The White House is rolling out a number of initiatives aimed at fortifying the security defenses of school districts across the country, which have been hit hard over the past few years by ransomware attacks.
As part of the White House’s new efforts, the Department of Education will create a council that will coordinate plans and policies for federal, state, local, tribal and territorial education leaders to improve their school security defenses. The hope here is to take a “key first step” in school districts’ ability to prepare for and respond to cyberattacks, according to the White House in a Monday press release. The Federal Communications Commission (FCC) has also committed to providing $200 million over the next three years to help strengthen security defenses in schools.
Doug Levin, national director with K12 Security Information eXchange (K12 SIX), a nonprofit that works with K-12 schools to protect them from emerging cybersecurity threats, said that for school districts, dealing with cyberattacks and ransomware “has been a big challenge.”
“It’s no surprise to anyone that schools are resource poor, and they’ve been particularly challenged to deal with this issue,” said Levin. “We absolutely welcome and are thrilled with the greater federal engagement in this issue, particularly from the U.S. Department of Education, which heretofore has not been particularly engaged in the issue. CISA is redoubling its work with the K-12 sector, and we’re looking at guidance and support from other agencies as well.”
The newly announced initiatives build on the Biden Administration’s K–12 Cybersecurity Act of 2021, which directed the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to work with teachers, school administrators and private sector firms to develop recommendations and an online toolkit that can help schools improve their security – from securing student data to security challenges with remote learning.
The aim here was to scope out resources needed to bolster the cybersecurity of school districts; however, these newer initiatives represents a more holistic government and private-sector effort. On the private sector side, several education technology providers – including AWS, Cloudflare, PowerSchool, Google and D2L – committed to providing free or low-cost cybersecurity resources to school districts. Additionally, CISA on Monday said it is committing to providing assessments, exercises and security training for 300 K-12 entities in the coming school year.
School districts are prime targets for ransomware actors: They are sitting on a treasure trove of personal student and school staff data, including sensitive medical information, records about law enforcement interactions, addresses or even social security numbers. At the same time, it is tough for school districts to implement even basic cybersecurity controls, due to budgetary setbacks and under-resourced IT teams.
According to the White House, in last year’s academic year at least eight K-12 school districts in the U.S. were impacted by significant cyberattacks, and four of those caused schools to cancel classes or close completely. The impact of these ransomware attacks is heavy, with a U.S. Government Accountability Office (GAO) report in 2022 finding that loss of learning following a cyberattack can range from three days to three weeks, and recovery time can be months.
“This is something we have been tracking for some time, and any way you look at the data about school cybersecurity incidents, they’re growing both more frequent and more significant, whether that’s in terms of amount of money that’s extorted or stolen from schools, whether it’s downtime of school IT systems, whether it’s the amount of data and sensitivity of that data that’s stolen from school systems, to even school closures and things like that,” said Levin.
