Dive Brief:

• In the wake of Russia’s invasion of Ukraine, there is a good chance K-12 schools will face a higher risk of cyberattacks, though the sector will likely not be a direct target, said Amy McLaughlin, a subject matter expert at the Consortium for School Networking.
• Still, all sectors are on alert as the Cybersecurity and Infrastructure Security Agency said while there are “no specific or credible cyber threats to the U.S. homeland,” organizations of all sizes “must be prepared to respond to disruptive cyber activity.”
• Cybersecurity continues to be the No. 1 concern for K-12 ed tech leaders, with state and federal legislation to address the issue noticeably increasing in 2021 from the prior year, according to a recent CoSN cybersecurity policy trend report.

Dive Insight:

With K-12 cybersecurity experts already expecting cyberattacks to worsen in 2022, the crisis in Ukraine could further complicate matters.

McLaughlin doesn’t think schools will necessarily be a primary target but there is still a risk in becoming collateral damage. 

“Vulnerable targets can be easy targets,” McLaughlin said. 

Schools have become more susceptible to cyberattacks since districts had to pivot and rely more on remote learning and technology at the start of the pandemic, according to a December 2020 joint report by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center. 

McLaughlin said the heightened cybersecurity concerns tied to Russia could potentially add momentum to ongoing policy efforts to enhance K-12 cybersecurity.

Sara Spencer, CEO of SolonTek, a cybersecurity software provider, said she’s already noticed since the conflict erupted this week that threat actors from China, Iran and Russia are scanning the internet for apps that provide services to the public or allow access to public internal networks.

“They’re looking for low-hanging fruit, so they’re not necessarily saying, ‘Is this critical infrastructure? Is it education? Is it a small business,’” Spencer said. “They’re just looking for anybody that is exploitable.”

It’s key that schools use multi-factored authentication to access their local network, use a firewall, and encrypt their data using a Virtual Private Network, Spencer said. Teachers, students and parents are also facing stronger phishing attacks, so they need more training about how to detect those attempts, Spencer said. 

The education sector’s cybersecurity vulnerabilities were already exposed in 2020 when it was labeled a “record-breaking” year for K-12 cyberattacks, partially due to the pandemic-driven transition to remote learning, with 408 publicized incidents occurring that year, according to the K-12 Cybersecurity Resource Center. That represents an 18% increase since 2019. 

Overall, there have been 1,331 K-12 tracked cyber incidents since 2016. 

Legislators proposed at least 170 cybersecurity bills focusing directly or indirectly on K-12 across 40 states in 2021, compared to 87 state-level bills introduced in 2020, the CoSN report found. Of the 170 bills introduced, 51 became law across 30 different states, the report said. 

On top of that, at least 19 federal education-related bills on cybersecurity were introduced in 2021, compared to 10 bills in 2020.

The most impactful federal bills passed for K-12 cybersecurity were the K-12 Cybersecurity Act of 2021 and the Infrastructure Investment and Investment Jobs Act. The K-12 Cybersecurity Act mandated a federal report conducted by CISA on the issue. The Infrastructure and Investment and Jobs Act will provide $1 billion in federal grants to improve state and local government cybersecurity between 2022 and 2025.