Senators Urge Better Cyber Protection For K-12 Schools

Sen. Maggie Hassan

Sen. Maggie Hassan Shawn Thew/AP

A recent Government Accountability Office report dove into how virtual classrooms are increasing vulnerability to ransomware and other cyber threats.

With the COVID-19 pandemic thoroughly relegating many schools to online learning, federal agencies are emphasizing the need to take extra precautions to prevent cyberattacks in the classroom.

A coalition of senators, spearheaded by Sen. Maggie Hassan, D-N.H,. issued a letter on Friday urging the Education and Homeland Security departments to take stronger action against cyberattacks on schools.

“K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware,” the senators wrote. “According to a database of publicly reported cybersecurity incidents at K-12 schools, 2019 saw almost three times more incidents than 2018  and 2020 saw a further 18 percent increase over 2019. These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland.”

Addressed to both Education Secretary Miguel Cardona and Homeland Secretary Alejandro Mayorkas, the letter called for stronger collaboration between Education and the Cybersecurity and Infrastructure Security Agency, suggesting the establishment of coordinating councils to support local and federal government cohesion.

Sens. Kyrsten Sinema, D-Ariz., Chris Van Hollen, D-Md., and Jacky Rosen, D-Nev., also signed the letter. 

The letter follows the publication of a mid-October report by the Government Accountability Office at Hassan’s request that recommended updated online privacy guidelines for remote learning. 

Focusing on Education’s cybersecurity prevention processes, the report also highlights two key recommendations in collaboration between Education and CISA: to develop a new cyberattack prevention plan, and determining specific needs among sub sectors within Education.

“Increased usage of IT by K-12 schools to conduct remote learning, in addition to the IT systems commonly used before the COVID-19 pandemic, have increased the potential for a cyberattack as threat actors view schools as opportunistic targets,” the report reads. “These threat actors may be motivated by the promise of monetary gain from malware attacks, by the desire to steal data, or simply to cause disruption of K-12 classes.”

In 2020 alone, at least 408 cyber incidents in K-12 schools were reported to law enforcement, representing an 18% increase year over year, according to data from GAO’s report. 

The report noted that the current guidance, the Education Facilities Plan, was issued back in 2010. Over the past 11 years, cybersecurity risks have evolved, prompting the report authors to recommend updates tailored to modern ransomware attacks. 

Education officials told the report authors that the plan has not been updated since 2010. GAO officials noted that as a result, K-12 schools are less likely to have the federal products and support to protect them.

Commenting on the report’s findings and recommendations, Education broadly concurred with the GAO, but expressed concerns over the implementation of new cybersecurity and ransomware protocols. 

Nick Marinos, director of GAO's Information Technology and Cybersecurity, told Nextgov that it’s time for federal agencies to be able to meet the needs of all sectors in defending them from cyberattacks.

“Given the increasing number of cyberattacks we've seen schools face across the country, it's clear that Department of Education needs to update its related sector plans and should carefully look at whether more guidance might be needed to better protect young students, parents and teachers from cyber threats,” he said.