Editor’s note: This story led off this week’s Future of Learning newsletter, which is delivered free to subscribers’ inboxes every other Wednesday with trends and top stories about education innovation.
In March, the Minneapolis Public Schools district was the target of a large ransomware attack that resulted in thousands of confidential documents — student mental health records, sexual assault incidents, suspensions and truancy reports, child abuse allegations, special education plans — dumped online.
Last year, a similar data breach of the Los Angeles school district led to thousands of students’ psychological records uploaded to the dark web. In 2020, Baltimore County Public Schools was hit with a cyberattack that disrupted the district’s remote learning programs, froze its operations and cost the school system nearly $10 million. On Sept. 1, Pennsylvania’s Chambersburg Area School District was the latest school district to be hit with a cyberattack.
Cyberattacks have become a growing threat to school districts across the country in recent years, with cybercrime gangs viewing school systems as soft targets because of their lack of cybersecurity infrastructure. While many school districts are starting to take steps to secure that infrastructure, there’s still a long way to go, according to experts.
“Students normally shouldn’t have to worry about their privacy and their safety when they’re going around the internet in a school-approved manner,” said Jake Chanenson, a Ph.D. student at the University of Chicago and one of the authors of a study released earlier this year on the privacy and security challenges facing K-12 education. But because schools don’t have enough staff with the expertise to properly vet safety risks associated with educational technology, he said, the increased use of that tech is putting students at risk.
School districts that have been hit say they are taking new safety precautions. After a phishing attack in 2019, the Atlanta Public Schools district hired a private firm to conduct security assessments of its networks to find blind spots and weaknesses, according to Olufemi “Femi” Aina, the district’s executive director of information technology. The district has also backed up sensitive school data offsite, invested in insurance that covers cybersecurity liability and added security procedures like multi-factor authentication on school devices, he said. In addition, the district is providing cybersecurity education to employees and students. School faculty and staff participate in mock phishing drills and are sent to cybersecurity training. Students are being taught to set up multifactor authentication and choose complicated passwords.
“If you can prevent your employees or make them more aware, so that they do not click on those harmful emails, or respond to those types of messages, it can be just as effective, if not more, than a lot of different systems that we have,” Aina said.
Days or weeks of missed school and lost instructional time for students can result when sensitive student or employee information, such as social security numbers, student health records and disability diagnoses, is compromised due to a ransomware attack or data breach, he said.
Related: ‘Don’t rush to spend on edtech’
The federal government is starting to step in. During a recent Department of Education cybersecurity summit cohosted by first lady Jill Biden, Department of Education Secretary Miguel Cardona and Secretary of Homeland Security Alejandro Mayorkas, the agency announced several new initiatives and released guidance for school districts on how to tackle cyber threats and what to do if they are hit by an attack.
The education department plans to develop a special council made up of federal, state, local, tribal and territorial governments to coordinate policy and communication between government and the education sector to strengthen school district’s cyber defenses, according to Kristina Ishmael, deputy director of the Office of Educational Technology. She called it a “first step” in the department’s strategy to protect schools and districts from cybersecurity threats and help them respond to attacks.
Meanwhile, Federal Communications Commission Chairwoman Jessica Rosenworcel has proposed a pilot cybersecurity program, which would run separately, but in tandem, with the FCC’s E-Rate program, which was created in the early 1990s as a way to provide affordable internet for schools and libraries. The three-year pilot would provide $200 million to schools and libraries eligible for the E-Rate program to use toward hiring cybersecurity experts and beefing up school network security.
Groups such as the Consortium of School Networking, or CoSN, a K-12 tech education advocacy group, have long been calling on the FCC to update the E-Rate program to include more cybersecurity protections, said CoSN’s CEO Keith Krueger. “We’ve been saying this is a five-alarm fire for the last two years,” he said.
“None of that really solves the problem that only about one in three school districts has a full-time equivalent person dedicated to cybersecurity.”Keith Krueger, CEO, Consortium of School Networking, or CoSN
Krueger said he doesn’t believe a three-year pilot is needed to determine the demand for this funding; a coalition of education organizations that includes his group is calling for the pilot to be limited to one year and for the FCC to make cybersecurity funding permanent at the pilot’s conclusion. He added that while the federal government’s announcement of resources for school districts is helpful, much more funding to support cybersecurity infrastructure is needed.
“None of that really solves the problem that only about one in three school districts has a full-time equivalent person dedicated to cybersecurity,” he said. While they wait for additional funding, he said school districts need to get creative in their methods for attracting the cybersecurity professionals their districts need, he said. Such approaches could include partnering with local community colleges, vocational or technical schools to provide internships for students in cybersecurity programs.
Marshini Chetty, associate professor at the University of Chicago and one of the lead researchers of the study on privacy and security risks to K-12 education, recommends that school districts develop a cybersecurity plan or checklist that outlines who to call in case of an attack and how to inform students and faculty. Her co-author on the study, PhD candidate Chanenson, said districts should dedicate a professional development day to cybersecurity and best practices for staff as part of back-to-school planning.
Atlanta’s Aina said school districts aren’t usually able to pay top dollar for cybersecurity professionals. Given the growing threats to school systems, Aina said district leaders need to give school technology leaders access to more funding so they can keep protections for the sensitive data in their schools up-to-date.
“Most people don’t remember cybersecurity until there’s an incident and then it becomes the buzzword,” he said. “But cybersecurity is all about being ready, being proactive and building those layers around your critical assets to keep you safe before the incident happens.”
This story about cyberattacks on schools was produced by The Hechinger Report, a nonprofit, independent news organization focused on inequality and innovation in education. Sign up for Hechinger’s newsletter