Malicious actors have been turning their attention to the nation’s schools in a significant and unwelcome way. The State of K-12 Cybersecurity: 2020 Year in Review report found an 18 percent increase in publicly-disclosed incidents over 2019 – the equivalent of more than two incidents per school day in 2020. Education was the second-most targeted sector in the first half of 2021, according to the a midyear threat report.
The shift to remote learning last year is partly to blame for this rise in attacks, as teachers and students relied on technology to deliver lessons, complete homework, and interact with students. When attackers target schools, learning is often disrupted, sometimes for days, as critical systems are taken offline.
The problem is significant enough that President Joe Biden signed into law the K-12 Cybersecurity Act, strengthening federal efforts to examine the cyber risks facing these institutions. And just what are those risks – and what needs to happen next? Read on.
Cybercriminals love to target schools
School systems are notoriously budget-strapped and therefore not always able to invest in cybersecurity, which makes them a prime target for attackers. IT teams have struggled to simply ensure that students can connect to school remotely. And teachers have had to wrestle with unfamiliar technology to upload and download lesson plans and homework assignments, broadcast their classrooms, and provide one-on-one assistance for struggling students. There has been little time or money left over for adequate security measures.
Schools get hit with many kinds of attacks, including denial of service (DDoS) attacks; ransomware and classroom disruption tactics that expose students to hate speech; shocking images, sounds and videos; and even threats of violence. Incidents like these have resulted in class disruptions and cancellations–and even school closures in extreme circumstances. One of the most high-profile multi-day school closures involved the Miami-Dade County Public Schools in Florida, which suffered a multi-day DDoS attack that closed school for more than 350,000 students. The second involved Fairfax County Public Schools in Virginia, which had to close school for several days for over 189,000 students due to widespread virtual classroom invasions.
It’s not just the schools; board meetings also have suffered disruption and cancellation, email services to and from school community members have been compromised, and children as young as kindergarteners have been exposed to racist and sexist speech, threats of violence and inappropriate images. Moody’s Investors Service says attacks on schools have “increased exponentially” since it began tracking cyberattacks in 2018.
Why have cybercriminals set their sights on schools? Financial gain is the most common motive. Schools store a wealth of personally identifiable information (PII) that can be stolen and sold on the dark web. And schools tend to process a relatively high volume of financial transactions, like paying school fees, over poorly secured networks. Ransomware attackers target schools because they know schools cannot remain offline for long. In 2020 alone, ransomware attacks affected nearly 1,800 schools, impacting more than 1.3 million students.
Ransoms ranged from $10,000 to over $1 million. But experts estimate that these attacks cost education institutions $6.62 billion in downtime alone. Most schools will have also faced huge recovery costs in their efforts to restore computers, recover data, and shore up their systems to prevent future attacks.
Financial gain isn’t the only motive. Vandals target schools for the notoriety or the thrill of disrupting a social mainstay. Hacktivists target schools and school board meetings with extreme political agendas. And disgruntled students are often just looking for a way to exact revenge or disrupt school. What all these attacks have in common is that it’s easy to breach the cyber defenses of underfunded school network security.
Technology changes are likely permanent
Modern education relies on technology. Digital classrooms, remote tutoring, web sites that host assignments, digital online libraries, and online parent-teacher engagement are all possible thanks to technology. More students have devices, and more teachers are using the internet to teach and communicate with students than ever before. And allowing some percentage of students to remotely attend hybrid classrooms is likely to remain a permanent fixture of many schools, even after the pandemic is over.
The government has made significant investment to connect students and anchor institutions during the pandemic, and those technologies are unlikely to be abandoned once life returns to normal. Schools not only need to be sure that students remain connected but need to ensure that they are securely connected.
Time to update E-Rate funding
Funding has historically been an issue, ironically made worse by the outdated focus of the E-Rate Program, which is run by the Federal Communications Commission (FCC). This has made it difficult for schools to keep up with the technology–and accompanying security–demands of our digital society. The FCC has a unique opportunity here and a recognized demand across the country to provide schools the flexibility to use funds to stay ahead of the growing cyber threat.
It’s clear that the E-Rate Program intends to include cybersecurity because a “basic firewall” has been an allowable expense since the policy was written in the late 1990s. But cyberthreats have evolved since then, and the need for more robust cybersecurity has advanced well beyond the capabilities of a basic firewall. Today’s digital security needs to address the variety of threats schools and students face while protecting the variety of technologies now in place at most schools. This must include devices used by remote students, who need them to ensure equal access to digital classrooms and online resources.
It’s time for the FCC to evolve its funding parameters to include the modern, advanced cybersecurity tools that schools need to combat today’s rampant and sophisticated attacks. Schools have both a desire and an obligation to protect the digital presence of students and teachers, and they must not be hindered from doing so by a lack of funds. As the digital landscape shifts to include hybrid learning long-term, children and their data are worth protecting.
- 5 ways school districts can create successful community partnerships - November 21, 2024
- Trump picks Linda McMahon to lead, and possibly dismantle, Education Department - November 21, 2024
- 6 ways to create engaging elementary learning spaces - November 20, 2024