Introduction
Though child abuse is an odious comparison, it can be argued that the increasing cyberattacks on K-12 schools, students, and their hapless families are just as devastating. ‘Catch ’em young’ seems to be a phrase that is being cruelly twisted out of context by hackers intent on monetizing their nefarious ends at the cost of the nation’s educational systems and students. 2021 witnessed alarming trends; since then there has been no slowing down. The US Government Accountability Office (1) reports that 647,000 American students were affected by ransomware attacks on K-12 schools, a figure that made people sit up. The report put the typical attack period at between three days and three weeks, resulting in monetary losses, compromise of personal data, and disruptions in classes.
A year later, despite alarm bells sounding, there was no stopping the attacks. Cybersecurity firm Sophos found that almost 80 percent of schools across 14 nations, including the USA, had been hit by ransomware attacks, making them the preferred sector of attack over erstwhile leading sectors like health care, infrastructure, and government.
Cybersecurity Ventures put it succinctly: Schools don’t have snow days anymore. They have ransomware days!
Why schools
Schools were once not on the radar at all, with hackers focused on targeting organizations and businesses; they came into the picture more or less at the end of the last decade. Everyone from disgruntled students to hacker groups in rogue states found that schools were easy pickings. Here are some of the reasons:
- Schools provided hackers with a treasure trove of personal data of students and their families, including social security numbers, credit card data, and the like
- Hackers knew there was always an alternative source of ransom. Should school authorities refuse to meet the demands, parents could easily be approached to pay up to safeguard family information
- With low spending on cybersecurity, schools were ill-equipped to field major threats posed by cyberattacks
- Schools were deploying a variety of unprotected software suites to relay sensitive data.
How they happen
There is a general feeling that a cybersecurity spend of just 8% of schools’ annual budgets is far too little to quell today’s threats. Low spending means that infrastructure is more likely to be insecure, making schools easy targets for hackers. Internet Safety Labs, in a recent study, found that almost 96% of the apps used by schools have data-sharing practices that are not safe. Email, phishing, Denial of Service, Man-in-the-middle, stolen passwords, and bots are the most commonly used methods to perpetrate attacks. Amongst the more infamous of cyberattacks on K-12 schools are:
- Data breaches which involve exfiltration of student and parent data. Some estimates put the figure at almost a third of all the hacks that have been perpetrated
- Ransomware, where school cyber defenses are breached to steal data, with hackers then demanding a ransom in exchange for the stolen data. Ransomware attacks are increasingly common
- Denial of Service which involves crashing school servers by inundating them with fake requests. Accounting for an estimated 5% of all attacks, Denial of Service attacks result in disruption of school services
The fallout
The Center for Internet Security (CIS), responsible for monitoring and responding to cyber incidents, notes that attacks on K-12 schools are now occurring on a ‘near-weekly basis’. The CIS (1) found that there has been a 30% quarter-over-quarter increase in these attacks since the end of 2022.
Educators and school officials bemoan the fact that the attacks severely set back students’ progress: cancelled classes, and in some extreme cases even the closure of schools, leave students unable to complete courses. Coming in the wake of Covid, hacks on K-12 schools have been like a second body blow to officials who are keen to ‘maximize learning time and minimize disruptions.’
For parents of students whose data has been exfiltrated, the damage is no less devastating. Many families have experienced stress and loss of sensitive data that has wrought considerable financial loss.
The responses
By far the best response to the K-12 hacks has come from the Cybersecurity and Infrastructure Security Agency (CISA). Labeling them ‘an attack on the future of the country’ (3), CISA has pledged to work with its federal, state, local, and territorial partners, and directly with the K-12 community to arrest the menace, by providing grants, tools, and resources to the K-12 academic community.
In August 2023, the Biden administration (4) announced a slew of measures to strengthen the cybersecurity of K-12 schools, in collaboration with the US Department of Education and CISA.
In the wake of this announcement, many schools have signed up to avail themselves of the offerings. There has also been some traction from the industry, with companies (2) (5) like Cloudflare, Amazon Web Services, Google, and PowerSchool offering financial support or free courses to shore up K-12 school cybersecurity defenses. The Federal Communications Commission plans a USD 200 million pilot project to strengthen cyber defense in schools and libraries.
Mitigating the hacks
Since the advent of the K-12 hacks, many cybersecurity establishments including the government have released useful guides that attempt to stem the attacks. CISA’s recommendations for K-12 schools set the tone for the industry to follow. CoSN (6) released a 5-point action plan for school IT staff that covered:
- Training
- Technical expertise
- Network security
- Sustainability plans
- Leadership buy-in and funding
Other useful measures would be:
- Keeping patches up-to-date
- Restricting unnecessary access
- Implementing multi-factor authentication
- Following an incident response plan, including testing backups
- Following industry best practices
Forbes advocates evolving to a Zero Trust Network Access (ZTNA) policy (7), leaving the legacy systems that schools currently deploy behind. They also believe parents (8) should be brought into the conversation in order to ensure cyber hygiene at home, via:
- Making children aware of the risks inherent in online activity
- Ensuring software patches are updated and strong password management is practiced
- Using a VPN rather than unsecured Wi-Fi
- Stringent practices for personal data privacy
Closing Thoughts
By the looks of it, hacks on K-12 schools and other academic institutions are far from being a thing of the past. Given the complexity of the problem and the humongous level of change that is needed at various levels, no change in the status quo is likely. In retrospect, perhaps the rallying cry of the US Government that the hacks represent an attack on the very future of the nation will galvanize pre-emptive action. Either that, or hackers will have to discover another lucrative destination to take their nefarious act to.
And that as we know is a sign of surrender, or as some would euphemistically put it, ‘living with the problem’.
References:
1. The Top Target For Ransomware? It’s Now K-12 Schools (forbes.com)
2. K-12 schools improve protection against online attacks, but many are vulnerable to ransomware gangs | AP News
3. Protecting Our Future: Cybersecurity for K-12 | CISA
4. Biden Administration Announces Cybersecurity Initiative for K-12 Schools (edweek.org)
5. Biden-Harris Administration Launches New Efforts to Strengthen America’s K-12 Schools’ Cybersecurity | The White House
6. K-12 Cybersecurity in 2023: Ransomware, AI, and Increased Threats | Tech & Learning (techlearning.com)
7. Let’s Put (Zero) Trust In Our Educational Future (forbes.com)
8. How To Protect Your Family’s Data From School Hacks (forbes.com)