Schools have taken a big hit due to cyberattacks. In some cases, incidents involving educational institutions have resulted in truly terrible consequences.
Recent examples include data breaches in which a child's data was used to apply for an auto loan, and complete shutdowns of online education during the COVID-19 pandemic. The list continues to grow, especially with the rise of cyberattacks like ransomware.
And schools clearly need help with mitigating cyber risk.
According to the incident map by The K-12 Cybersecurity Resource Center, 1,180 cyber incidents have been reported since 2016. This does not include attacks on educational institutions that go uncited, which is common.
In an effort to curb the attacks on schools, the Biden Administration signed into law the K-12 Cybersecurity Act, which aims to provide assistance to education officials. According to a statement from the White House:
"This law highlights the significance of protecting the sensitive information maintained by schools across the country, and my Administration looks forward to providing important tools and guidance to help secure our school’s information systems."
Next steps for the K-12 Cybersecurity Act
Within 120 days, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) will complete a study of cybersecurity risks, one that:
- "analyzes how identified cybersecurity risks specifically impact K–12 educational institutions"
- "includes an evaluation of the challenges K–12 educational institutions face"
- "identifies cybersecurity challenges relating to remote learning"
- "evaluates the most accessible ways to communicate cybersecurity recommendations and tools"
From there, Congress will be briefed, and then 60 days after the study, CISA Director Jen Easterly will make cybersecurity recommendations for K-12 institutions.
No more than 120 days after the recommendations, an "online training toolkit" will be created to educate school officials and "provide strategies" to keep institutional data and networks safe.
While this initiative is helping give officials additional tools, it will not be an overnight fix.
Will the K-12 Cybersecurity Act make a difference?
By taking the first step and having the government recognize the issues, some professionals are saying this bill could strengthen security for schools.
"Not all educational institutions have a deep enough understanding of how to go about protecting themselves, and having official guidelines and laws such as this one will strengthen security as a priority in a standardized way across the country. The support of the presidential office to secure systems and data at schools is significant and will be extremely helpful in providing schools and administrators with the tools they need to properly protect their systems and data from cyberthreats," said Heather Paunet, SVP of Untangle.
However, with so many educational institutions across the nation, scaling a cybersecurity initiative is where challenges could arise, according to some experts.
"This is a marathon, not a sprint. It's a complicated issue, and I don't think there are a lot of easy solutions," said Doug Levin, National Director of the K-12 Security Information Exchange, to ZDNet.
Others say financial boundaries may stand in the way of the project being successful. John Bambenek, Principal Threat Hunter at Netenrich, said:
"Cybersecurity in any organization is an expensive proposition, either because tools cost money or professionals cost money. The fact is that many units of local government, and especially schools, simply don’t have money to spare.
"While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won't be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place. This law is a good first step, but it cannot, and must not, be the last step."
Advocates for mitigating the cybersecurity vulnerabilities of K-12 education are already jumping in to provide helpful guidance on improvements.
"I recently spoke with @douglevin of K-12 SIX and @CISAgov's Tom Millar to learn more about what #K12 leaders can do to improve school #cybersecurity measures. More guidance is on the way thanks to the K-12 Cybersecurity Act, but there are several steps districts can already take. https://t.co/FfrhVUhMoM" — Roger Riddell (@K12DiveRoger), October 12, 2021
Background on the K-12 Cybersecurity Act
This bill was passed with bipartisan support, noting that children are susceptible to having sensitive data exposed through grades and information on scholastic development, medical records, family records, and personally identifiable information (PII).
In an effort to address cyberattacks, the bill states it will assist by "providing K–12 educational institutions with resources to aid cybersecurity efforts, will help K–12 educational institutions prevent, detect, and respond to cyber events."
Educational institutions in top 10 most vulnerable to ransomware in 2021
In a SecureWorld Remote Sessions webcast, Alec Alvarado, Digital Shadows Threat Intelligence Manager, shared statistics on ransomware alone in the first half of 2021. While not as heavily targeted as the industrial sector, education still ranked seventh.
However, ransomware is not the only form of malware or cyberattack schools are experiencing.
What are your thoughts about the new K-12 Cybersecurity Act, and what are some of the first steps educational institutions can take to protect student data?
[RESOURCES] If you would like a full picture of ransomware's effects in 2021, listen to Alvarado's presentation, Ransomware in 2021: 3 Leak Sites, 2,600 Victims, available on-demand.