
Communications of the ACM

ACM News

Should Schools Rely on Government for Cyber Protection?

Elementary school students learning on computers.

To combat cyberattacks, school districts need to increase their awareness and preparedness, while governments and businesses need to support districts with training, testing, and tools to ensure rapid detection, appropriate response, and minimal damage.


Cyberattacks on U.S. K-12 schools and students are increasing, with unthinkable consequences. In the 2022-2023 school year, eight K-12 districts saw significant cyberattacks, according to a White House release.

In one example, Minneapolis Public Schools suffered a ransomware attack that dumped "raw, intimate, and graphic" student data online, according to AP News. The data dumps included details of student sexual assault cases, psychiatric hospitalizations, bullying reports, abusive parents, and suicide attempts.

According to TJ Sayers, director of intelligence and incident response at the Center for Internet Security (CIS), long-term repercussions of cyberattacks on schoolchildren and their data include increased vulnerability to cyber and physical predatory targeting, as well as potentially permanent exposure of sensitive personal information (such as records documenting their mental and physical health, disciplinary actions, grades, addresses, Social Security numbers, and dates of birth). CIS is a nonprofit with best practices for securing data and IT.

According to Safe Search Kids, a Google-enhanced search engine for kids, predators can target children for grooming, exploitation, and abuse via the dark web, an anonymous part of the Internet.

Kids suffer educationally from time lost to cyberattacks. Attacks on K-12 schools set learning back by months. According to a release from the U.S. Government Accountability Office (GAO), K-12 schools lost three days to three weeks of learning after a cyberattack, and took two to nine months to recover that learning. School districts lost $50,000 to $1 million per incident in hardware replacements and newly required cybersecurity measures.

The White House, U.S. Department of Education, the U.S. Cybersecurity & Infrastructure Security Agency (CISA), and the Federal Communications Commission (FCC) are taking measures to address K-12 cybersecurity, including training and coordination efforts. According to an FCC release, that agency wants to provide up to $200 million in funding over three years to harden cyber defenses and determine effective attack-prevention methods.

Education technology and cybersecurity companies are offering funding, free training, and free cybersecurity solutions to aid K-12 schools in defending themselves from cyberattacks. According to the White House release, Amazon Web Services, network provider Cloudflare, cloud-based educational software provider PowerSchool, Google, and global learning technology company D2L are offering to contribute funding and resources to the effort.

However, funding and resources alone are not enough.

In fact, said Mieng Lim, vice president of product management for Fortra, a cybersecurity and automation software company, "Up to $200 million in funding over three years hardly touches the cybersecurity needs in education." Lim said the solution for K-12 schools must address all three pillars of cybersecurity: people, processes, and technology. She said implementing and maintaining cybersecurity presents the most significant challenges.

K-12 organizations may lack the ability to fully implement and maintain tools and resources provided to them, even if they were free, according to Carlos P. Kizzee, senior vice president of stakeholder operations at the CIS Multi-State Information Sharing and Analysis Center (MS-ISAC). According to CISA, MS-ISAC is a CISA-supported collaboration with the Center for Internet Security, serving as the central cybersecurity resource for the nation's State, Local, Territorial, and Tribal (SLTT) governments.

An ongoing approach to maturing K-12 cybersecurity must include the efforts of K-12 administrators, IT, teachers, and students. "Cybersecurity is a process, not an event," said D. Greg Scott, a senior technical account manager at open source enterprise software company Red Hat. "The help will make a big difference if the people receiving the help use it right. But if it's just money and products flowing in, it will be a gigantic waste," said Scott.

The government, education technology vendors, and cybersecurity vendors must commit to long-term participation in K-12 cybersecurity. According to Kizzee, the DHS CISA secure-by-design pledge with K-12 education technology vendors focuses on security as a component of education technology design. K-12 organizations can use devices from vendors implementing built-in security, said Kizzee.

K-12 schools can engage each other regarding what cyberattacks they experience and how they deal with them. According to Sayers, K-12 schools can access free membership in MS-ISAC to do that.

"MS-ISAC offers a K-12 Working Group, a diverse group of educational agencies focused on understanding the issues, challenges, and concerns of school districts throughout the country with aims to improve overall K-12 cybersecurity posture," said Sayers.

"K-12s are the MS-ISAC's largest membership subsector, and no-cost membership grants them access to many services and support," said Sayers.

Free services from MS-ISAC include a security operations center (SOC) that operates 24x7x365, malicious domain blocking and reporting (MDBR), a cyber incident response team (CIRT), and cyber threat intelligence (CTI).

Security Operations Centers (SOCs) typically monitor networks for suspicious behavior, cyberattacks, and threats. SOCs issue cyber threat warnings and identify and mitigate network vulnerabilities. Malicious Domain Blocking and Reporting (MDBR) blocks known bad websites and malicious IP addresses that engage in phishing attacks, infect systems with malicious software, and encrypt data and devices with ransomware.

Cyber Incident Response Teams (CIRT) engage in incident response efforts, analyze malware, and conduct forensic investigations on computers and networks. Threat intelligence includes the Tactics, Techniques, and Procedures (TTPs) that cybercriminals use in their attacks, as well as the Indicators of Compromise (IoCs) that attackers leave behind when they compromise networks and systems. Taken together, TTPs and IoCs are like fingerprints from particular cybercriminals and attacks. Security analysts can use them to identify specific cyberattacks and threat actors.

K-12 schools can learn from savvy students who use a buddy system to stay together and be safe. "Alone, most K-12 schools are ill-equipped to confront the growing ransomware threat. We advise a 'whole of community' approach, specifically one focusing on information sharing and easy-to-implement cybersecurity practices," said Sayers.


David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

