Dive Brief:
- Amid increased cybersecurity threats to K-12, a Government Accountability Office report released Friday calls on the U.S. Department of Education to update its 2010 plan for addressing cyber risks to schools and consider whether more specific guidance is needed for K-12.
- The report explores whether the products and services federal agencies offer to assist schools' prevention and response efforts are tailored to current threats. The GAO calls for a decision on whether sector-specific guidance on current cyber risks is needed and on whether education should be identified as one of the nation's "critical infrastructure" subsectors.
- The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Department of Education's Office of Safe and Secure Schools, and the Federal Bureau of Investigation are among agencies offering programs, services and support to K-12, including incident response assistance, network monitoring tools and cybersafety guidance for parents and students.
Dive Insight:
Specifically, the GAO's two recommendations for the Department of Education are that the secretary of education meet with the director of CISA to develop updates to the sector-specific plan for education, with a focus on assessing and prioritizing the federal role in helping K-12 schools prevent and respond to cyberattacks.
2020 was a "record-breaking" year for cyberattacks against U.S. schools, due in part to the pandemic-driven transition to remote learning, according to the K-12 Cybersecurity Resource Center. Last year, there were 408 publicized incidents, an 18% increase over 2019.
The sector has experienced an estimated 1,180 cyber-related incidents since 2016.
In October, President Joe Biden signed the K-12 Cybersecurity Act into law, requiring CISA to study the K-12 sector's cybersecurity needs to develop tools and guidance for school districts. Other proposals, like the Enhancing K-12 Cybersecurity Act, have also sought new resources from CISA and called for additional funding for a K-12 Cybersecurity Technology Improvement Program.
"What we are really hoping for is a deeper analysis of some of the systemic and structural challenges facing schools in trying to defend against these risks," as opposed to more federal guidance, Doug Levin, national director of K-12 Security Information Exchange, told K-12 Dive in October.
K-12 schools have become a particularly popular target for ransomware attacks, in which malware locks the victim out of sensitive data and demands a ransom to restore access. In some instances, school districts have caved and paid these ransoms. The average amount demanded in ransomware attacks across industries is $570,000, according to GRC World Forums.
There are, however, a number of steps K-12 districts can take to avoid worst-case scenarios from cyber threats. For instance, organizations like the K-12 Security Information Exchange offer self-assessments to help schools identify and overcome vulnerabilities. Standards developed by the organization suggest, as a baseline:
- Protecting network traffic going in and out of school districts.
- Protecting end-user devices.
- Protecting the identities and personal information of students, teachers and community members.
- Patching regularly and maintaining offline backups.
Other suggestions experts have shared with K-12 Dive include using stronger, hard-to-guess passwords and adopting tools that require multi-factor authentication in sign-on processes.