GAO to Federal Authorities: More Coordination Needed to Strengthen K-12 Cybersecurity

This audio is generated automatically. Please let us know if you have any comments.

Diving Brief:

  • Ransomware attacks affected over 2.6 million students between 2018 and 2021, according to an analysis released Monday by the US Government Accountability Office. The number of affected students peaked at nearly 1.2 million in 2020 and fell to 647,000 students in 2021, according to the GAO report.
  • In addition to offering cybersecurity-related products and services to schools, according to the report, the U.S. Department of Education and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency “have little or no interaction with other agencies and the K-12 community” on cybersecurity in schools.
  • To improve coordination among federal agencies on K-12 cybersecurity, GAO recommends that U.S. Secretary of Education Miguel Cardona establish a coordinated cybersecurity council between federal leaders and schools and , alongside stakeholders, “to examine the opportunities identified to combat cyber threats, if any”. Additionally, the Education Department should create measures to gather feedback and evaluate the effectiveness of cybersecurity products available to schools, the report said.

Overview of the dive:

There are still no formal channels between federal agencies and schools to address cybersecurity risks or incidents, the GAO said.

The lack of federal support and coordination with schools on cybersecurity is in part because the Department of Education has not created a board to foster ongoing communication between schools and federal agencies, according to the report.

Federal orientations in the National infrastructure protection planwhich establishes the responsibilities necessary to protect critical infrastructures, includes education sub-sector. In this plan, the Department of Education should manage this sub-sector, the GAO said. CISA and the Department of Education should also coordinate K-12 cybersecurity efforts with federal and non-federal partners, the agency said.

The GAO report comes shortly after approximately 500 gigabytes of data were stolen from the Los Angeles Unified School District in a major ransomware attack. This has led to the publication on the dark web of personal and possibly harmful information about students and staff of the second largest school system in the country.

From a neighborhood perspective, experts recommend that schools and their IT leaders review new district technologies and create their own security team.

Collaboration between education and IT leaders to teach students about cybersecurity should be another goal, experts suggest. In such an effort, a school district in Ohio – the local Lakota schools – is among those offering a cybersecurity program for high school students. This course, started four years ago, also equips students with skills to improve online safety, and it can include cybersecurity certifications that can also help them find jobs in the field.

Cyberattacks on schools can have both academic and financial consequences, the GAO said, noting that recovery time ranged from two to nine months.

Learning loss after a cyberattack can range from 3 days to 3 weeks for a district, the agency said. Cyberattacks also create expenses as districts recover. Overall, the GAO said, the exact national impact of these cyberattacks on schools is still unknown.

Leave a Reply