The Cybersecurity and Infrastructure Security Agency released a report on Tuesday outlining a variety of steps that K-12 schools and districts should take to enhance their cybersecurity practices, amid an increase in ransomware attacks and other digital threats targeting primary and secondary education institutions across the country.
The report offered three voluntary recommendations to help schools bolster their cyber defenses, including investing in the highest-impact security measures and building toward “a mature cybersecurity plan,” identifying and addressing resource constraints, and focusing on “collaboration and information sharing.”
CISA’s report highlighted individual steps that schools could take to achieve these recommendations, such as implementing multifactor authentication to secure online accounts and data, developing a cyber incident response plan and working to secure funding from the State and Local Cybersecurity Grant Program, and other similar programs, to enhance their cybersecurity practices.
“As K-12 institutions employ technology to make education more accessible and effective, malicious cyber actors are hard at work trying to exploit vulnerabilities in these systems, threatening our nation’s ability to educate our children,” CISA Director Jen Easterly said in a statement. “Today’s report serves as an initial step towards a stronger and more secure cyber future for our nation’s schools, with a focus on simple, prioritized actions schools can take to measurably reduce cyber risk.”
At least 45 U.S. school districts experienced ransomware attacks in 2022, including a ransomware attack on the Los Angeles Unified School District last fall that resulted in hackers leaking 500GB of pilfered data. While CISA said that the total number of cyber incidents affecting K-12 schools “is impossible to reliably quantify due to a lack of consolidated data,” it added that “reported incidents between 2018–2021 have risen from 400 in 2018 to an accumulated total of over 1,300” in 2021.
The increase in cyber attacks targeting schools and districts has underscored the lack of available resources that school administrators and educators currently have to mitigate threats. CISA—which noted that it “hosted and facilitated a series of roundtable listening and feedback sessions with key stakeholder groups” to gather input for the report—said educators and school personnel expressed particular concerns to the agency about a lack of staffing and funding needed to adequately address cyber-related challenges.
Participants in the listening sessions highlighted the “extreme disparity in talent availability and funding” when it comes to managing cyber risks, as well as the fact that “most districts do not employ full-time cybersecurity personnel, and some smaller school districts may not even employ full-time IT staff.” In the instances where a school or district did employ a cybersecurity professional, stakeholders noted that these employees often “do not have up- to-date training or experience, in part due to limited resources for professional development.”
“We learned that what the sector needs most is resources, simplicity and prioritization,” CISA said. “Accordingly, this report strives to cut through the noise and offer clear steps that are prioritized to help K–12 organizations implement the most effective cybersecurity controls first.”
CISA’s report was mandated by the K-12 Cybersecurity Act, which required the agency “to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks.” The legislation—introduced by Sens. Gary Peters, D-Mich., and Rick Scott, R-Fla.—was signed into law by President Joe Biden in October 2021.
In a statement, Peters called the report “an important step to helping K-12 schools across the country protect themselves against cyberattacks that put the personal information of students and staff at risk.”
“K-12 schools are increasingly targeted by criminal hackers, and this new resource from CISA makes easy-to-understand guidance about cybersecurity risks readily available to the schools that need it most,” he added.
CISA also released an online toolkit that expands on the report’s recommendations to help K-12 schools and school districts manage and reduce cyber risks, including providing links to free cyber-related resources and trainings for education professionals.
CISA called the report “a starting point” and said it will continue “to partner with the K–12 education community, and work with technology providers to encourage provision of free or low-cost security tools and products that are secure by default and design.”