IT professionals across the K–12 sector that “cyber incidents at K–12 schools are being kept secret all the time” — including incidents where student and staff data has been compromised.

“In our State of K–12 Cybersecurity report, we featured some investigative journalism where cyber attacks were not disclosed until the journalists began looking into them or published documentation of them; they wouldn’t disclose it at all unless they were called on it,” he said. “Then there’s another set of schools that didn’t even know they had a cyber incident or data breach: There are plenty of examples of security researchers finding student data on the dark web and when they reached out to the district, the district apparently had no idea that it had happened.”

Another recent report from education advocates at Project Tomorrow calling for “greater awareness and action on K–12 cybersecurity” is the National K–12 Education Cybersecurity Research Study, for which Project Tomorrow and cloud software provider iboss surveyed 600 K–12 administrators and IT leaders nationwide.

The survey showed that most school IT leaders do not feel they have adequate resources to protect their districts’ data or networks. The responses also showed that IT leaders at K–12 schools don’t think their district leaders are paying enough attention to cybersecurity.

Of the technology professionals responding to the survey, only 12% said their school board members are highly aware or informed on cybersecurity issues; a third of respondents said their school board members (35%) and principals (32%) had a “low awareness” of cybersecurity concerns and needs, according to the report.

The study also noted a lack of awareness among parents and other stakeholders about cybersecurity concerns and said “given the impact of a cyberattack on community trust, transparency regarding how the district is protecting their assets including student data is an important new consideration for district communications.”

Earlier this week, SETDA, a national association of U.S. ed tech and IT leaders, released its first Cybersecurity and Privacy Collaborative “landscape scan” calling on federal policymakers and state and local education leaders to work together to increase information sharing and to commit significant, sustained resources and training to improving cybersecurity across the nation’s K–12 schools.

Recent Examples of Schools Not Disclosing Data Breaches

K12SIX, in its 2021 State of Cybersecurity report, highlighted examples of investigative journalists finding evidence that school data breaches had led to the personal information of students being published on the dark web. The following examples come verbatim from the K12SIX report:

K–12 Data Breaches Are Already Impacting Millions

The stealing of student and staff data from schools — information such as birthdate, Social Security number, and home address — is a widespread problem that has been growing for years.

In fact, through last September, more than 3.8 million records have been reported stolen from U.S. K–12 schools since consumer tech advocacy website began tracking the public disclosure of data breaches in 2005. According to Comparitech, primary, secondary and post-secondary schools in the U.S. have disclosed 1,851 data breaches since 2005, with the total number of student and staff records stolen topping 28.5 million.

The analysis by NBC News of K–12 school data published on the dark web solely during 2021 found that the leaked school data includes all kinds of private information: “Some of the data is personal, like medical conditions or family financial statuses,” the report said. “Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.”

Levin said the danger of identity theft is far greater for a minor whose personal information was stolen than for an adult.

“You’d think that getting the identify information of an established adult is worth more to a criminal, but it’s not; minors’ identity information can be abused and their credit record can be hijacked and used for five to 10 years before anyone figures out their identify has been compromised,” he said. “An adult will figure it out usually within a month or two, certainly by the end of the year or at tax time.”

The risk to those whose personal data is stolen is not hypothetical, Levin noted. “We’ve seen false tax returns filed on behalf of educators where their identity was stolen through a data breach at their school, and we’ve seen credit fraud and identity theft perpetrated not only school employees but also students — in some cases as young as elementary students — resulting from school cyber incidents.”

For those reasons, it is imperative that K–12 schools disclose cyber incidents to their communities, Levin said. Parents have little recourse when their child’s identity information is breached, but they can set up credit monitoring to ensure their child’s financial future isn’t ruined before they turn 18.

Even if there is no data breach, public schools should disclose any cyber incident, because it is very likely to interrupt school operations and it almost certainly will impact the district budget for IT spending, he noted.

More Attention from Lawmakers, But Actual Help Hasn’t Materialized

The SEDTA report released Wednesday emphasizes the importance of state education agencies taking a bigger role in cybersecurity efforts and said the collaborative’s members are actively “working with states to further their thinking about the role of cybersecurity in the K–12 sector,” it stated. “States have a responsibility to establish cybersecurity as a priority, and ensure that schools and districts are good stewards of the student data entrusted to them.”

To be sure, cybersecurity has been getting a lot more attention at state capitols around the country in recent years.

According to the Consortium on School Networking, in 2021, 30 states enacted 51 new laws addressing cybersecurity in one way or another. There were at least 120 others proposed by legislators in 40 states directly or indirectly addressing cybersecurity in schools that did not pass, CoSN said.

“The most common new state cybersecurity laws focused on: mandatory cyber incident reporting (7 states); cyber governance changes (6 states); dedicated cybersecurity funding for state agencies (6 states); required state level cybersecurity planning or landscape assessments (5 states); and providing “Sunshine Law” exceptions to permit withholding of sensitive cybersecurity information from public scrutiny (3 states),” said CoSN’s 2021 State and Federal Cybersecurity Policy Trends: Insights for Education Technology Leaders & Policymakers report.

K–12 public schools are now required in seven states — Arkansas, Georgia, Indiana, New Hampshire, North Dakota, Texas, and West Virginia — to report any cyber incident to their designated state education or security agency. None of those new laws explicitly require districts to disclose cyberattacks to their stakeholders nor to the students or staff whose private information may have been compromised; in some states, such as Texas and Georgia, the records of school cyber incidents are considered exempt from Freedom of Information laws.

Rules governing whether public schools need to disclose cyber incidents and data breaches remain murky at the federal level, as well.

The government spending bill signed by President Joe Biden last Friday includes a new requirement for “critical infrastructure operators” to report a cyber incident or a ransomware payment, and it’ll be up to the Cybersecurity and Infrastructure Agency to decide — as it irons out the details and writes the new regulations over the next two years — who will collect those reports for each type of organization.

Even that may not impact K–12 schools, though, Levin said, because they are not explicitly designated as “critical infrastructure.”

“K–12 schools are kind of critical infrastructure and also kind of not — they’re in this weird gray zone,” he said. “The designation of ‘critical infrastructure’ is determined by Congress. State and local government agencies are considered critical, and public K–12 schools are considered a part of state/local government agencies. But they’re largely ignored in all these top-level discussions by policymakers.”

There have been other recent efforts in Congress to not only help K–12 schools address cyber vulnerabilities but also require them to disclose cyberattacks and share information to help each other avoid further costly breaches. None of those bills have made it out of committee.

The K–12 Cybersecurity Act of 2021 is also likely to fall short, Levin predicted. “They didn’t give CISA any money to do any actual work; the law charges CISA with writing a report and making recommendations, but CISA can’t propose any new regulations. They will issue guidance — probably guidance that already exists — and repackage it for schools.”

There is plenty of advice for school districts on how to protect their environments, Levin noted. “Advice, or a lack of guidance, is not what is holding schools back,” he said. “It’s a lack of resources and a lack of oversight. Schools are mostly viewed as the place where you train cybersecurity workers of the future. What we are trying to convey is schools are under assault right now from cybercriminals, and schools need support right now.”

Levin said he’s somewhat optimistic that the CISA report resulting from the K–12 Cybersecurity Act — which is expected any day now — will build momentum in Congress: “My hope is that the forthcoming report will result in some new legislation bringing more support and more resources to K–12 schools to help them defend themselves better.”