Schools across the US have increasingly been the target of cyberattacks, ranging from digital vandalism to identity theft to ransomware. According to data from the 2021 midyear Global Threat Landscape Report from FortiGuard Labs, education was the second-most targeted sector in the first half of 2021, just behind Telcos/Carriers. And according to The State of K-12 Cybersecurity: 2020 Year in Review report, there was a 491 per cent increase in school cyber incidents between 2016-2020. The report goes on to state: “During the calendar year 2020… [there were] 408 publicly-disclosed school incidents, including student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and other social engineering scams, denial-of-service attacks, and a wide variety of other incidents. This is 18 percent more incidents than were publicly disclosed during the prior calendar (and—for the second year running—the most since the K-12 Cyber Incident Map first started tracking these incidents in 2016). This equates to a rate of more than two incidents per school day over the course of 2020.”
The transition to distance learning during the COVID pandemic played a role in this increase, as students and teachers relied on technology to deliver lessons, complete homework, and interact with students. So, when attackers target schools, learning is often disrupted, sometimes for days, as critical systems are taken offline
Schools and Libraries are a Top Target of Cybercriminals
One of the reasons schools have been so frequently targeted is that budget-constrained school systems have not been able to invest in cybersecurity. Over-burdened IT teams have struggled to simply ensure that students have the tools and connections they need to connect to school remotely. And teachers have had to wrestle with unfamiliar technology to upload and download lesson plans and homework assignments broadcast in their classrooms, and provide one-on-one assistance for struggling pupils. There has been little time or money left over for adequate security measures.
The attacks faced by schools run the gamut, from sophisticated ransomware and denial of service (DDoS) attacks to classroom disruption tactics that expose students to hate speech, shocking images, sounds, and videos, and even threats of violence. Such incidents have resulted in class disruptions and cancellations and even school closures in extreme circumstances. Two of the most high-profile multi-day school closures involved the Miami-Dade County Public Schools in Florida, which suffered a multi-day denial-of-service attack that closed school for more than 350,000 students, and Fairfax County Public Schools in Virginia, which had to close school for several days for over 189,000 students due to widespread classroom invasions.
School board meetings have also been disrupted and canceled, email services to and from school community members have been compromised, and children as young as kindergarteners have been exposed to racist, sexist, and anti-Semitic hate speech, threats of violence, and inappropriate images. Moody’s Investors Service says the rate of attacks on schools has “increased exponentially” since it began tracking cyberattacks in 2018.
The big question is why? There are many answers, but the most common reason is money. Schools are a treasure-trove of personally identifiable information (PII) that can be stolen and sold on the dark web. And schools also process a relatively high volume of financial transactions, such as paying school fees, over poorly secured networks. And ransomware attackers target schools because they know they cannot remain offline for long. In 2020 alone, ransomware attacks affected nearly 1,800 schools, impacting over 1.3 million students. Ransoms ranged from $10,000 to over $1 million per incident. But experts estimate that “these attacks cost education institutions $6.62 billion in downtime alone. Most schools will have also faced astronomical recovery costs as they tried to restore computers, recover data, and shore up their systems to prevent future attacks.”
But money is just one reason. Hacktivists target schools and school board meetings with extreme political agendas. Vandals target schools for the notoriety or the thrill of disrupting a social mainstay. And disgruntled students are often just looking for a way to exact revenge or disrupt school.
The one thing all these attacks have in common is that it is notoriously easy to breach the cyber defenses of underfunded school network security.
Technology is the Foundation of Today’s Education
Technology is one of the most critical components of 21st-century education. Digital classrooms, websites that host assignments, online parent-teacher engagement, remote tutoring, and digital online libraries are all possible because of technology. More students have devices, and more teachers are now relying on the internet as an effective way to teach and communicate with students, than ever before. And allowing some percentage of students to remotely attend hybrid classrooms is likely to remain a permanent fixture of many schools even after the pandemic is over.
These advances are not unique to education. Businesses, retailers, and government agencies have also moved to remote or hybrid environments enabled by technology. The government’s investment to connect students and anchor institutions during the pandemic is significant, and those technologies are unlikely to be abandoned once life returns to normal. To ensure that students are prepared to compete in today’s digital marketplace, schools not only need to be sure that students remain connected but securely connected.
Effective Cybersecurity Requires Updating E-Rate Funding to Protect Schools
The most significant barrier is funding. The E-Rate Program’s outdated focus has made it difficult for schools to keep up with the technology—and accompanying security—demands of our digital society. The Federal Communications Commission (FCC) has a unique opportunity before it and a recognized demand across the country to provide schools with the flexibility to utilise funds to stay ahead of the growing cyber threat.
The intent for the E-Rate programme to include cybersecurity is clearly evident because a “basic firewall” had been an allowable expense since the policy was written in the late 1990s. Cyberthreats have evolved since then, and the need for more robust cybersecurity has advanced well beyond what a basic firewall can offer. Today’s digital security needs to cover the range of threats schools and students face while protecting the variety of technologies now in place at most schools—as well as devices used by remote students, who need them to ensure equal access to digital classrooms and online resources.
This isn’t a leap. The change required is simple, as we noted to the FCC. E-Rate funding should evolve to ensure the advanced cybersecurity tools that enable schools to protect the digital presence of students and teachers are permissible. Such an update of the rules is necessary if we expect our children and their data to be protected in an ever-growing digital world.