CISA: K-12 cybersecurity change falls on leaders, not just IT staff
Recognizing schools’ growing vulnerability to cyberthreats, the Cybersecurity and Infrastructure Security Agency released anticipated guidance Tuesday outlining recommendations on how districts can strengthen their cyberdefenses. The CISA report was mandated by Congress’ passage of the K-12 Cybersecurity Act of 2021, which requires the agency to report risks the K-12 sector faces in the cybersphere.
Among CISA’s key recommendations for school systems is taking meaningful steps in security investments, such as implementing multi-factor authentication and running a strong cybersecurity training program. District leaders should also work with peers and partners in the education space to raise awareness around the issue, the agency said.
K-12 leaders need to ensure cybersecurity is a bigger priority and use available grant programs to improve a district’s networks, CISA said. The agency’s report began with a message that these recommendations “must come from the top down” with leaders emphasizing a “cybersecure culture.” The burden to take on these changes cannot fall squarely on IT and cybersecurity staff alone, the guidance said.
Citing the nonprofit K12 Security Information Exchanges’ 2022 annual report, CISA noted that reported cyberattacks against school districts have increased from 400 in 2018 to an accumulated total of more than 1,300 incidents by 2021.
On top of that, K-12 leaders typically have small budgets to commit to taking on these security threats.
A November report by the Multi-State Information Sharing and Analysis Center found the average school spends about 8% of its IT budget on cybersecurity measures. As CISA collected feedback through listening sessions with K-12 leaders, many stakeholders told the agency they were struggling with cybersecurity and IT staffing shortages.
On Monday, the Maryland Office of the Inspector General for Education released more details about a 2020 ransomware attack that cost Maryland’s Baltimore County Public Schools over $9.6 million. The accumulated costs are tied to recovery efforts from the cyberattack, upgrades to the district’s system, and a switch to a new platform.
The inspector general’s investigation said the incident originated from a phishing attack addressed to a school staff member. The email attachment could not be initially opened, and a district tech liaison found the email to be suspicious. However, when the tech liaison forwarded the message to a district IT contractor for help, the contractor accidentally opened the attachment with an unsecured Baltimore County schools email account. That action became the entry point for undetected malware into the district’s IT system, the investigation said.
Meanwhile, the Los Angeles Unified School District indicated to the California Department of Justice that last year’s major ransomware attack occurred earlier than initially reported — meaning the incident went undetected for a month.
In an October report, the U.S. Government Accountability Office highlighted the lack of coordination on school cybersecurity between the U.S. Department of Education and CISA with other agencies and the K-12 community.
According to CISA’s report, the new guidance is just one step the agency is taking toward improving school cybersecurity.
“Going forward, CISA will continue to partner with the K-12 education community, and work with technology providers to encourage provision of free or low-cost security tools and products that are secure by default and design,” the CISA report said.
Given the consistent amount of ransomware attacks impacting school districts nationwide, Doug Levin, national director of K12 Security Information Exchange, said in a statement that the CISA report was released “not a moment too soon.”
“This landmark federal report clearly and concisely communicates the cybersecurity challenge the U.S. K-12 education sector is facing and recommends common sense steps that stakeholders — including superintendents, school administrators, school board members, and state policymakers—can take to bring about needed change,” Levin said.