During a Dec. 1 panel discussion at CSBA’s 2022 Annual Education Conference and Trade Show in San Diego, which was moderated by CSBA CEO & Executive Director Vernon M. Billy, leaders of local educational agencies and state and federal cybersecurity experts covered how schools can protect themselves and offered resources.
Lessons from LAUSD
At the tail end of summer 2022, Los Angeles Unified School District made national news as the subject of a cyberattack that became evident over Labor Day weekend, with details continuing to emerge as investigations continue.
During the discussion, Superintendent Alberto M. Carvalho said that a “well-known entity” he did not wish to name was behind the attack and shared some lessons learned from the situation, along with security steps LEAs should be taking to prepare.
According to Carvalho, cybercriminals may pick a time when they believe no one is paying attention (like a long holiday weekend) to act. For that reason, it’s important to ensure systems are monitored.
Utilizing multi-factor authentication for accounts within an LEA is “a very easy step that is protective in nature and robust in its effectiveness in terms of staving off attacks,” Carvalho said.
LEAs should ensure partners that have access to their systems are using proper security measures too.
“As school systems we contract and hire a lot of third-party entities and a lot of them plug into our systems. They access data for progress monitoring,” he said. “Make sure that as you’re contracting with these entities, their protocols are as strong or stronger than yours. You’re giving them access to your central nervous system. You don’t want them to be the gateway of entry to your systems.”
Having cybersecurity insurance and being familiar with local, state and federal law enforcement partners who “can rapidly deploy resources to your school system when you come under attack,” is also important.
Some LEAs may already be under attack and not know it, Carvalho and other panelists acknowledged.
Bad actors can infiltrate systems and be present for weeks or months before being detected. In that time, they will study a system and its users trying to find open doors to more information. They can attempt to collect valuable data like names, addresses and social security numbers. They may also freeze LEAs’ systems of operations.
The superintendent said LEAs should develop a business continuity plan for things like transportation, attendance and food services to ensure students are taken care of even if systems are down. Systems could be down by force or by an LEAs’ choice to stop an attack and allow investigators to reconstruct the event and find potential evidence.
LAUSD recognized unusual activity on a Saturday, Monday was a holiday and by Tuesday, as scheduled, students were in classrooms.
“We took attendance manually, we transported kids, we fed kids, it was business as usual with an exception for the fact that people could not get online,” Carvalho said.
Auditing systems and performing penetration tests to pinpoint vulnerabilities and then addressing them is also key, as is training employees and students on best practices around things as simple as regularly changing a password.
Carvalho advised attendees to be as transparent as possible with their community should an attack occur, reduce the number of systems an LEA has and only have one budget system, and consider delegating authority on matters of cybersecurity.
“You do not want to be in a position of rolling out Requests For Proposals in a public way with such a level of detail that you’re actually teaching the bad actors who you’re dealing with, what you’re buying, what you’re accessing, what you’re building — because they will reverse engineer everything,” the superintendent said.
Carvalho urged LEAs to look at their budgets and consider allocating 5 percent of it to IT and cybersecurity related initiatives such as monitoring systems . With so many competing interests at play when developing a budget, it can be hard for LEAs to find the money. In September, LAUSD sent a letter to the Federal Communications Commission requesting that the agency authorize the use of E-Rate funds to be spent on combating cybersecurity threats at public schools. The letter was signed by 1,100 LEAs and organizations from across the nation, including CSBA.
State and federal resources
There are state and federal cybersecurity resources available to LEAs.
The California Cyber Security Integration Center (Cal-CSIC), under the California Office of Emergency Services, provides daily bulletins and can scan systems for vulnerabilities, perform threat assessments for network health and provide possible solutions as well as assist should a district be attacked. Learn more about Cal-CISC.
The federal Cybersecurity and Infrastructure Security Agency (CISA) has information and resources for schools about cybersecurity and ransomware among other related topics, and can provide technical assistance such as conducting security vulnerability and cybersecurity assessments. On Jan. 24, CISA released report Protecting our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats. The agency also has cybersecurity advisors in the field. California is part of CISA’s ninth region.