Improving the basic cybersecurity postures of K-12 school districts doesn’t have to be an expensive undertaking, even as costly ransomware incidents targeting the sector slogs on, speakers said Wednesday during an online event hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Ransomware attacks, CISA Director Jen Easterly said in pre-recorded comments, “strike at the core of schools’ financial stability and ability to carry out fundamental educational mission.” She said they’re also unlikely to fade away.
“Cyber intrusions are here to stay,” she said. “We have to build an ecosystem where these intrusions are minimized and contained.”
But building up those defenses can often be an impediment for resource-strapped districts. While education officials nationwide are optimistic they may get a bite of the $1 billion DHS is distributing in state and local cyber grants over the next four years, that money will be spread thin.
Rather than hope for the funds needed for expensive technology purchases, schools can avail themselves of free or low-cost improvements, several officials and education security advocates said during a panel discussion.
“There’s a misconception we need a lot of money to do anything,” said Doug Levin, executive director of the K12 Security Information Exchange, a nonprofit group that tracks cyber incidents affecting schools.
Levin said school IT administrators can turn on security features included in the software they’ve already purchased, install patches and updates regularly and delete or archive old data that’s no longer needed, reducing odds it can be stolen by malicious actors and published online. He also recommended that schools sign up for membership in organizations like the Multi-State Information Sharing and Analysis Center, a DHS-funded operation that offers free services like malicious domain blocking and malicious-code analysis.
“Membership in any of those is money well spent,” Levin said.
‘It is a journey’
Amy McLaughlin, the cybersecurity program director at the Consortium for School Networking, a K-12 information technology group, said she’s seen more districts start to take a firmer line on user-account hygiene, like requiring longer passwords and multi-factor authentication. Derek Moore, chief technology officer of the Palo Alto, California, Unified School District, said his Silicon Valley school system has quietly implemented MFA on nearly user accounts over the past five years.
“It is a journey and it takes a bit of lifting but our entire user base is in a good spot,” Moore said, conceding that an effort to extend it to parents’ accounts was a bit limited.
Another basic step schools can take is to collect inventories of their tech assets.
“You don’t know what steady-state is until you know what’s in your environment,” said Michael Klein, a digital infrastructure fellow at the U.S. Education Department.
He said that includes items like VoIP phones and keycards to unlock doors, both technologies that are sometimes disabled by ransomware attacks.
“The notion there are physical security risks and other operational risks that don’t have some technology component is really important to underscore,” K12 SIX’s Levin said.
But many working in K-12 are still looking to CISA — and other federal agencies, like the Education Department — to do more on school cybersecurity. The department’s Office of Education Technology last issued K-12 cybersecurity guidance in 2010, and only started working on an update earlier this year.
Meanwhile, CISA was ordered last October to deliver a report on the state of K-12 cybersecurity, a document that’s still yet to be delivered. Easterly told StateScoop in an interview last week that “you will see it soon,” though she did not specify when.