
Published on April 15th, 2022

Cybersecurity Experts Call for More Transparency and Immediate Resources for Schools — THE Journal



School Cyber Attacks


'A lack of guidance is not what's holding schools back; it's a lack of resources and a lack of oversight'

The nation’s public K–12 schools need help to address widespread cybersecurity vulnerabilities and a crippling shortage of resources for those needs, and state and federal legislators have begun to propose ways to meet those needs.

But there’s another element to K–12 cybersecurity that, so far, education leaders and lawmakers have been hesitant to bring into the spotlight: The potential dangers to staff and students when a cyber incident occurs and data is stolen or potentially stolen.

In several recent reports from national cybersecurity nonprofits and the private sector, IT professionals are calling for greater transparency and accountability from school districts in their cybersecurity efforts — including mandated public disclosure when student or staff data has been breached.

Transparency is Currently the Exception

In its annual State of K–12 Cybersecurity Year in Review report released last week, K–12 Security Information Exchange, the national nonprofit dedicated to public schools’ cybersecurity, said that ransomware — where a school’s student and/or staff data is stolen and a ransom is demanded — has become the most common type of publicly disclosed cyber incident at U.S. schools, but many districts impacted by cyber incidents are sharing little or no information with the community stakeholders affected by them.

K–12 schools are not required to publicly disclose cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, the report said. Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, K12SIX’s report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.

7 Questions for School Board Members

A K–12 school board is, by law, responsible for managing risks and overseeing operations of the district, noted K–12 Security Information Exchange National Director Doug Levin.

And while school board members don’t need to be technical experts, they do need to understand the cybersecurity landscape and thoroughly understand what their district’s plans are for managing cyber vulnerabilities, he said.

The following questions from Harvard Business Review’s “7 Pressing Cybersecurity Questions Boards Need to Ask” are not only great questions for K–12 board members to ask their technology leaders, Levin said; board members should also be able to answer them in order to fulfill their duties to the district and the taxpayers:

  1. What are our most important assets and how are we protecting them?
  2. What are the layers of protection we have put in place?
  3. How do we know if we’ve been breached? How do we detect a breach?
  4. What are our response plans in the event of an incident?
  5. What is the board’s role in the event of an incident?
  6. What are our business recovery plans in the event of a cyber incident?
  7. Is our cybersecurity investment enough?

Public K–12 schools, however, are not overseen by any regulations requiring disclosure of cyber incidents or data breaches. Higher education institutions are required to report data breaches of any size, under a 2018 U.S. Department of Education rule affecting any college or university that accepts federal student aid funds.

“If it were not for the public-interest reporting of security researchers and investigative reporters during 2021 — employing, e.g., freedom of information requests to compel districts to share incident details they sought to keep from the public eye — the number of publicly disclosed incidents catalogued by the K–12 Cyber Incident Map during the past year would have been even smaller,” K12SIX said.

The report illustrates the lack of transparency that’s become increasingly common in the public education system, particularly when it comes to cyberattacks and exposure of student data. Last year alone, dozens of school districts declined to inform parents of cyber incidents and, in some cases, took “extraordinary measures” to conceal the reach and impact of data breaches and other incidents, the report noted.

“There’s no question schools should be disclosing these incidents to their communities,” K12SIX National Director Doug Levin told THE Journal this week. “Maybe they think they can avoid backlash from the community if they don’t disclose a cyber incident. But these schools are spending the community’s tax dollars. School board members and those with oversight of the school budget need all the information to do their jobs appropriately, and the community needs to know whether the district’s resources are being spent on the right things.”

Every public school impacted by a cyber incident should be disclosing basic information such as the fact an incident occurred; who was affected in a potential data breach; the amount of money recovery will cost the district; and recommended steps those affected should take to protect themselves, he said.

“Details about the attacker’s tools and techniques that were used, or what the phishing email looked like for example, those things don’t need to be out there publicly,” Levin said. “But those details can be shared anonymously with our K12SIX incident map, and it could really help other schools.” His organization’s K–12 Cyber Incident Map is considered the definitive source of information about publicly disclosed cyber incidents affecting U.S. public schools and education agencies.

Levin, as national director at K12SIX, is tasked with tracking all publicly disclosed cyberattacks at K–12 schools in the United States. He helps school district IT leaders across the country to improve their protections, and he advocates for more resources and stronger security standards alongside cybersecurity officials at the state and national level as well as with tech companies whose IT and security products are used in public school districts.

He told THE Journal that he has concluded from his many discussions with tech and IT professionals across the K–12 sector that “cyber incidents at K–12 schools are being kept secret all the time” — including incidents where student and staff data has been compromised.
