The Education and Homeland Security departments still have much catching up to do against the continued ransomware threat against public school districts nationwide, according to a report released Monday by the U.S. Government Accountability Office.
The GAO, Congress’ auditing branch, found that ransomware attacks against K-12 schools cost between three days to three weeks of lost learning and that recovery times can take two to nine months. Those figures are based on interviews with state and local officials — the GAO report noted that the full magnitude of ransomware against the education sector is “unknown.”
But as the number of incidents continues to mount — a ransomware outfit known as Snatch claimed on Sunday to have hacked the school system in Kenosha, Wisconsin — the federal government is still not providing sufficient resources to help educators combat the threat, according to the GAO. While the Education Department and DHS’s Cybersecurity and Infrastructure Security Agency offer technical services and written materials, they have fallen short in taking steps seen in other critical infrastructure areas, like forming a coordinating council of agency, industry and local-level representatives. (Some critical infrastructure subsectors — like elections — have their own dedicated councils.)
According to the GAO, the Education Department has not established such a group, despite the DHS calling for one in its National Infrastructure Protection Plan. The report also found that the Education Department and CISA have not developed metrics to track the effectiveness of their services to K-12 schools, a task a coordinating council could handle.
“Without measuring the effectiveness of federal support, agencies remain unaware whether schools have adequate resources needed to address cybersecurity threats,” the report reads. “As a result, the K-12 community may be insufficiently equipped to protect and defend against growing cyber threats, thus impacting schools’ ability to adequately educate students and protect staff and students’ information.”
An ‘underwhelming’ response
While the departments agreed with the GAO’s recommendations for more formal coordination and metrics, Monday’s report also came about a year after the release of another GAO study that revealed the Education Department hasn’t updated it’s K-12 cybersecurity guidance in more than a decade. It also comes as CISA runs overdue in delivering a comprehensive study of K-12 cybersecurity that was ordered by a law President Biden signed in October 2021.
Doug Levin, executive director of the K12 Security Information Exchange, which tracks cyberattacks against schools, told StateScoop he was “deeply discouraged” by the lack of progress at the Education Department and CISA.
“I am completely underwhelmed by the responses of both those agencies,” he said. “It’s hard to say any other way but the Department of Education has been asleep at the wheel.”
The head of the federal Office of Education Technology said last March that a review of K-12 cyber guidance was underway, and the Department of Education this month said it is hiring someone to develop new policies and guidance.
Levin also said the K-12 sector is often treated as a “second-class citizen” in discussions of critical infrastructure security. While CISA has published materials for schools, Levin said it’s not always “well-targeted” to the budget and resource constraints many districts face, nor it is always communicated effectively.
CISA Director Jen Easterly said last week at a conference hosted by Mandiant that her agency plans to increase its focus over the next year on K-12 schools, in addition to the water and health sectors. The agency is also hosting a three-day online summit on school safety and security, with the second day focusing on cyber issues. (Levin said he is speaking during the event.)
Still, Levin said any progress that’s been made over the past year is “tepid.”
“Some things are beginning to change slowly,” he said. “I could argue that if our response to COVID didn’t convince us that having schools were open and operating that the sector is critical, I don’t know what will. The status quo is an unacceptable place.”