Schools are ‘strikingly collaborative’ amid cybersecurity threats, K-12 leader says
Witthaya Prasongsin via Getty Images
By
Chris Teale
While it may appear tricky to get schools to share information across state and jurisdictional lines, one observer says there are reasons to be optimistic amid multiplying threats.
When PowerSchool, a cloud software provider for school systems across the country, disclosed in December that hackers broke in and stole student and teacher data, it once again highlighted the cybersecurity risks that K-12 schools and their vendors face.
The data breach of the company’s Student Information System via its PowerSource customer support portal, prompted lawsuits from over 100 school districts, with some alleging they were contacted by threat actors looking to extort money from them.
The incident and its ongoing effects show how difficult it can be to keep school systems’ cybersecurity strong, even as parents think their defenses are stronger than they are in reality, according to research released late last year. And given how reliant schools now are on technology, the threats are everywhere and like those faced by large organizations and governments.
“Schools manage facilities, they have security systems and door locks and bell systems,” Doug Levin, co-founder and national director of the K12 Security Information eXchange, said during the Nextgov/FCW and Route Fifty Cyber Summit last week. “They serve food, so the food service and the point of sale is managed via technology. They have transportation systems that may rely on routing software and GPS. They're large employers, so they have HR systems, and then they're required by states and federal government to collect a lot of information and data on students and to share some of that, so they've got some extensive data sets as well.”
Amid those challenges, and the troubling statistic from the Center for Internet Security that 82% of schools suffered recent cyber breaches, Levin said cybersecurity remains a top investment priority for many education leaders. But adoption remains uneven, and is dependent on school superintendents, school board members and the community at large being “enlightened” on the issue, Levin said.
It can also appear challenging to get school districts to share threat information with each other, given how fragmented the education system is in the U.S., both nationally and even within states. But there is evidence of information-sharing taking on more importance, including through K12 SIX, an information sharing and analysis center that was established in 2020 .
“The education sector is strikingly collaborative,” Levin said. “I think it comes out of a culture of never feeling like they have enough, but also understanding inherently that they're not really competing with each other. School systems have their geographic catchments, we're not competing with each other for enrollment, and so we're often quite generous in sharing advice and best practices or threat intel, things that can help others shortcut their learning curve in providing defenses.”
One of the biggest issues schools face is ensuring everyone is well trained on cybersecurity. Levin identified four audiences for such training: students, staff, IT leaders and system leadership, like the superintendent and school board. Good cybersecurity practices are a good “life skill” for students to have, Levin said, while the professional development opportunities are crucial for staff at various levels. Having leaders understand the consequences of a hack could focus their minds, too, and help them see the benefit of robust training.
“The notion that a ransomware attack could close a school system for a number of days and cause millions of dollars’ worth of damage, and delay projects for weeks or months, is something that many school systems, unfortunately, have been surprised by,” Levin said. “The one thing about responding to a cyber incident is that if you don't have an incident response plan and you haven't been practicing that plan, your response is probably going to be much more tortured than if you had been.”
Staffing also remains a big issue for schools, as it is for governments at all levels, as they try to compete with the private sector. And while Levin acknowledged it is unlikely that educational institutions will ever be able to compete, they are trying their best to find a way forward. That includes hiring managed service providers that can “keep their eyes” on networks, especially during off-hours.
“It's pretty hard to imagine that we're going to be in a place to be able to hire a highly qualified [chief information security officer], say, at every school district around the U.S.,” he said. “But we are seeing creative approaches taken by regional agencies or even state agencies to provide more centralized support to school systems so that they don't need to have that expert on staff.”
There is also a role for states and the federal government to play, Levin said. Already, the Federal Communications Commission is exploring how it can help schools and libraries improve their cybersecurity with a three-year pilot program.
But much of the responsibility to help might fall to the states, which could cause problems in the long term.
“The external threat actors targeting school systems are coming from overseas,” Levin said. “The notion that school district IT folks and local communities across America are in a position to defend against foreign threat actors who are doing this professionally, I think, is a stretch.”