A recent cyberattack that affected the biggest school district in the country is a reminder of an increase in cybersecurity incidents at schools across the U.S. As such attacks become more common, schools may need to do more to build their ability to prevent attacks and to hold private vendors to high standards, experts say.
An “attempted security incident” this month knocked out many of Illuminate Education’s digital services, including an online gradebook, Skedula, and a related parent-focused platform, PupilPath, which are used by New York’s public school system. Service was out for several weeks, disrupting learning as the schools returned from the holiday break. And even now, some of the company's other services appear to still be down, according to updates from the company.
Cyberattacks on schools are on the rise, according to the latest available report from the K-12 Security Information Exchange, a national nonprofit focused on cybersecurity and K-12 schools. There’s been a five-fold increase in incidents since 2016, with 1,180 reported incidents connected to U.S. public schools in that time. At least 128 school districts have seen repeat attacks.
The uptick is happening at a time of record spending on U.S. edtech: K-12 public schools in America spent somewhere between $26 billion and $41 billion annually before the pandemic, according to figures from the nonprofit EdTech Evidence Exchange.
The issue isn’t just a matter of inconvenience, but a potential threat to student privacy, especially in the case of digital gradebooks and other student information systems, experts point out.
“Cyber attacks are a growing problem in schools, and the harms to students and their families are not theoretical,” says Elizabeth Laird, director of Equity in Technology at the Center for Democracy and Technology.
Although school districts are doing a decent job with what they have, they don’t have as many resources to throw at cybersecurity as private corporations do, which can make them look like low-hanging fruit to would-be attackers, says Tim Harper, a former chief technology officer for Seminole Public Schools in Sanford, Florida, and the current administrator-in-residence for Clever, a K-12 digital platform.
For many schools across the country, which require edtech to function, third-party vendors would be better equipped to handle cybersecurity, argues Jim Siegl, senior technologist at the Future of Privacy Forum. Many districts are small, and may only have a handful of staff for all of their technology operations.
So far, schools have responded by increasing training for teachers, though that training has focused more on student security than on how teachers themselves can prevent online intrusions. According to one Center for Democracy and Technology report, many teachers have received training on student privacy, fewer have received training on how to avoid phishing or ransomware scams meant to hoodwink them into giving up their personal information.
These days, any online system comes with tradeoffs, and risks, notes Doug Levin, the national director of the K-12 Security Information Exchange.
“When school districts adopt technology solutions for their operations, they are accepting cybersecurity risk—it faces every organization that relies on technology,” he says.
Not all the risk comes from computers within a school. The many outside systems that schools contract with aren’t immune from attacks, and are outside of a school’s control.
Even when schools outsource their cybersecurity to an outside firm, Levin adds, “it is merely shifting their risk to a third-party.”
For example, an attack against Finalsite, a software company used by schools across the country, affected around 5,000 school websites earlier this month. Levin notes that while Finalsite appears to have been forthright about the attack and its response, there are still questions about whether it could have done more to prevent it.
And companies have not always been candid when they’ve experienced a significant attack. The U.S. Securities and Exchange Commission, for instance, announced last year that it had fined Pearson, the London-based publishing company known for its textbooks, $1 million to settle charges that it had “misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures.”
What schools can do, experts say, is to diligently vet the edtech they use. Specifically, schools should insist on contractual commitments to safety audits and prompt disclosures of security issues that may arise, Levin says.
Lack of National Consensus
The U.S. lacks a national consensus around what sort of protections parents, teachers and students should expect in terms of data privacy from school districts, experts including Levin and Harper say. In contrast, the European Union put in place the General Data Protection Regulation, or GDPR, in 2018 which spells out the expectations around data protection and personal information.
U.S. states have begun to address the issue, however, and more than 100 student-privacy laws have been passed since 2013, many of which ban targeted advertising or data-selling—though fewer of those laws tackle training or meaningful security requirements. And the measures rarely provide extra funding to schools for security or privacy resources, experts point out.
There is more federal information on the way, though.
In October 2021, the K12 Cybersecurity Improvement Act became law. It instructs the federal cybersecurity agency, CISA, to conduct a study of cybersecurity threats facing school districts—and to make recommendations this year.
Cyber security experts say that’s a step in the right direction.
Clarification: A previous version of the story cited a different estimate about the amount of edtetch spending at K-12 schools in the U.S.