Why Cybersecurity Practices for K-12 Schools Should Worry Everyone

Digital threats have evolved considerably in the past 11 years, whereas US education is on the decline. This disparity creates a turbulent environment for school-going children, especially those from kindergarten to grade 12.

Between August 14 and September 12, 2021, 63% of all malware attacks focused on educational institutions. A total of 5.8 million malware attacks occurred in just that month. Last year wasn’t any better.

In 2020, 1681 educational institutions were the target of malware attacks in the US. These included schools, colleges, and universities. That year, malware attacks focused on 44% of all educational institutions worldwide.

During the pandemic, educational institutions were the biggest victims of cybercrime. Last year schools and colleges faced a loss of $2.73 million due to cyberattacks. This was $300,000 more than the next-biggest sector: distributors and transportation companies. These costs included lost clients, downtime losses, and repairs.

Internet cybersecurity firm Kaspersky conducted a study that found 55% of children have experienced at least one cyberattack against schools they were studying at. Additionally, 72% of the surveyed parents said they support having their child’s school pay the ransom in the case of a ransomware attack. Meanwhile, 28% of parents believed their kids’ school should never pay under any circumstance.

The data showed ransomware attacks jumped from 28% to 57%. In many cases, schools had to pay tens of millions of dollars to hackers just to keep the schools open and prevent student data from leaking.

What is the government doing to protect schools from ransomware attacks?

The US government has put in place measures for preventing ransomware attacks and for responding to one. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Education’s Office of Safe and Secure Schools, and the Federal Bureau of Investigation have all been assigned specific roles to help schools prepare for and protect against cyberattacks like ransomware and brute force attacks.

These different governing agencies have offered services, support, and programs to help kindergarten through 12th grade (K-12) schools defend themselves against various cyberattacks.

These included guides for parents and children to deal with online threats, network monitoring tools, and detailed explanations of the types of attacks that can occur. The agencies also discussed the potential vulnerabilities in communication systems.

Meanwhile, the Department of Education is directly responsible for any incident that targets educational institutions, cyberattacks or not. But the Department of Education’s official security guideline was published back in 2010 and has since gone out of date.

Why is the Department of Education so behind?

The Department of Education is responsible for developing and maintaining a sector-specific plan to address cybersecurity risks at K-12 schools. It is also responsible for calculating possible needs for sector-specific guidance. But since the Education Facilities plan was developed and issued in 2010, it has become redundant.

Why? Because ransomware attacks have become more complex and unpredictable over the years. There exists a disparity between how quickly hackers attack a system versus how quickly an organization can respond to it. And over the years this gap has widened dramatically.

Hackers have gotten quite proficient in their ability to identify and exploit vulnerabilities within the systems they are targeting, whereas the target organization is most likely unprepared for such threats. These organizations have developed a reactive approach instead of a preventive one. And by the time they react to a cyberattack, it is almost always too late.

Schools are underfunded

Also, the Department of Education is incredibly underfunded. According to a study released by The Century Foundation (TCF), the United States is underfunding K-12 public schools by nearly $150 billion annually.

This means that most US schools cannot afford to train their teachers on even the most basic IT skills. US schools generally have an inadequate IT infrastructure. They are using outdated or pirated copies of Windows. Such operating systems no longer receive any security updates, leaving the systems exposed to both external and internal threats.

Schools even rolled out Chromebooks to make up for the shortage of PCs in computer labs. But the schools did not know how children were utilizing their time on the devices. This exposed children to ransomware, third-party scams and malware attacks. Specific third-party monitoring apps for schools could have been useful here for monitoring school resources.

US Government is too old to handle technology matters

Another factor is that a majority of elected officials in the US government are old. According to an analysis from the Congressional Research Service, the average age of US senators in the current 116th Congress is 62.9 years. Meanwhile, the House of Representatives is not much different. It has an average age of 57.6 years.

So the people in power, the people who are running this country, who have the final say in how technology is used in this country, are the ones who are not familiar with even the basic concepts of tech.

Only a few years back, at a House Judiciary Committee hearing on Tuesday, Google CEO Sundar Pichai was asked a random question about Rep. Steve King’s iPhone. To which the CEO replied, “Congressman, iPhone is made by a different company.”

If the people in charge cannot differentiate between Google and Apple, how can they educate and prevent ransomware?

What can the Department of Education do to prevent ransomware attacks?

The US Government Accountability Office (GAO) noted that the DoE blamed other departments for its failures. It blamed the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). DoE remarked that the department had not told it to make any updates to the 2010 plan.

But GAO holds DoE accountable for not updating the guidelines, which could have prevented many of the ransomware attacks the schools faced.

GAO’s report has made it clear that government officials need to take extreme measures to prevent ransomware attacks on K-12 schools. GAO has called for a more organized effort among the various government agencies. It maintains that there is a greater need to share threat intelligence with K-12 schools, equipping them with better awareness of the latest ransomware threats.