Thanks to my invited participation in the National Governors Association regional summit, Meet the Threat: States Confront the Cyber Challenge, I thought I’d take the opportunity to briefly share my perspective on the high-level cybersecurity challenges facing K-12 schools, why it is an important issue (for schools and government), and what should be done about it. In so doing, I will endeavor to distinguish information technology security concerns from privacy issues, as well as from the broader security threats that may exist to students, school staff, and facilities.
In general, there is a range of potential cybersecurity threats facing K-12 schools specifically, driven by motivations to:
- disrupt school operations;
- harm or otherwise take advantage of individuals associated with schools; and
- disable, compromise, and/or re-direct school technology assets.
Information technology vulnerabilities can be exploited by actors wholly external to schools (the prototypical online ‘hacker’), as well as by those internal to/associated with specific schools (including by school staff, students, families, and local community members).
A few (non-exhaustive) examples of each class of threat may be instructive:
Attacks to Disrupt School Operations
While disruptions to school operations can take many forms, in their most extreme form they can involve the complete lockdown of a school’s information technology assets, sometimes by external actors motivated by financial gain. Indeed, news reports document that school districts across the country – including Spring Lake Park Schools (MN), Bigfork Public Schools (MT), Horry County Schools (SC), Rhinebeck Central School District (NY), and Swedesboro-Woolwich School District (NJ) – have been victimized by ransomware attacks. Another common vector of disruptions to school operations – sometimes motivated by those more closely associated with schools – can be found in denial-of-service attacks on school districts or their vendors. Again, news reports of school districts and school vendors victimized by these attacks are not difficult to find and include: West Ada School District (ID), multiple school districts near Murrysville (PA), and schools across the state of Virginia, among many others.
One final example of disruptions to school operations via exploiting information technology vulnerabilities involves the ‘defacement’ of school websites, such as happened, e.g., in Oklahoma City and Wilmington (MA) Public Schools. While these disruptions have real-world implications for schools, they do not necessarily involve a breach or unauthorized disclosure of school data or records. Nonetheless, to the degree K-12 schools rely on the internet and online tools and services for their daily operations, disruptions of school operations must be assessed as a threat.
Attacks on Individuals in Schools
These attacks are perpetrated via vulnerabilities in school information technology systems (whether hosted locally or ‘in the cloud’ by vendors) and via lax security practices and (increasingly) social engineering of school staff, vendors, and students. Designed to harm, embarrass, and otherwise take advantage of individuals, this type of cybersecurity exploit results in the unauthorized disclosure of data about students, families, and school staff and represents a core threat to the trust that public schools are granted by their local communities. While legal experts debate the standards for legal liability for the harm caused by data breaches and what constitutes ‘personal’ data worthy of special protections, there are clear examples of significant issues of this type. For instance, as I’ve extensively documented, dozens of school districts have been victimized in 2017 alone by email scammers seeking W-2 tax forms via phishing attacks. Identity theft of children and youth – brought on by school data breaches and hacks – can be even more devastating. There are also examples of school IT security breaches that result in cyberbullying and other predatory behavior (beyond identity theft). While some suggest that schools would do well to shift IT management of sensitive information to third-party vendors with more expertise, this is not a panacea. School vendors have their own mixed track record of security (and encryption) issues and many agreements between schools and IT vendors do not offer sufficient protections (when such formal agreements exist at all).
Attacks that Disable and Compromise School Technology Assets
I would argue that the potential to disable, compromise, and/or re-direct insufficiently secured school technology assets is the final major category of school cybersecurity threats. Consider these three facts: (1) school districts are increasingly investing in computing devices for students, teachers, and school operations (it is not uncommon for medium/large school districts to be supporting thousands of end user and IoT computing devices, such as security systems, VoIP telephony, and HVAC controls); (2) schools are increasingly connected to the internet via high-speed connections; and (3) schools systematically underinvest in IT leadership, management and support. Not great. Certainly, stories abound of school IT staff who find themselves overwhelmed in trying to contain malware and viruses within their districts – such as Lake Washington School District (WA), Santa Rosa ISD (TX), Cloquet Public Schools (MN) – costing thousands of dollars to repair, hundreds of hours of staff time, and causing significant disruptions to teaching and learning.
Equally (or perhaps even more) concerning is the fact that weak security on school computers may make schools ripe targets for hackers seeking to obfuscate their identity and the origin of their attacks. Consider the case of Colton Joint Unified School District (CA), which was infected by a botnet designed to install adware software onto computers, generating installation commissions from unsuspecting adware companies.
Should Schools Be Considered Critical Infrastructure for Cybersecurity Threats?
There are 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Education is not one of them, but maybe it should be. School districts are the only institution that serves the nation’s roughly 50 million children and youth on a daily basis, providing educational opportunities, nutrition and health services, and offering custodial care that allows parents to pursue employment. School districts also are among many communities’ largest employers, involving the management of facilities, and the provision of transportation and food services. And, increasingly, school districts are investing millions of dollars in IT systems and services that demonstrably face regular and significant cyber threats. When school districts are victimized, it is our tax dollars that are spent in responding; it is our children and our children’s teachers whose identities are stolen; it is taxpayer-funded IT equipment – in many cases funded via special levies and one-time funds – being repurposed to nefarious ends. As schools are increasingly relying on technology tools and services for their core operations, it is past time for government at all levels to devote more concerted attention and resources to these needs.
A Framework for Addressing K-12 Cybersecurity Threats
There is no shortage of advice for school CTOs and system administrators – much of it from technology companies – on how to better secure school IT systems via software and hardware products. Some of the advice and products are surely helpful; other advice and products may be digital snake oil. Nonetheless, the cybersecurity issues facing schools are not merely (or even wholly) technical failings, but symptoms of larger policy issues that we have yet to confront. Until state governments, the federal government, and the technology industry do so, the cyber threats facing our schools will continue to grow largely unabated.
In my view, any meaningful framework for addressing this emerging policy issue at the intersection of technology and education will include strategies to:
- Set minimum standards for security practices for schools and school vendors;
- Hold schools and vendors publicly accountable to taxpayers and school communities for lax security practices and data breaches (e.g., via mandatory data breach notification and regular audits of security practices, including via automated tools);
- Assign legal liability to all parties at fault for not meeting security standards and/or for negligent actions leading to a successful cyber attack (including via more robust contract terms between schools and vendors – as well as via a robust, regulated cyber security insurance market);
- Build the capacity of school IT staff to manage technology assets, including via adequate staffing and regular trainings;
- Educate all administrators, teachers, and students on basic IT privacy and security practices, including ensuring all students have the opportunity to learn how to code (and pursue advanced STEM and computer science topics);
- Explicitly support open source software development for educational technology products, services, and tools; and,
- Ensure that a mechanism is established to provide centralized information sharing and guidance to schools on cyber security issues, including via conducting periodic studies to assess the prevalence and trends of cyber security attacks targeting schools over time.
In sum, if we can’t generate the political will to address the school IT security issue head on, states and the federal government have no business pursuing school reform and improvement strategies dependent on technology.