When hackers struck one-third of North Dakota’s schools with a vicious malware attack last February, it highlighted the growing cyber threat facing America’s public-education sector—even in a state that’s ahead of the cybersecurity curve.
“It moved quickly, and it didn’t care what it hit,” said Sean Wiese, North Dakota’s chief information security officer. “Just like any corporate environment, we have a constant barrage of attacks at our front door.”
For this special report on K-12 cybersecurity challenges, Education Week spoke with state and local technology officials across North Dakota. We also surveyed the nation’s school technology leaders, in partnership with the Consortium for School Networking. The aim was to better understand both the nature of the cyber threats schools face, and the steps they are taking in response.
The results paint a mostly worrisome picture.
In North Dakota alone, for example, the state network used by K-12 schools, state universities, and other public agencies experiences 5.7 million known cyberattacks every month, officials said.
Nationwide, though, recognition of such dangers is still mostly low.
There is some good news that ed-tech leaders are getting their heads out of the sand: More than half of K-12 CTOs now say phishing scams are a significant or very significant problem, up from 48 percent last year, according to the Education Week/CoSN survey.
But when it comes to ransomware attacks, data breaches, distributed denial-of-service attacks, and even the kind of malware that slammed North Dakota, 70 percent or more of the respondents don’t see a serious threat. In many cases, the percentage of school technology leaders perceiving such hazards as a serious problem has actually declined since 2017.
A similar dynamic is at work when it comes to taking preventative action. School districts do seem to have gone on a spending spree: 59 percent of school tech leaders now say they are purchasing cybersecurity-related products and services, compared with just 29 percent a year ago.
But there have been only slight upticks in the percentages of school technology leaders who say they’re taking basic steps to improve their districts’ cyber hygiene, like monitoring network traffic in real-time. Nearly half of K-12 technology leaders say their districts don’t have a formal password policy that is widely followed. One in four don’t have a password policy at all.
“Relying solely on ad hoc efforts to manage school cybersecurity risk is like playing football without a helmet,” said Doug Levin, the CEO of consulting group EdTech Strategies, which operates the K-12 Cybersecurity Resource Center. “The digital threats facing schools today are greater than they have ever been, and it is only a matter of time before a preventable incident blindsides a member of the school community.”
‘Our First Line of Defense’
In North Dakota, cybersecurity is increasingly top-of-mind.
“In the old days, you didn’t wake up thinking about security,” said Casey Mueller, the director of core technology for the 13,000-student Bismarck school system, who started with the district as an intern back in 2001, when he was still in high school. “Now, you do a check first thing every day to make sure things are functioning as expected.”
This Education Week examination of K-12 cybersecurity is the second of three special reports focused on the needs of K-12 district technology leaders, including chief technology officers. Each report in the series features exclusive results of a new, nationally representative survey of CTOs, conducted by the Consortium for School Networking, an organization representing K-12 district technology officials.
That kind of vigilance helped Bismarck schools ward off the February 2018 malware attack that swept through the state. Mueller said the district is lucky to have the capacity and resources to tend to many cybersecurity basics.
“We make sure we stay up to date on security patches, we train users, and we enforce a password scheme,” he said. “When you start looking at rural North Dakota, though, you often have a tech coordinator who is also the baseball and wrestling coach. They don’t have the skill set or know-how to stay on top of these things.”
That fundamental staffing challenge is evident across the country: Overall, just 25 percent of K-12 schools have a full-time staff member dedicated to ensuring network security, according to the CoSN survey data. In rural schools, that figure plummets to 8 percent.
While North Dakota is the least-densely populated state in the continental U.S., it does have some advantages.
The state department of information technology manages a statewide broadband network known as STAGEnet. Each day, more than a quarter-million users across 400 separate public entities—including the state’s 227 K-12 school districts—use the network. Much of the work of monitoring and filtering incoming traffic is handled at the state level, taking some of the burden off under-resourced schools.
There’s also a push underway to get the North Dakota legislature to adopt a “one state, one security” approach that would consolidate cybersecurity strategy in the state’s information technology department.
Levin of EdTech Strategies said there’s “a lot that makes sense” about such a statewide approach to cybersecurity, less-comprehensive versions of which can also be found in Kansas, Missouri, North Carolina, and Utah. But it’s not a cure-all.
In Bismarck, the state-level support has complemented local work, said Mueller’s boss, district technology director Tanna Kincaid.
One of the biggest benefits, she said, has been helping elevate the sense of urgency within the district, which has helped smooth her team’s efforts on issues like improving staff members’ password practices.
“When you first start, people are like, ‘Why do I have to have a 14-character password?’ ” Kincaid said. “But most of our users now understand that’s our first line of defense.”
A big part of the K-12 cybersecurity challenge is technical.
But education and training are also huge—both for teachers for the present, and when it comes to preparing students for the future.
That’s especially crucial in North Dakota, where schools are all on a statewide network shared by other public agencies, said Matthew G. Scherbenske, a deputy director in the office of academic support in the state department of public instruction.
“It’s very important that we get our students to understand what their role is,” Scherbenske said.
To help make that happen, the state has adopted a K-20W Cyber Education initiative. It includes embedding cybersecurity throughout new statewide computer science standards, improving cybersecurity training for in-service teachers, and focusing on cybersecurity-workforce development.
Misti Werle has been on the frontlines of that work. In her work coordinating the school libraries in the 13,000-student Bismarck district, she’s long made digital citizenship and online safety points of emphasis.
Recently, though, Werle has also been on the state committee writing the new cybersecurity-heavy state computer-science standards. The focus starts in kindergarten and runs through high school, with specific grade-level standards around such cybersecurity strategies as password management, as well as broader skills like coding.
“We know not all students are going to be cybersecurity specialists in the future. But all of them will be dealing with day-to-day things like accessing medical and banking records,” Werle said. “These are skills all students are going to need.”
Start With Basic Steps
The K-12 Cybersecurity Resource Center documented 122 publicly reported cyberattacks on schools in 2018. Well over half resulted in the sensitive data of students or staff being compromised. That’s probably the tip of the iceberg.
Levin said it’s critical that districts not wait to take basic steps.
“Just like we know that eating right and exercising can lead to a healthier life, there are basic cyber hygiene practices—such as deploying anti-malware and anti-phishing technology, ensuring IT systems are backed up, implementing multi-factor authentication, and offering user training—that can make a big difference,” he said.
Still, national survey data suggests that remains a heavy lift.
More than one-third of K-12 tech leaders say their district either doesn’t have a password policy, or has a policy that isn’t widely followed. And just 40 percent of districts that do have password policies include monitoring of log-in attempts to district accounts, a common security measure, according to the nationally representative CoSN/Education Week Research Center survey.
Just 14 percent of respondents require multi-factor authentication. Only 19 percent have a cybersecurity plan. There wasn’t any increase from 2017 to 2018 in the percentage of K-12 CTOs who are training teachers and students around good cybersecurity practices.
Bismarck, at least, is working on that last piece.
But even North Dakota’s largest school district says it’s not where it would like to be. Despite the emphasis on greater password security, the district still doesn’t have an official password policy, Kincaid and Mueller said. Nor is it yet requiring multi-factor authentication on district accounts.
‘Ramp Up Our Efforts’
And in school systems like the 1,000-student New Town, N.D., district, the barriers are even more profound.
Located on the Fort Berthold Indian Reservation in the oil fields of the state’s northwestern corner, the New Town district serves a transient population of mostly Native American students living in poverty. It’s a huge challenge to retain or recruit technology talent, said Kara Four Bear, who recently became principal of the local middle school. There are also plenty of more immediately pressing needs.
“When I came on last year, the school was very much in need of some good old-fashioned love,” she said. “It needed somebody to care about the curriculum, the students and the teachers, even the building.”
Four Bear said she’s worked hard to make technology part of her transformation efforts. New Town Middle is trying to build a 1-to-1 program. Most classrooms have document cameras and smart televisions. Four Bear has arranged for her staff to receive training from the National Initiative for Cybersecurity Education, housed in the federal government. For extracurriculars, her students now take part in afterschool STEM clubs and NASA competitions.
“There’s no more bringing in the rodeo clown,” she said.
But such efforts don’t leave much time or money to focus on network security. Being able to rely on the state information technology department has helped. But cybersecurity is just one in a long line of priorities to worry about—and it rarely makes it to the top of the list.
“It’s an area where we really need to ramp up our efforts,” Four Bear said. “We can’t just be building managers anymore.”