Cybersecurity in K-12 Education


Apr 22, 2025 - 21:30

School systems experience nearly daily security incidents with increasing sophistication, resulting in data breaches, financial losses, and operational disruptions. Recent reductions in federal support have created additional challenges, but the sector demonstrates unique strength through collaborative information sharing and grassroots support networks. The conversation highlights the critical importance of focusing on fundamental security practices, vendor accountability, and cross-district cooperation to strengthen K-12 cybersecurity despite limited resources.

Guest Speaker:
Doug Levin is co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national non-profit dedicated solely to helping schools protect themselves from emerging cybersecurity threats.

Computer generated transcript below:

Kevin Hogan
OK. Hello and welcome to the latest episode of Innovations and Education, eSchool News’s podcast on the latest and greatest in everything ed tech. I’m your host, Kevin Hogan, content director for eSchool News, and I’m glad you found us. In this episode, I’m joined once again by our resident cybersecurity expert, Doug Levin, to discuss the evolving landscape of digital threats in schools. Doug is the co-founder and national director of the K12 Security Information Exchange. That’s a national nonprofit dedicated solely to helping schools protect themselves from emerging cybersecurity threats. He brings over 3 decades of experience in ed tech policy issues to this role. As school districts increasingly rely on technology for both classroom instruction and administrative operations, they face growing cybersecurity risks. From ransomware attacks forcing school closures to sophisticated phishing scams that target administrators, these threats continue to evolve. So in this episode, we explore the current state of cybersecurity incidents. We look into how attackers are becoming more sophisticated in targeting schools, and we identify practical steps that district leaders can take to protect their systems. Have a listen. I think Doug’s insights will be very valuable for you. OK, Doug, as always, a pleasure to see you through the Zoom and to have a conversation. I always appreciate your insights over the years on what our readers and our listeners can do to help protect their schools and districts. So, thanks for joining me.

Doug Levin
Yeah, my pleasure to be with you, Kevin.

Kevin Hogan
I guess usually we have our annual updates. We did these through COVID, right, and you think that that might have been the craziest of times. As we sit here, it’s a different flavor of crazy, but things continue to be interesting, right?

Doug Levin
Right, I think it’s, what, may you live in interesting times, right? Is the curse, as it goes.

Kevin Hogan
Yeah. So let’s dive right into it. I’m assuming from, you know, reading your work and others that it’s not like cyber security has gotten any less worrisome, right? If not, it’s gotten even worse.

Doug Levin
The trend lines are certainly continuing, right. We’re seeing school systems, you know, pretty frequently becoming victims of cyber security incidents, typically seeing nearly one a day happen to some school system, large or small, across the US. We are seeing an increase in sophistication and targeting against K12, so less drive-by and more targeted. They understand they’re attacking schools. They may understand who the superintendent is or who the principal is. They may be grabbing graphic elements, you know, from the school system website or spoofing that. So that’s certainly quite worrisome. And then of course, we’ve seen the impact of these incidents continue to grow as well, and we can think about impact really any way you want to conceive of it, whether it’s the amount of data that has been stolen and leaked from school systems, the sensitivity of that data, the amount of money, maybe, that school systems have been extorted out of or has been stolen from them through scams, or even through operational disruptions. And it’s increasingly common that we’ve seen school systems literally have to close, send students and teachers home and not even be able to deliver any services whatsoever in responding to a significant incident. The only bright side on that latter point is typically when school systems, you know, essentially have that worst case scenario happen, they’ll usually limit closures to maybe two or three days, usually bookended around a weekend or something like that. But even still, when students and teachers are back in school, it can be weeks, or sometimes even months, before their IT systems are restored. You know, it’s just what needs to get restored in order to guarantee sort of the safety of kids to come back to school is what they’re dealing with. So definitely still a challenge for us and frankly, you know, we continue to rely on technology more and more for everything from the classroom to operations. And so this is risks and threats that we’re facing and we’re going to continue to face really forevermore, I think.

Kevin Hogan
And one of the distinctions that I know in our past conversations: it’s as much about human behavior as it is about the technology itself, right? I mean, most of these things get more sophisticated and, you know, I just personally find myself continuing to have to fend off, you know, that text from the boss, right, asking me to go buy a gift card. Talk a little bit about, you know, that it might not even be as much about the software as about training of your faculty and students.

Doug Levin
Yeah, I may have a little bit of a contrary take on that issue, right. It’s certainly something that I hear all the time, and there’s no question that people being aware of scams and common scams and ways that, you know, cyber criminals are trying to convince people to click links or share information, I mean, that certainly is common. But I think what we try to focus on in our work are technical solutions that hopefully protect all users. If we can avoid getting that phishing e-mail into somebody’s inbox, we don’t have to worry about them clicking it. If we can neutralize that malware or ransomware before it takes hold in a school system without a user having to intervene, so much the better, because I think at the end of the day, even the training programs that send simulated phishing attacks and try to get people to click less and identify those phishing emails more accurately, you know, you’re never going to get that down to 0. The real challenge I think we’re facing, and, you know, our members, school IT directors, are facing, is creating systems that are resilient enough that a single teacher, a single student, their access being compromised doesn’t result in the downfall of everybody being affected. And I’d also note we’ve seen this, you know, pretty dramatically in recent months. The weakest link that can bring down a system, in some cases that link is within the school district itself, but in other cases it’s maybe their vendors or partners, right? And given that so many of the solutions that schools rely on are cloud hosted nowadays, it turns out that if a threat actor can compromise a vendor, they may be able to get data information from hundreds or thousands of school systems versus just one district at a time.
Couple that with the fact that school systems and a lot of these online systems have data that is not just on current students and staff, but historical records going back 10, 20, 30, even 40 years. Just staggering to think about the amount of information, but also if it gets breached, like, how do you even find people who were associated with the school system 20 years ago? It’s nearly an impossible task.

Kevin Hogan
So what sort of suggestions would you have in terms of measures that our readers, our district executives right now? Let’s say they have some sort of level of cyber security.

Doug Levin
Sure, of course.

Kevin Hogan
Yeah, everything’s basic. There’s an understanding that’s there. What are some next steps that they should be thinking about taking, or even just should they be asking their vendors and their partners?

Doug Levin
Yeah. So I mean, we are big believers in simplicity, right? School systems don’t have the resources of Fortune 500 companies or the federal government. It’s a rare school system that has a CISO or someone with a cybersecurity background in an IT role, and they’ve got a tremendous number of responsibilities and things they’re juggling every day just in supporting the teachers and administrators and students and doing their work and keeping the systems up and running. What we do is we focus on the ways that school systems are frequently compromised, most frequently compromised, versus the edge cases where folks are taking advantage of sort of super sophisticated attacks that may involve zero days, things which we hadn’t seen before. They may hit school systems, but the fact of the matter is that the cyber criminals who tend to go after schools tend to use well-worn techniques that we have pretty good defenses for. One set of practices is around password management and multifactor authentication. It is frequently the case that when school systems are compromised, it is through a compromised credential, so literally the threat actor has stolen or social engineered someone into giving a username and password to them, and then they will try that against a school system, and then once they’re enabled, you know, they’re able to escalate and get into a lot of mischief. So multi-factor authentication is a super important step to guard against that. School systems have made tremendous progress in rolling that out, but too often it is just on some systems or maybe for some users. And interestingly, in the last few years, we’ve seen students become a vector for school incidents as well.
So I think it wasn’t that long ago we thought of student accounts as being pretty innocuous, and it wouldn’t be unusual for a school system to assign an easily guessable username and password to a student, maybe their birthday, and maybe that wouldn’t change for their whole academic career. Well, it turns out that, you know, kids reuse usernames and passwords across services. Once you understand how that algorithm works, it’s easy to generate it for others as well, and that’s led to some large incidents that have affected school systems nationwide, coupled with sort of oversharing that’s going on in either Google Workspace or Microsoft 365, depending on the system that the school system uses. So locking down those credentials for all users, I think, is a big thing to do. The second is really limiting what school systems are exposing to the internet, right? So it’s trivial for folks to use scanners online to look for known vulnerable software. So people issue patches, issue vulnerability alerts, and then the bad guys can go to search engines online that are sort of very similar to Google and search for servers that are running vulnerable software and then take advantage of that using known exploits. So there’s really two things that we ask all systems to do. One is to sort of know what you have facing the Internet and limit what you can. If it’s a service running and you don’t need it, shut it down. Or if you can’t shut it down, find a way to limit its exposure to the web. You can geo-IP block to keep traffic from certain countries coming. You can put a web application firewall in front of it. You can put a VPN in front of it, but just something that is not just leaving it exposed, unprotected, to the web. And then related to that, making sure to keep tabs on when patches are available for your Internet-facing products and making sure that you’re patching those systems, frankly, pretty promptly.
Some threat actors, the time from vulnerability to actually, you know, a vulnerability just disclosed, to an exploit built and then sort of used in the real world, that timeline is shrinking rather quickly. And so, you know, there may be older rules of thumb that you want to patch within 30 days or 90 days. Well, we’re seeing, you know, exploits in some cases within hours. So we certainly encourage folks to get onto a faster patching cadence, particularly for security patches for Internet-facing systems. So those are really the things that we encourage people to focus on most. I mean, there’s a whole set of other practices that are good, that are important, but those, you know, working on those I think would go a long way to reducing the challenges that a lot of school systems continue to face.

Kevin Hogan
Yeah. Now in terms of resources, obviously your organization is up there at the top of the list to reach out to, but also in the past few years there were a number of federal programs and federal kind of initiatives that we would point to at eSchool News to say, you know, upon further review and you need to do so. What is that looking like these days? And I’ll assume that those are limited now versus in the past. Where else would they reach out to?

Doug Levin
An interesting story, right? I guess interesting in quotes. So I think, you know, over the last couple of years we had started to make, I think, pretty significant inroads with the federal government to help them understand that the K12 sector was under assault and needed support. And we saw support being marshalled out of CISA, the federal cybersecurity agency. We saw the US Department of Education starting to embrace its role in helping school systems navigate this issue. We’ve seen the FCC launch a cyber security pilot program as well, and there was other money devoted to sort of SLT, state and local governments, broadly speaking, for which schools could benefit. Depending on your. Unfortunately, what we’ve seen in the first, what, three months of this new administration is a pretty significant sea change in how this administration is viewing the federal role with respect, at least let me speak narrowly, to cybersecurity, right. So the US Department of Education’s work has ceased, and there’s obviously been large cutbacks there, so there’s no longer a venue for stakeholders to engage with the department on these issues. We’re not expecting more resources on these issues that we’re aware of to be coming out of the department, and some of what they have produced previously is no longer to be found on their website. For its part, CISA still provides resources for K12, but just even earlier this week there have been announcements that they are going through their own significant downsizing. And one of the projects that CISA and its parent organization, the Department of Homeland Security, have been funding is a group called MS-ISAC, or the Multi-State ISAC. And so they serve all of state and local government, including school systems. They’ve had flat 50% funding to them cut suddenly without warning. And I should say so far, right. And so that support is gone from schools.
And at least right now it does appear that the FCC pilot program is continuing apace, but obviously I would say that right now its prospects for becoming a permanent part of the E-Rate program and the Universal Service Fund, I think, are probably a little bit longer than they were, you know, a few months ago. So, you know, in talking to some colleagues, it almost feels like we’re just sort of back to where we were maybe about four or five years ago, where, you know, enterprising groups of districts and regions and states working together are really having to bootstrap this support themselves. So on a, I guess, good news front, at K12 SIX, the K12 Security Information Exchange, we act as a K12-specific ISAC. We don’t have any federal funding. The federal government doesn’t dictate what we cover, and they’re not the primary source for our threat intel for our members. So we work with a number of private providers and others to source that threat intel. So our work continues apace, but it’s a big country and there’s a lot of people engaged in it. And there’s no question that, you know, while some resources remain, these sorts of cuts, coupled with other financial pressures that districts are facing, from threats to school lunch funding, you know, there’s concerns about, you know, ESSER stimulus money being yanked back without warning, right? All that creates uncertainty for school systems. And at the end of the day, the choice is between, you know, busing kids to school and feeding them, or buying that new advanced firewall system, or, you know, getting 24/7 SOC monitoring, like, you know where that money is gonna go, and there’s sort of no argument with that. But it does suggest that schools are going to be even softer targets than they have been in the past. And there’s certainly no reason to believe that the threat landscape is going to be changing whatsoever as far as schools are concerned.
Certainly cyber criminals have been successful in getting money one way or another from school systems, either by directly extorting it or selling data that they’ve stolen from schools. So we don’t have any reason to believe that’s going to change. So challenging times, but opportunities for us to come together, continue to come together, develop, you know, sort of common sense best practice. Really, our emphasis is really just focusing on a few key things and working to kind of raise the tide for all the boats there on those, you know, getting the basics right.

Kevin Hogan
Yeah. And in a desperate attempt on my part to leave this conversation with the glass half full, talk a little bit about the fact that districts do come together, right? I mean, there are those sort of grassroots sort of things that I know from various ed tech conferences that I go to. It’s like sharing best practices as an industry. It seems like this group wants to help each other as opposed to keeping secrets to themselves.

Doug Levin
Yeah, you know, that’s absolutely right, Kevin. So I was contacted by a reporter in regards to the PowerSchool incident, and they felt that it was remarkable that they saw online and in various groups that school systems were collaborating with each other to respond to this incident, because I guess they don’t see that in other sectors, and I think it’s just the most natural thing in the world for us. You know, I think we’re used to not having a lot of resources, certainly as compared to other sectors. We’re in no way really competing with each other on this stuff, right. And everybody is under-resourced. Everybody, you know, people change jobs and go from district to district or from the district to the state or to other, you know, outside groups, and so, you know, we build these networks of support and I think they’re critically important. I mean, one of our primary recommendations, sort of in our long list of recommendations for school systems and what to do, is to communicate and collaborate, right. And when I first started getting into this work, I joked that it sort of felt like Fight Club, which is, you know, the first rule of Fight Club is you don’t talk about it. Yeah, I think we are well beyond that now. And I think people are actively talking about it and sharing in groups within states, in groups across states, and even, you know, just based, for instance, on our national conference, which we hold in February of every year, the conversations are a level up, right, and people are sort of engaging with much more nuance about these issues and sort of talking through, like, trying to figure out how to meet this moment, if you will. I also think, by the way, that there’s an incredible opportunity right now for ed tech vendors and suppliers to come together.
You know, there’s been some recent research that suggests something that we’ve seen coming, which is that school systems are going to be asking more from their vendors and suppliers with respect to cyber security, and they’re asking for many more assurances that they’re doing the right things. This feels very much like the emergence of the student data privacy issue about a decade ago, and right now it feels like school systems are struggling with figuring out what questions to ask and then kind of what the right answers are to those questions. It’s a complicated thing, but I would argue that this is a moment in time where, you know, the tech companies probably could help K12 get smarter about what to ask for, like what are signals of trust with respect to cybersecurity that school district leaders should be looking for before they make a purchase or adoption decision. And so we’re relatively low in our maturity as a sector compared to others. The good news is that we can make pretty dramatic progress pretty fast if we can drive to some consensus on some key issues.

Speaker
No.

Kevin Hogan
Well, obviously you’re very busy and get busier every day. I really appreciate you taking the time out to speak with me. Always a really informative conversation with insights that are really helpful for our readers and listeners. So thank you, and thank you and your group for the work that you do. It’s hugely important, and I look forward to keeping the conversation going.

Doug Levin
Yeah, you bet, Kevin. Keep up the good fight.

Kevin Hogan
And that’s all we have for this month’s edition of Innovations and Education here at eSchool News. I’d like to thank you for getting to the end. I think the conversation with Doug was really instrumental, and I hope that it’s helpful for you. Until next time, I’m Kevin Hogan, and thanks again for clicking through.