Cyberattacks are now a daily threat for K-12 schools, but new provides 鈥渟imple, prioritized actions鈥 schools can take to protect against these threats.
Recommendations include investing in 鈥渋mpactful security measures,鈥 building toward a 鈥渕ature cybersecurity plan,鈥 taking advantage of different grant programs that reduce the cost of cybersecurity efforts, and working together to share information.
The report comes more than a year after the K-12 Cybersecurity Act of 2021 was signed into law. It established a K-12 cybersecurity initiative and required CISA to publish a report on the risks K-12 schools face, along with recommendations and to help schools reduce risks and maintain resilient cybersecurity programs.
It also comes as cyberattacks on schools have increased in recent years, with schools鈥 use of technology growing as cyber criminals become more sophisticated. Most recently, the was a victim of a cyberattack on Jan. 9, which led to the district鈥檚 servers being shut down and classes being canceled for two days.
Keith Krueger, the CEO of the nonprofit Consortium for School Networking, praised the report and its recommendations, calling it 鈥渁 powerful step forward.鈥 Krueger said he especially appreciates the report鈥檚 suggestion to leverage available grant programs, such as the Federal Communications Commission鈥檚 E-Rate program.
CISA, through listening sessions with K-12 leaders, found that there鈥檚 a shortage of cybersecurity professionals in K-12 institutions; there鈥檚 a need for clear, easily adoptable guidance; there鈥檚 a need for centralized governance to help with resource allocation; and there needs to be more effective oversight and accountability.
To address those challenges, CISA recommended these key steps:
- Implement effective security measures: This includes using multi-factor authentication, fixing known security flaws, developing an incident response plan, and implementing a training and awareness campaign. It also means using CISA鈥檚 cybersecurity performance goals and the National Institute of Standards and Technology鈥檚 cybersecurity framework.
- Address resource constraints: States and districts can do this by leveraging the State and Local Cybersecurity Grant Program, which requires states or districts to establish a cybersecurity planning committee to develop a cybersecurity plan. The report also suggested using the FCC鈥檚 E-rate program, which subsidizes telecom and broadband-related services for schools.
- Focus on collaboration: K-12 districts should join information-sharing forums, such as the Multi-State Information Sharing and Analysis Center and the K-12 Security Information Exchange. Districts should also build a relationship with their regional CISA adviser and local FBI field office.
Tony Dotts, the network systems administrator for Illinois鈥 Community High School District 99, said the recommendations seem feasible.
The steps to securing K-12 districts鈥 networks are 鈥渘ot always necessarily technical in nature,鈥 Dotts said. 鈥淭hings like implementing [multi-factor authentication], while they have a technical side to them, a lot of that really comes down to getting buy-in from your admin, from your superintendent, and others. Implementing change is probably the more complicated piece than the technical aspects.鈥
For example, if a district is already using Google as its email system, it can easily implement multi-factor authentication because it鈥檚 already something Google offers, Dotts said. 鈥淎 lot of it is really just getting buy-in for procedural changes,鈥 he added.
Doug Levin, the national director of the K12 Security Information Exchange, a nonprofit focused on helping schools prevent cyberattacks, said he has heard similar challenges from other district technology leaders.
鈥淲e hear time and time again of school district IT leaders who are trying to do the right thing for their school communities and implement some of these protections, but then get stymied by their leadership who has other priorities [and] is maybe not willing to let anyone be inconvenienced, even though that inconvenience could mean the difference between a ransomware incident or not,鈥 Levin said.
The CISA report will hopefully help other K-12 district leaders, as well as policymakers, understand 鈥渢he risks and risk mitigations that school districts really can and should be putting in place,鈥 he added.
While this is a landmark report, experts say there is still a long way to go to help the K-12 community.
Levin said he would have liked to see a 鈥渟tronger call for additional resources鈥 and funding, as well as 鈥渁 call for a stronger role for the U.S. Department of Education,鈥 which is supposed to be playing a role in helping school systems ward off cybersecurity threats, according to the Government Accountability Office.