Cyberattacks against K–12 schools in the United States are increasing, as efforts to combat them are hampered by inadequate staffing and security procedures, as well as a lack of data collection and communication between federal agencies that oversee school security.
Phishing, ransomware, denial of service attacks, and video conference disruptions hit at least 45 U.S. school districts that operate 1,981 schools during 2022, according to Emsisoft, a maker of cybersecurity software.
The number of attacks rose sharply during COVID-19-related school shutdowns when the rapid switch to online learning technologies brought new vulnerabilities. While increasing only slightly from 2021, the number of attacks remains well above previous levels.
Schools a Prime Prey
Cyberattacks have been reported by schools in most states, according to the Cybersecurity and Infrastructure Security Agency (CISA). Although no central data collection system exists, CISA reported a dramatic increase in attacks during recent years using publicly available data.The lack of a central reporting mechanism is just one reason the exact number is hard to pin down, according to Dave Hinchman, acting director of information technology and cybersecurity at the Government Accounting Office (GAO).
“There seems to be a reluctance on the part of schools to voluntarily disclose these attacks, both for fear of self-identifying as the victim but also fear of being targeted again because they’ve demonstrated that they have a certain vulnerability,” Hinchman said on the Oct. 22, 2022, edition of the podcast GAO Watchdog Report.
Schools are often seen as easy targets because they’re less tech-savvy and either can’t afford to—or choose not to—prioritize computer security, he said.
There’s no single motive for cyberattacks on schools. Some hackers are after money, using so-called ransomware to lock administrators out of their own system until a payment is received. Others want to steal personal data or simply disrupt school operations.
In some cases, children or teens have launched cyberattacks on their own schools, often coinciding with a test day, according to Hinchman. For example, a 16-year-old Florida student was arrested in September 2022 for allegedly conducting several cyberattacks on Miami-Dade County Public Schools, where the teen was enrolled.
In the UK, a 2022 report by the National Crime Agency found that children as young as 9 had launched denial of service attacks on schools.
Some of the nation’s largest school districts have been targeted.
The Los Angeles Unified School District, which serves more than 500,000 students, was attacked by ransomware in September 2022. After the district refused to pay the ransom, the hackers released a large quantity of information from the district’s computers.
A cyberattack on a vendor serving Chicago Public Schools resulted in the disclosure of the personal information of 500,000 students and staff members in 2021.
A November 2020 phishing attack on Baltimore County Public Schools disrupted the school system’s website and remote learning programs for several days, costing taxpayers nearly $10 million in recovery costs and system upgrades, according to Maryland’s Government Accounting Office for Education.
Smaller districts have been hacked as well.
A 2021 attack on Indiana’s Duneland Schools, a district of about 5,000 students, focused on employee data that included birthdates, Social Security numbers, driver’s license numbers, and benefits information.
Action, Coordination Needed
Two problems make U.S. schools vulnerable to repeated attacks: lack of action by local administrators and lack of coordination among federal and local agencies.Given the fact that school districts usually operate on a tight budget, that requires a coordinated effort, according to the report.
“Leaders must take creative approaches to securing necessary resources, including leveraging available grant programs, working with technology providers to benefit from low-cost services and products that are secure by design and default, and urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.”
CISA, the U.S. Department of Education, and the FBI each play a role at the federal level in ensuring the security of the nation’s schools, but they don’t collaborate enough with each other or with school districts, according to the GAO.
“The biggest issue we found is that there needs to be better coordination between the federal level and the actual K–12 organizations,“ Hinchman said. ”There’s very little actual direct interaction between the agencies or with the K–12 community.”
One reason for that is the lack of any organizational structure to bring the various stakeholders together.
“Our report recommends that a collaborative mechanism, such as a coordination council, be created to achieve these goals,“ Hinchman said. ”We think that such a council would prove to be a really valuable tool for facilitating better communication and coordination among federal agencies and with the K–12 community.”