Congress’ auditing branch on Friday made public a report on steps the federal government can take to better ensure the cybersecurity of K-12 schools nationwide, which have been walloped over the past few years by ransomware attacks.
In its report, the General Accountability Office concluded that the U.S. Education Department needs to update its plans for responding to cyberattacks against grade schools, as they face a slew of online threats, including ransomware, denial-of-service attacks, email scams and pandemic-era concerns like disruptions to virtual learning environments.
The GAO concluded that as the lead agency for the education sector, the Education Department is responsible for setting IT and cybersecurity guidelines for K-12 schools, but has not updated its planning documents since 2010.
The report states that other federal entities, including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, along with non-governmental partners like the Multi-State Information Sharing and Analysis Center, routinely issue warnings about the cyberthreats faced by K-12 schools.
But GAO also found that Education Department officials believe that protecting K-12 schools is CISA’s responsibility and that they have not received instructions from the DHS branch on how to update their guidance.
“Education officials stated that the department has not updated the sector plan and not determined the need for sector-specific guidance because CISA has not directed it to do so,” the report reads.
K-12 schools are categorized as government facilities, one of 16 critical-infrastructure sectors identified by DHS. And GAO determined that an Education Department unit, the Office of Safe and Secure Schools, is responsible for drawing up the sector-specific cybersecurity plans for K-12 organizations — in consultation with CISA — and updating them once every three years.
While the Education Department said in its response that it agrees with the need to update its planning documents, it disagreed that it is responsible for K-12 cybersecurity, arguing instead that its role is limited to protecting students’ privacy.
“While privacy and information security overlap in important ways, we do not believe that the Department’s privacy authority would allow us to develop general requirements in the area of information security,” the department’s response read. The Education Department agreed, however, that the department should consult with CISA on updating its 11-year-old plans.
The GAO’s investigation into K-12 cybersecurity was requested last year by Sens. Maggie Hassan, D-N.H., Kyrsten Sinema, D-Ariz., and Jacky Rosen, D-Nev., after a hearing where they pressed CISA’s then-acting director, Brandon Wales, to extend the agency’s efforts to counter ransomware targeting schools. Districts in all three senators’ home states have suffered attacks.
In a letter Monday to Education Secretary Miguel Cardona and DHS Secretary Alejandro Mayorkas, Hassan, Sinema, Rosen and Sen. Chris Van Hollen, D-Md., urged them to follow through on the GAO recommendations.
The letter, which was first reported by the Washington Post, also urged additional steps, including the creation of formal coordinating councils — made up of education leaders and cybersecurity experts — that can make recommendations and promote collaboration across the K-12 sector, similar to efforts in other critical sectors like elections, financial services and health care.
“Bringing together the K-12 stakeholders would help ensure resources, services, and other support can be prioritized to allow schools to effectively utilize them,” the senators’ letter reads.