The K-12 Cybersecurity Act of 2021 and The State of Cyber Crime in Education

DECEMBER 29 – The number of reported cyber incidents in K-12 schools and districts in the U.S. stands at 1180. Covid-19 and the introduction of remote and hybrid learning have only made cybercrime more frequent and sophisticated in the education sector. In the past 30 days, Microsoft Security Intelligence has seen 8,253,516 devices in the education industry encounter malware, making education the largest affected industry in front of retail, healthcare, and high-tech.  That number will only increase in the new year.

The K-12 Cybersecurity Act of 2021 was passed by President Biden on October 8th. This legislation comes as a direct response to the growing rise in ransomware and data breaches occurring in K-12 education, as found by the Government Accountability Office (GAO).

From the day of its passing, the director of the Cybersecurity and Infrastructure Security Agency (CISA) is to conduct a 120-day study into the specific risks impacting K-12 institutions.

60 days after the study, the director will develop a list of recommendations, including cybersecurity guidelines designed to assist K-12 institutions with potential crimes.

120 days after this, the director will then develop an online training toolkit for K-12 superintendents and officials, both to inform them of the recommendations of the study and to provide strategies on how to implement those recommendations.

Last year, the K-12 Security Information Exchange (K-12 SIX) reported the types of incidents and growing threats present in 2020. Cybercrimes included: Data breaches, class invasions/denial of service, ransomware, and phishing. Such common incidents occurring recently range from holding personal student information for ransom to hijacking a superintendent’s board meeting to project racial slurs.

One explosive incident occurred in March with Buffalo Public Schools, where hackers were able to shut down classes for days, steal sensitive student and employee information, and destroy vital school records. This attack resulted in a $10 million pay-out. A recent exclusive found that IT staff were cautious of an attack months prior, but due to bad judgment and an absent cyber insurance policy, they failed to stop the attack.

The transition into hybrid working has shifted the priorities of IT staff and cybersecurity managers, creating a brittle environment in which they have little experience of working. These attacks have followed a distinct pattern, in which specific types of cybercrime have been identified. The range and scope of these incidents have also been tracked across America.

A team of researchers at CompariTech studied data breaches in U.S. schools across 15 years. The highest number of recorded breaches were found in Nevada with 717,626 exposed records.

Districts most affected included Washoe County (114,000) and Clark County (559,487), both were hit by the Pearson data breach, as were many around the U.S. Regarding ransomware attacks, CompariTech found Nevada again to be the most affected, followed by Texas, Virginia, and Maryland. From both data breaches and ransomware attacks, big school districts have been affected the most by cybercrime.

Dr. Hanine Salem, a managing director at Novus Consulting Group (NCG), who has over 20 years’ worth of experience in public-sector development, explains what types of schools are most exposed to these incidents. “According to research from the K12 Security Information Exchange: larger school districts are at a significantly greater risk for experiencing a cyber incident than other types of school districts, as are school districts located in more densely populated parts of the county. It reports that there are a few reasons that might explain this pattern. First, larger school districts manage more technology devices and systems than smaller enrollment districts and have more students and employees using that technology. Smaller enrollment translates to offering a smaller threat profile to malicious actors and a lower chance of being affected by user actions (whether intentional or by mistake). Second, incidents that occur in smaller school districts may be less likely to become publicly disclosed than in larger, more urban school districts.”

Interestingly CompariTech found no incidents of breaches in Wyoming. According to Governing, Wyoming has one of the smallest numbers of school districts (48), and lowest student enrollments (92,563). These numbers are in parallel to high-risk states like California and Arizona, which were hit the hardest with data breaches. Their total number of districts are (941) and (226), respectively.

There is a clear pattern indicating that schools and districts that deal with a larger number of students, thus larger volumes of information, are most affected by cybercrime.

Dr. Hanine Salem explains how schools are not doing enough to protect and inform students about the cybercrime affecting them.

“With federal funding as a result of COVID, right now, schools have a unique opportunity to pay for training courses like the Cyber Citizenship course.” Said Dr. Salem. “If a school, is improving cybersecurity to better meet the educational and other needs of students related to preventing, preparing for, or responding to COVID-19, it may use Elementary and Secondary School Emergency Relief Fund (ESSER) funds.”

NCG’s Cyber Citizenship course was designed to teach students the fundamentals of cyber security and how to stay safe online when using technology. Non-governmental cybersecurity platforms have been tirelessly providing online resources and information on cybersecurity since before the pandemic, and have only been developing their services. K-12 SIX has their K-12 Cybersecurity Resource Center, which provides an up-to-date map of recorded cybercrime incidents in K-12 schools, and a cybersecurity self-assessment service intended for K-12 IT and cybersecurity managers. Fortinet and Dell Technologies also provide cybersecurity software and information for K-12 schools and districts, with solutions for network and cloud security. Along with these companies, there are numerous courses available online concerning K-12 cybersecurity and how to stay safe online from Coursera to Udemy.

EdTech companies are holding the fort for both assisting schools with their security and teaching students about cybercrime.

“Students need to learn to be their own best defense against cybercriminals. Children and youth are often considered to be soft targets, mainly because they have not yet been trained on basic cybersecurity subjects and ways to protect themselves and their devices, making them an easy gateway into the more valuable home and school devices and networks.” Said Dr. Salem.

The results of the CISA director’s study will be revealed in early 2022. With a large amount of information and resources available online from EdTech companies and organizations, the government can provide K-12 schools with a stronger line of defense from recurring cybercrime.

Featured Image: Mikhail Nilov.