Opinion Blog


Rick Hess Straight Up

Education policy maven Rick Hess of the American Enterprise Institute think tank offers straight talk on matters of policy, politics, research, and reform. Read more from this blog.

Privacy & Security Opinion

What Can Be Done About K-12’s Looming Tech Nightmare?

By Rick Hess — January 24, 2022 4 min read
Image shows a multi-tailed arrow hitting the bullseye of a target.
  • Save to favorites
  • Print

School closures fueled by COVID and staffing shortages have been well documented of late. Far less attention has been paid to the spate of major school districts shuttered by cyberattacks.

Earlier this month, the Albuquerque public schools were forced to cancel classes due to a cyberattack that locked district staff out of the student-information database they use to record attendance, determine who is permitted to pick students up from school, and store student emergency contacts. Last March, the Buffalo, N.Y., district canceled classes for two days in response to a ransomware attack. Since the start of the pandemic, cyberattacks have also prompted school closures in districts including Hartford, Conn.; Newhall, Calif.; and Somerset Hills, N.J.

What can be done about this growing threat? Well, Eileen Belastock, the director of technology and information for the Nauset public schools in Massachusetts, tackles that issue in a fascinating, deeply troubling article for Education Next (remember, I’m an editor at Ed Next). In “Our Biggest Nightmare Is Here,” Belastock explores the cybersecurity risks facing America’s schools and just how ill-prepared many systems are for the challenge. At a time when schools have become extraordinarily reliant on vulnerable technology, it’s hard to think of a more important topic that gets less day-to-day attention (although Education Week’s own Alyson Klein deserves a hat tip for paying more than a little attention to it in stories like this and this).

As Belastock explains, “Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018.” The explosion in online learning during the pandemic only exacerbated these challenges. In 2020, there were a record-breaking number of publicly reported cybersecurity incidents—“408 across 377 school districts in 40 states, according to the K–12 Cybersecurity Center,” or “a rate of more than two incidents per school day throughout 2020.”

Ransomware poses a particular danger to schools. First, hackers engage in “distributed denial-of-service attacks,” where a flood of internet traffic disrupts a district’s network and presents users from accessing payroll platforms, student schedules, or email applications. Then, while school networks are offline, they use malware to take control of a district’s data and demand a ransom to restore access.

As of this past August, Politico has reported that ransomware attacks have hit 58 education organizations and school districts, including 830 individual schools. Last March, the Broward County, Fla., district didn’t pay a $40 million ransom, leading the hackers to publish 26,000 stolen files online (these included student and staff Social Security numbers and addresses).

Things may only get worse, Belastock fears. The Consortium for School Networking has reported that hackers are shifting from companies “which are devoting increased resources to cyber defenses,” to more vulnerable sectors like “school districts, universities, and nonprofits.”

You’re not alone if you’re thinking, “Aren’t schools already wrestling with enough challenges?” I’m with you. But the reality is that the pandemic has yielded massive shifts to remote learning, with huge new outlays for hardware and software. Given the speed with which this all occurred, it’s no great surprise that much of this happened without a lot of attention to cybersecurity. And it’s not like K-12 was doing especially well on this score even before March 2020.

So, what now?

See Also

Belastock offers several practical suggestions, all of which seem wholly sensible. Since more than 90 percent of school-based cyberattacks start with phishing campaigns, in which cybercrooks try to get a user to reveal personal information or install malicious software on their computer or else impersonate a trusted party to obtain payments or financial information, she recommends cybersecurity training. Surveys suggest that educational administrators have not yet been prepared for these challenges, so such trainings could go a long way toward eliminating attacks that are the consequence of human error.

In an admonition that sounds all-too-familiar to those of us who’ve wrestled with less cataclysmic computer crashes, she also argues: “A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network.” So, schools need to take backup seriously and do it pronto.

Finally, Belastock strongly urges school systems to obtain cyber liability insurance, which most insurance companies now offer to school districts—some for only $1,600 a year. The insurance typically covers not only any ransom itself but also experts to help analyze the breach, manage the district’s response, and recover lost revenue. Belastock argues that building this into a district budget is just accountable management and can potentially save millions.

This problem isn’t going away. Indeed, it’s a safe bet that it’s only going to get worse, as schools become ever more reliant on tech. Educational leaders and policymakers have spent the last two years investing heavily in education technology. It’s time to take aggressive steps to protect that investment.

Related Tags:

The opinions expressed in Rick Hess Straight Up are strictly those of the author(s) and do not reflect the opinions or endorsement of Editorial Projects in Education, or any of its publications.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Reading & Literacy Webinar
Literacy Success: How Districts Are Closing Reading Gaps Fast
67% of 4th graders read below grade level. Learn how high-dosage virtual tutoring is closing the reading gap in schools across the country.
Content provided by Ignite Reading
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Artificial Intelligence Webinar
AI and Educational Leadership: Driving Innovation and Equity
Discover how to leverage AI to transform teaching, leadership, and administration. Network with experts and learn practical strategies.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School Climate & Safety Webinar
Investing in Success: Leading a Culture of Safety and Support
Content provided by Boys Town

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Download A Tip Sheet to Help Teachers Prevent and Respond to Doxxing
Teachers can be a target for malicious actors. Use this tip sheet to prevent and respond to doxxing.
1 min read
Image of digital safety against doxxing and privacy invasion.
Laura Baker/Education Week via Canva
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by FlexPoint Education Cloud
Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
E+
Privacy & Security Civil Rights Groups Seek Federal Funding Ban on AI-Powered Surveillance Tools
In a letter to the U.S. Department of Education, the coalition argued these tools could violate students' civil rights.
4 min read
Illustration of human silhouette and facial recognition.
DigitalVision Vectors / Getty