Policy Explainer

The State of Cybersecurity in K-12 Education

Though the majority of us lament it, we all see that K-12 schools are chronically underfunded. Cleveland School District in the Mississippi Delta kicked off the new school year in August without air conditioning, a ceiling collapsed last fall in a Memphis-Shelby County School library, students in Baltimore public schools have to layer coats, scarves, and mittens to get through class in an unheated classroom in the middle of winter, and Oklahoma students make-do with unqualified teachers holding only emergency certifications in the midst of a teacher shortage. The effects of growing costs and shrinking budgets are easy to see with one glance toward the public education system in the United States.

An increasingly visible consequence of the lack of funding in schools is that the education sector is an easy and bountiful target for cyber attackers. A 2022 nationwide cybersecurity risk assessment review discovered that though “the K-12 sector is improving in its cybersecurity capabilities over time, the sector lags behind other sectors when comparing cybersecurity program maturity.” According to the report:

  • Schools spend on average of 8% of their IT budgets on cybersecurity with one in every five schools spending less than 1%
  • Cyberattacks against the education sector are increasing with 30% of schools having reported an incident
  • Nearly 40% of schools do not have an incident response plan in place
  • 81% of schools have not fully implemented multi-factor authentication and 29% have not deployed MFA on any of their systems
  • Almost 50% of K-12 schools’ IT teams are between 1-5 employees

Underfunded IT and cybersecurity teams have not been able to defend against the onslaught of cyberattackers. Some notable attacks from this academic year alone include the Los Angeles Unified School District ransomware attack that led to 500 gigabytes of student and employee data being leaked, the two Michigan county school district attacks in November that impacted students across Jackson and Hillsdale counties, the Des Moines Public School District ransomware attack, Nantucket Public School District ransomware attack, the Berkeley County Public School ransomware attack in West Virginia, and the attack of the Minneapolis Public School District.

Interestingly, even though schools typically do not pay ransom demands, ransomware gangs are increasingly targeting them. Rather than a monetary hit, the primary impact of these attacks is most frequently lost classroom time. In every example listed above (except LAUSD), schools were forced to close for an average of 2 days to get systems back online while classroom technology was often out of commission for weeks. Typically, networks breached once are likely to fall victim to another attack. This means that student classroom time will continue to decrease if the cybersecurity of school systems is not taken seriously as a threat to the education sector.

In addition to the risk to classroom time, schools hold sensitive data that hackers are keen to steal and sell on the black market. In an interview with EdWeek, K12 Security Information eXchange co-founder Doug Levin noted that “the identity information of minors is especially valuable to criminals interested in perpetrating credit and tax fraud.” In addition, school districts have the personal information, including medical information, of  thousands of students and faculty members which create data sets nefarious actors would gladly pay to get their hands on. This kind of data was stolen and has been used as leverage and a second stream of income in notable attacks on the Los Angeles Unified Public School District and Minneapolis Public School District.

This two-pronged monster of a problem is one that school districts must pay attention to and work towards solving immediately. However, regardless of the priority level of an issue, funding will be a hurdle every school and school district must overcome.

As a response to this, the federal State and Local Cybersecurity Grant Program was created last year. The program has $1 billion in funding to be distributed over four years. Funding will be distributed through each state’s State Administrative Agency (SAA) differently depending on the decision of the required planning committee. Some states, like Louisiana, plan to use the money to provide services to every relevant entity while others, like New York, hope to distribute sums of money to specific entities based on need. However, most states have yet to determine their distribution plan and are hoping to wait until they know the total amount to be awarded before deciding how to proceed. 

To help guide decision making on how to prioritize spending and otherwise provide support to the sector, CISA has a number of free resources available including a training companion course and school security self-assessment tool. Included in these is the “Protecting our Future” report and toolkit to highlight the most important steps schools should take to reduce their cybersecurity risk. 

Unfortunately, the majority of state overseers of the grant program and CISA toolkit say that the efforts are far too little. A number of them plan to go to their state legislatures to ask for additional funding for the programs set up through the grant program. One official lamented that with the funding their state expects to receive, they may be able to purchase a cybersecurity awareness mug, but nothing more.

As states mull over the best ways to spend the limited resources they see coming from the grant program, two paths seem to be emerging as good options for moving forward. For states with a strong percentage of cyber-conscious entities that have programs and solutions in place already, the best option is to award targeted funding for the least protected organizations. In states with significant variation in the maturity and funding available to their K-12 cyber programs, like New York, a cyber risk assessment and a program to target funding where it will reduce risk the most, may be most impactful. 

For states covering entities that do not have programs in place already, like Mississippi, keeping funding at the state level and providing baseline services to all organizations that qualify would be the better option. Deploying solutions like multi-factor authentication, asset management, and incident response preparedness would have the biggest impact. 

With this in mind, the first step toward any option is to conduct risk assessments across all qualifying state organizations. Through this, planning committees can make informed decisions about these programs and outline measurable goals that can be used for future grant applications or as empirical support for funding legislation. The Consortium Networks Metrics that Matter platform would be a great choice for conducting these assessments.

While the State and Local Cybersecurity Grant is an incomplete solution to a nearly boundless issue, it is a good first step towards recognizing the elephant-sized problem the education sector is facing. Bit-by-bit schools can move towards better cybersecurity postures to keep their students in the classroom and their data safe.