The Cybersecurity and Infrastructure Security Agency on Tuesday published a much-anticipated review of cybersecurity readiness at K-12 school districts, laying out a path for improving the defense of a sector battered by scores of ransomware attacks, phishing schemes and vendor failures.
In recent years, cyber incidents have snagged up school systems ranging from small, rural districts to some of the country’s biggest, like the Los Angeles Unified School District, which is still dealing with the fallout of a ransomware attack from last fall.
The CISA report acknowledges that while many — if not most — of the roughly 15,000 school districts in the United States face significant staffing and resource challenges in protecting their IT systems, there are opportunities for improvement, particularly if organizational leaders take a more active interest.
“Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K–12 institution,” the report reads.
‘Too many responsibilities’
Among the steps CISA recommends are familiar refrains: implementing multi-factor authentication, updating operating systems and applications regularly and joining cooperative organizations like the Multi-State Information Sharing and Analysis Center or the K12 Security Information Exchange, also called K12 SIX.
But even these low-cost or free options can be a burden for many K-12 schools. A majority of districts CISA interviewed told the agency they did not employ any full-time cybersecurity staff, and many only had part-time general IT personnel. And even in districts that have information security officers, those employees often struggle to get school leaders’ attention, the report read.
“An overwhelming majority of stakeholders across the educator and administrator communities reported that they had too many responsibilities and not enough time or resources to fulfill them,” it read. “Most reported that the breadth of available cybersecurity information — news coverage, conference panels, webinars, and more — only made matters more complicated.”
K12 SIX, which tracks cybersecurity incidents affecting schools, counted more than 1,300 in 2021, the most recent year for which it has data. Doug Levin, the group’s executive director, told StateScoop the CISA report is right to place the burden on school administrators.
“It’s an endorsement that this is a topic that deserves more study, more attention,” he said. “It could be picked up by folks who are already working in the field and help them advocate for changes. Maybe those not in IT positions, but those who are involved in school leadership and aren’t doing what they need to do to support those best practices.”
‘An important step’
In publishing the 29-page report, CISA finally made good on a 2021 law that ordered it to study the K-12 sector’s cybersecurity.
“This report is an important step to helping K-12 schools across the country protect themselves against cyber-attacks that put the personal information of students and staff at risk,” Senate Homeland Security Chairman Gary Peters, D-Mich., the 2021 law’s lead sponsor, said an emailed statement.
In a press release, CISA Director Jen Easterly called the report an “initial step towards a stronger and more secure cyber future for our nation’s schools.” Easterly said at an event in Washington last October that K-12 is one of three sectors that will get a heightened focus from the agency in 2023.
But CISA is just one federal agency, and an unfamiliar one at that to most public schools, Levin said. He said the Department of Education, as the K-12 sector’s main point of contact with the federal government, needs to take a more active role in helping schools improve their cybersecurity.
“I would like to see Department of Education playing a much stronger role here since they are the primary federal agency that interfaces with school districts,” he said.
The department, though, has been cited by recent federal audits for being slow to update its cybersecurity guidance for K-12 organizations, a document that was last issued in 2010. Federal education technology officials said last March that a revision was in its “nascent stages.”
Levin said state boards of education and regional agencies also need to help spread the message.
“To drive this message there needs to be a strong partnership formed, hopefully with the U.S. Department of Education, hopefully with state departments of education,” he said.
In addition to its top recommendations about multi-factor authentication, patching software, backing up critical files and joining ISACs, CISA also issued a guide with steps school districts should take, including asking more of technology vendors, which are the source of 55% of the incidents K12 SIX has logged since 2016.
“The recommendations will not be controversial,” Levin said. “Hopefully this will help school leaders see cyber risk like other physical risk. The resource challenge is very real, there are thing schools can do to start, and I hope they do not wait.”