


Cyberattacks against K-12 schools in the United States are increasing, but efforts to combat them are hampered by inadequate staffing and security procedures as well as a lack of data collection and communication between federal agencies overseeing school security.
Phishing, ransomware, denial-of-service attacks, and video conference disruptions hit at least 45 U.S. school districts operating 1,981 schools during 2022, according to Emsisoft, a maker of cybersecurity software.
The number of attacks rose sharply during COVID-19-related school shutdowns, when the rapid switch to online learning technologies introduced new vulnerabilities. Though up only slightly from 2021, the number of attacks remains well above previous levels.
The rise in cyberattacks has left education officials scrambling to address the threat and, in some cases, mitigate the damage caused by breaches to their computer systems, ransom demands, and the cost of upgrading security procedures and computer equipment.
Cyberattacks have been reported by schools in most states, according to the Cybersecurity and Infrastructure Security Agency (CISA). Though no central data collection system exists, CISA, using publicly available data, reports a dramatic increase in attacks in recent years.
Dave Hinchman, acting director of Information Technology and Cybersecurity at the Government Accounting Office (GAO), believes the lack of a central reporting mechanism is just one reason the exact number is hard to pin down.
“There seems to be a reluctance on the part of schools to voluntarily disclose these attacks, both for fear of self-identifying as the victim, but also fear of being targeted again, because they’ve demonstrated that they have a certain vulnerability,” Hinchman said on the Oct. 22 edition of the podcast GAO Watchdog Report.
Schools are often seen as easy targets because they are less tech-savvy and either can’t afford to—or choose not to—prioritize computer security, Hinchman said.
There is no single motive for cyberattacks on schools. Some hackers are after money, using so-called ransomware to lock administrators out of their own system until a payment is received. Others want to steal personal data or simply disrupt school operations.
In some cases, children or teens have launched cyberattacks on their own schools, often coinciding with test day, according to Hinchman.
A 16-year-old Florida student was arrested in September 2022 for allegedly launching several cyberattacks on Miami-Dade County Public Schools, where the teen was enrolled.
In the UK, a 2022 report by the National Crime Agency found that children as young as 9 had launched denial of service attacks on schools.
Learning disruptions due to cyberattacks have ranged from three days to three weeks, and recovery took up to nine months, according to the GAO, which reported on the problem in November 2022.
Some of the nation’s largest school districts have been targeted.
The Los Angeles United School District, serving over 500,000 students, was attacked by ransomware in September 2022. After the district refused to pay the ransom, the hackers released a large quantity of information stolen from the district’s computers.
A cyberattack on a vendor serving Chicago Public Schools resulted in disclosure of the personal information of 500,000 students and staff members in 2021.
A November 2020 phishing attack on Baltimore County Public Schools disrupted the school system’s website and remote learning programs for several days, costing taxpayers nearly $10 million in recovery costs and system upgrades, according to Maryland’s Government Accounting Office for Education.
Smaller districts have been hacked as well.
A 2021 attack on Indiana’s Duneland Schools, a district of about 5,000 students, targeted employee data, including birthdates, Social Security numbers, driver’s license numbers, and benefits information.
Michigan’s South Redford School District was closed for two days in September after system administrators discovered a breach in the school’s computer system.
Two problems make U.S. schools vulnerable to ongoing attacks: lack of action by local administrators and lack of coordination among federal and local agencies.
“Cybersecurity risk management must be elevated as a top priority for administrators, superintendents, and other leaders at every K-12 institution,” CISA said in a January 2022 report.
Because school districts usually operate on a tight budget, that will require a coordinated effort, the report said.
“Leaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.”
CISA has published an Online Toolkit to help school administrators address the threat of cyberattack.
At the federal level, CISA, the U.S. Department of Education, and the FBI each play a role in ensuring the security of the nation’s schools, but they don’t collaborate enough with each other or with school districts, according to the GAO.
“The biggest issue we found is that there needs to be better coordination between the federal-level and the actual K-12 organizations. There’s very little actual direct interaction between the agencies or with the K-12 community,” Hinchman said.
One reason for that is the lack of any organizational structure to bring the various stakeholders together.
“Our report recommends that a collaborative mechanism, such as a coordination council, be created to achieve these goals. We think that such a council would prove to be a really valuable tool for facilitating better communication and coordination among federal agencies and with the K-12 community,” Hinchman said.