It's Time for Legislation Addressing Information Security at Schools
Though we are only in its second quarter, 2021 is well on track to be the most significant year ever recorded for cyber attacks against American K-12 school systems, colleges, and universities. In the last week alone, high-profile attacks occurred against the Centennial School District near Portland, Oregon, Madison City Schools in Madison, Alabama, and Guilderland School District near Albany, New York. Cybercriminals and threat actors do not discriminate and have launched costly and damaging cyber exploitation campaigns against school districts connected to every demographic group and type of American student imaginable.
Addressing information security has been a critical issue for communities since the first computer systems and databases began entering school systems in the early 1980s. However, the current situation has continued to spiral out of control. Not a day goes by without more local, regional, and national coverage of data breaches, ransomware attacks, and phishing scams carried out against K-12 school districts, endangering students and threatening institutional stability. America is facing a national emergency of epic proportions in countering the pervasive impact of cyber threats. Schools have emerged as a ground zero for the deployment of sophisticated crimeware-as-a-service (CAAS) tools such as the latest ransomware variants. A school's data is valuable to criminals for use in identity fraud operations and for compromising leading research findings, as in recent attacks against Coronavirus vaccine development.
Our nation needs sensible cybersecurity laws to protect our schools. This article outlines the robust groundwork already in place through pieces of legislation such as Texas Cybersecurity and Senate Bill 820, and other leading work under way to get tough on cybercrime facing our nation's classrooms and leading educational organizations.
Anatomy of a Cybersecurity Law for K-12 Schools: Lessons from Texas Cybersecurity and Senate Bill 820
On January 10, 2019, Governor Abbott of Texas signed Texas Cybersecurity and Senate Bill 820 into law, paving the way for a more comprehensive statewide approach towards mitigating the devastating effects of cyber attacks against K-12 schools within the state. As is typical of new legislation, Senate Bill 820 came about following revelations connected to several high-profile cyber incidents involving Texas schools. Those incidents include a data breach on May 22, 2017, involving the Texas Association of School Boards (TASB), a private, nonprofit membership organization. In that single incident, the names and social security information of every school administrator, educator, and service staff professional were posted online in what was one of the most substantial public employee records breaches to date within the state. Texas was also one of America's first states to deal with the fallout of a ransomware attack. That data breach involved the personal information of over 700 students across 39 different school districts within the state being released online. Senate Bill 820 is a groundbreaking piece of legislation for bolstering K-12 cybersecurity because it mandates:
- The creation of a designated cybersecurity oversight position connected to enacting practices, policies, and procedures across state school districts.
- That policymakers create a comprehensive cybersecurity threat response policy and clear guidelines about what must happen when incidents occur.
- That any educational record or data compromised because of a cyber incident be reported immediately to the Texas Education Agency (TEA) and communicated to parents throughout the district.
It's Time for New Local, Regional, and National Strategies for Bolstering K-12 Cybersecurity
It's time for local, state, and federal legislators to take up data security, information security, and cybersecurity topics. This effort safeguards America's classrooms and ensures our students have access to the best educational opportunities available. Cybercrimes against schools are damaging in several ways because of the immense losses of time, educational resources, and opportunities they cause to communities. Some of the most significant and pervasive cyber threats facing our nation's K-12 school systems, colleges, and universities include:
- Ransomware Attacks: Schools have become the number one choice for criminal organizations seeking to earn money by encrypting data and demanding a fee to return access. The average ransomware fee charged is $50,000, though sums as high as $1.5 million have been requested and paid by school districts recently. Unfortunately, even for schools that pay these fees, there is absolutely no assurance or guarantee that the data will be returned or that student identity details, including addresses, have not been published online.
- Data Breaches: The data schools have access to is highly valuable to criminal organizations for various reasons. Data breaches against schools are incredibly costly to resolve. It is not uncommon for large school districts to pay between $50 million and $100 million or more to resolve the catastrophic losses caused by data breaches.
- Phishing Scams and Social Engineering: Young people and their educators are vulnerable to phishing scams that play on emotions to trick people into giving up access to data and information. Phishing scams are a principal way criminals can access networks to launch more devastating attacks, such as ransomware requests.
- Denial of Service Attacks: Modern classrooms rely on many software platforms to conduct educational activities. Hackers have the power to bring all of those systems down and make it impossible for educators to hold online classes, wasting time and money.
- Other Miscellaneous Intrusions: Attackers and provocateurs are targeting schools for a variety of criminal actions and mischief. Seemingly benign pieces of hardware, such as cameras used for Zoom calls, are frequent hacking targets, giving intruders access to the secured video conferencing of K-12 students.