WASHINGTON, D.C. — When a ransomware attack hit the Los Angeles Unified School District at the start of the 2022-23 school year, the country's second-largest school system had "above average" defenses, including trained staff, assurances that ed tech companies would not put student data at risk, and tools to help prevent vulnerabilities, said Superintendent Alberto Carvalho.
But what the district did not have was a "Rolodex of influencers" — or cybersecurity experts whom the district had built relationships with, Carvalho said during the K-12 cybersecurity summit at the White House on Tuesday. He added that when the attack happened, the district did receive quick responses from local, state and federal agencies.
"Have that Rolodex ready to call an individual who can help you manage a crisis, a situation that you yourself alone cannot manage," the superintendent said. "You do not have the tools or the intelligence federal agencies have, and they can deliver big time very, very quickly."
During the summit, Carvalho and others shared advice and best practices for protecting schools against rising cyberattacks targeting elementary and secondary school systems.
The event, dubbed Back to Back to School Safely: Cybersecurity Summit for K-12 Schools, came a day after the federal government released a resource document and announced other investments to protect student, family and staff data. As part of the efforts, several ed tech company leaders also announced their own cyber security solutions.
In the face of increased cyberattacks, school systems and advocacy groups called for national attention and support for this issue. A quarter of school administrators surveyed in October said their district had experienced a hack, phishing incident, data breach or other cyberattack in the previous year, according to Clever, a single sign-on provider for learning apps.
Last year 65 ransomware attacks affected 1,436 schools and colleges serving about 1 million students, according to Comparitech, a cybersecurity research website. The attacks cost education institutions nearly $9.45 billion in downtime alone, the company estimates.
"Do not underestimate the ruthlessness of those who wish to do us harm."
Alejandro Mayorkas
U.S. Secretary of Homeland Security
Schools are "target rich" with lots of sensitive data but are also "resource constrained," because officials often lack the knowledge or capability to prevent attacks, said Jen Easterly, director of the federal Cybersecurity and Infrastructure and Security Agency.
CISA wants to "make sure that you all have what you need to raise the baseline in cybersecurity, but also importantly, to know how to respond effectively to reduce and mitigate that risk," Easterly told the summit attendees.
U.S. Secretary of Homeland Security Alejandro Mayorkas advised schools to be on guard against cyber criminals. "Do not underestimate the ruthlessness of those who wish to do us harm," he said.
Here's other advice and resources participants shared during the summit:
'Call us immediately'
One of the nation's highest law officers exhorted school officials to use federal defenses in the war against cyberattacks.
Paul Abbate, deputy director of the FBI, said the bureau's goal is to prevent attacks from ever happening. To help do that, districts should build relationships with its nearest FBI regional office to prepare for and respond if an event does happen, he said.
"In the event that something does happen, if there is a cyber attack, please call us immediately because timeliness does matter," Abbate said.
In fact, the FBI is part of the coordinated federal approach announced Monday to help schools mitigate cyber vulnerabilities and respond to ransomware attacks. Other agencies involved are the Education and Homeland Security departments, along with CISA, the Federal Communications Commission and the White House.
Additionally, Congress is considering bicameral and bipartisan legislation to better track school cyberattacks and provide tools and guidance to school systems.
"We can't talk about potential collaboration at the local level, at the state level, if we're not modeling it here at the federal level," U.S. Education Secretary Miguel Cardona told the summit. He added that schools and their partners need to be proactive and not wait for emergencies to happen.
Cardona highlighted the department's creation of a government coordinating council that will organize information and resources about K-12 cyber defense and response.
Also under the Biden administration's new initiatives, CISA will provide cybersecurity training to 300 school systems over the next year, and the FCC has proposed a $200 million, three-year pilot program for school and library cyberattack prevention.
Use ed tech resources
One panel at the summit featured leaders from private companies who emphasized tech security is at the forefront of their business models. Their initiatives include training for school staff, guidance to safeguard software and hardware, security tools and more.
Amazon Web Services will provide $20 million in grants to districts and state education agencies for cyber skill building, according to Kim Majerus, vice president of U.S. public sector education for AWS. The company will also provide free security reviews to U.S. ed tech companies, Majerus said.
Cloudflare, an IT service management firm, is offering free tools to help small school districts minimize cyber risks.
"We are committed to helping our nation's schools better protect themselves so they can focus on what they do best — teaching children," said Zaid Zaid, head of U.S. public policy at Cloudflare.
PowerSchool, Google and D2L also announced steps their companies are taking to prevent malicious cyber activities as part of the White House efforts.
Create federal-state-local partnerships
State education agencies have launched several initiatives to shore up K-12 cyber defenses, panelists said.
In North Carolina, for example, a Joint Cybersecurity Task Force — consisting of law enforcement, emergency management services, local government and others — aims to help government and schools respond to a cyberattack, according to Vanessa Wrenn, chief information officer at the North Carolina Department of Public Instruction. In addition, the state education agency has a cybersecurity program to align prevention resources.
Michael Gregg, North Dakota's chief information security officer, said difficulty in recruiting tech security experts led the state to become the first to require cybersecurity education for all K-12 students. Students in junior high and high school can compete in a cybersecurity competition with winners getting college scholarships.
The San Diego County Office of Education has worked closely with the California Department of Education and other partners to build out a distributed denial of service, or DDos mitigation service, which helps block efforts by bad actors to disrupt digital activity. That mitigation service is available to every educational entity in the state, said Terry Loftus, chief information officer for the district.
Carvalho emphasized how vital these federal, state and local partnerships were in helping LAUSD recover and respond to the September 2022 cyberattack. "It was the unparalleled bringing down [of] the governmental silos" that helped the district recover quickly from the attack, he said.