Almost a year after hackers exfiltrated 500GB of data including 2,000 student records from the Los Angeles Unified School District, Superintendent Alberto Carvalho joined White House officials in calling for improved cybersecurity at K-12 schools across the nation.
The September 2022 hack against LAUSD is one of several major recent attacks against school districts. In the 2022 to 2023 academic year alone, at least eight K-12 school districts fell victim to cyberattacks, four of which prompted schools to temporarily close doors or cancel classes.
In light of the spike in attacks, the U.S. Department of Education hosted the first ever Cyber Security Summit for K-12 Schools on Monday convening leaders from the government, education and cybersecurity sectors to discuss strategies to increase schools’ cyber resilience.
“This signals to the nation the administration’s awareness and proactive leadership in acknowledging this issue is a risk to national security at all levels,” said Carvalho, at a Monday press conference. “This is the first time in my tenure as superintendent which now is sixteen and a half years that I have seen this synergistic coming together of all parties rallying around policy, practice, information, knowledge and financial support for cybersecurity.”
Past attacks have exposed sensitive information of students and staff including grades, medical records, documented home issues, behavioral information, and financial information. Learning loss following attacks has ranged from three days to three months, while recovery time has taken between two and nine months, and monetary loss has ranged from $50,000 to $1 million, according to a 2022 U.S. Government Accountability Office report.
In addition to the summit, the Department of Education is also in the process of establishing a Government Coordinating Council and just released three K-12 Digital Infrastructure briefs to instruct schools on how to strengthen their digital security.
“Schools have access to more devices and connectivity than ever before, and this technology in education has incredible potential to help students better connect with their learning and achieve, and teachers better engage with their students,” said U.S. Secretary of Education Miguel Cardona. “But to make the most of these benefits, we must effectively manage the risks. Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms.”
The Government Coordinating Council will ensure new developments in cyber security and information on attacks is communicated between federal, state, local, tribal, and territorial governments. The briefs provide school districts across the nation with a detailed playbook on how to shore up their cyber security and train students and staff to defend from attacks.
“The vast majority of infiltrations and exfiltration out of systems specific to data and information are done not because of very sophisticated attacks, but because somebody left the backdoor open,” said Carvalho. “So multi-factor authentication, the constant creation of new passwords and professional development on the management of data systems for internal employees as well as private sector partners is critical.”
These are among the strategies that LAUSD has doubled down on following the hack in September 2022. In addition, the district has established an advisory committee on cyber security, intensified its internal penetration tests to uncover weaknesses in its own security system, and tightened its protocols for contracts with private sector entities that have access to LAUSD data.
“We are on the right path of vigilance,” said Carvalho. “I do believe we are in a far better place than we were just a couple years ago.”