More federal coordination needed on cybersecurity; State recommendations for LEAs

With K-12 schools becoming increasingly common targets of cyberattacks including phishing attempts, ransomware, distributed denial-of-service and video conferencing disruptions, the U.S. Government Accountability Office (GAO) published the report Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity in October. The impacts of cybersecurity incidents can be significant for local educational agencies, causing monetary losses, learning disruption and more.

Information technology (IT) is critical to conducting many school-based operations. Cyberattacks can leave LEAs unable to perform functions as basic as providing academic instruction or paying employees. Schools’ reliance on IT to deliver instruction and services to students increased during the COVID-19 pandemic, further amplifying their vulnerability.

The National Infrastructure Protection Plan, released in 2013, outlined agencies’ roles and responsibilities in protecting the nation’s critical infrastructure. For education, the U.S. Department of Education is the lead agency, and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) “coordinate[s] K-12 cybersecurity efforts with federal and nonfederal partners,” according to the report. The Federal Bureau of Investigation can provide support with criminal investigations.

Resources such as safety guidance documents are available to LEAs through the Education Department and CISA, but traditionally, they haven’t often interacted with other agencies or those in the K-12 community on the topic of cybersecurity, according to the report. In the National Infrastructure Protection Plan, the Education Department was tasked with establishing a government coordinating council, which has not happened. “Such a council can facilitate ongoing communication and coordination among federal agencies and with the K-12 community,” the report states. “This, in turn, can enable federal agencies to better address the cybersecurity needs of K-12 schools.”

The agencies also don’t measure or gather feedback on the effectiveness of their cybersecurity services.

Multiple federal agencies have a role to play in enhancing the protection of K-12 schools against cyberattacks.

The GAO reviewed cybersecurity in schools and made three recommendations to the Education Department, including:

  • Having the Secretary of Education, in partnership with the Cybersecurity and Infrastructure Security Agency and other stakeholders involved with updates to the Education Facilities Sector-Specific Plan, create a collaborative such as a “applicable government coordinating council” to better coordinate cybersecurity efforts.
  • Creating metrics related to obtaining feedback and measuring the effectiveness of the department’s K-12 cybersecurity resources available to LEAs.
  • Having the Secretary of Education and federal and nonfederal stakeholders determine how to help LEAs overcome challenges and consider opportunities to address cyber threats.

The GAO also made one recommendation to the DHS to have the Secretary of DHS ensure the director of CISA develops metrics to measure the effectiveness of K-12 cybersecurity resources “and determine the extent that CISA meets the needs of state and local-level school districts to combat cybersecurity threats.”

State recommendations

The California Department of Education recently updated its list of free and low-cost tips to create more secure IT environments.

The list details 20 recommendations for LEAs, including:

  • Requiring IT staff to use tiered accounts for system administration purposes
  • Regularly reviewing and limiting the number of domain administration accounts
  • Blocking dangerous email attachment file types
  • Requiring regular cybersecurity awareness training for all employees
  • Having an incident response plan and testing your backups

Click here to learn more.