From the U.S. Government Accountability Office, www.gao.gov

Transcript for: As Remote Learning Increased, So Did the Cyber Threats Facing K-12 Schools

Description: During the pandemic, many schools moved from in-person to remote learning. Students and teachers use laptops and personal computers to connect for lessons while at home. And while technology allowed for continued education, this increased reliance on IT also made K-12 schools more vulnerable to cyberattacks. So what resources were provided to schools to help protect them against these attacks? We find out more from GAO's Nick Marinos, an expert on cybersecurity and data protection and a director in our Information Technology and Cybersecurity Team.

Related GAO Work: GAO-22-105024, Critical Infrastructure Protection: Education Should Take Additional Steps to Help Protect K-12 Schools from Cyber Threats

Released: November 2021

[Music]

[Nick Marinos:] The Department of Education should carefully look at whether more guidance might be needed to better protect young students, parents and teachers from cyber threats.

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report. Your source for news and information from the U.S. Government Accountability Office—celebrating 100 years of fact-based, nonpartisan government oversight. I'm Holly Hobbs. During the pandemic, many schools moved from in-person to remote learning. Students and teachers use laptops and personal computers to connect for lessons while at home. And while technology allowed for continued education, this increased reliance on IT also made K-12 schools more vulnerable to cyberattacks. So what resources were provided to schools to help protect them against cyber threats? Today, we'll find out more from GAO's Nick Marinos, an expert on cybersecurity and data protection and a director in our Information Technology and Cybersecurity Team. Thanks for joining us.

[Nick Marinos:] Thanks a lot for having me, Holly.

[Holly Hobbs:] Nick, why would someone want to target schools with a cyberattack?

[Nick Marinos:] Well, there are a few reasons. I mean, a cyber-threat actor or a criminal might view a school system to be a desirable target of attack simply because of the fact that K-12 schools have increasingly used information technology more during the pandemic. These criminals could be motivated by the potential to obtain money or steal data from attacks or might just want to disrupt K-12 classes. In some cases, there may even be a student or a school employee that could be motivated to conduct a cyberattack in order to, for example, alter grades or other school records or for other personal reasons.

[Holly Hobbs:] So can you give us some specific examples of cyberattacks that have happened?

[Nick Marinos:] So a real-life example, back in March of this year, a Florida school district with more than 260,000 students was victim of such an attack carried out by a criminal group. And the group encrypted the school's district data and demanded a $40 million dollar ransom to decrypt the data. And even though we've seen an increase in ransomware attacks, we continue to see bad guys using phishing scams as well. And actually, back in April 2019, a Kentucky school district was victim of this kind of attack when attackers sent a fraudulent email, disguising themselves as a vendor. And the school district mistakenly paid an invoice of $3.7 million to the attackers, thinking it was a payment to a legitimate vendor.

[Holly Hobbs:] So how did the number of attacks change during the pandemic?

[Nick Marinos:] So according to data from MS-ISAC [Multi-State Information Sharing and Analysis Center], which is an information sharing analysis center that focuses on state and local governments, we did see an increase in the number of ransomware incidents against K-12 schools.
Back at the beginning of the 2020 school year, 57 percent of all ransomware incidents that were reported to the Center involved K-12 schools. And this was almost a double increase in what they had seen in the prior year.

[Holly Hobbs:] It seems like this increase in cybersecurity issues was a foreseeable problem?

[Nick Marinos:] I think yes and no. Yes, in the sense that the reality is that as a society, we're starting to increasingly use more and more technology, and we're also teaching our students to leverage that technology themselves. But no, in the sense that, the efforts that the schools had to go through last year to convert from in-person to virtual learning put a lot of strain and stress on the technology services that they either had or they needed to acquire very quickly. In other cases where we've seen entities have to rush to put forward technology, cybersecurity often can be an afterthought or something that might not get attention until, unfortunately, an attack or an incident occurs.

[Holly Hobbs:] And so the Department of Education is the federal entity most involved with schools. What cyber guidance or support did Education provide during the pandemic?

[Nick Marinos:] Well, the Department has done a few things in this area. First, it issued guidance for parents and students on preparing themselves for when they may be confronted with cyber threats online. The department also provided guidance to schools through best practices for online learning. And we've seen the Education Department continue to provide other resources to help schools with their cybersecurity, including through data breach response training, and by sharing a sample of training drills and tabletop exercises that were actually developed by other schools.

[Holly Hobbs:] And the examples you provided, they sound like crimes. So are departments like Homeland Security or federal law enforcement involved?

[Nick Marinos:] Yeah, you named it right there, Holly.
The Department of Homeland Security's Cyber Security Infrastructure Security Agency, which is known as CISA, provides a variety of ways that it can help folks to enhance their cyber hygiene. So, for example, CISA can actually provide schools with assistance at their request to help them figure out the cause of an incident and to help them restore their systems. They also provide voluntary assessments of school systems. They can provide training exercises. They do cyber alerts and guidance on other cyber topics as well. And they also provide these services indirectly to K-12 schools, through an agreement with MS-ISAC, which is a resource center also for those state and local government agencies. And these services include network monitoring services, cyber-risk assessments and incident response services. Now, on the law enforcement side, the FBI primarily conducts investigations when schools have been victims of cyberattack and they help the schools in attributing the attack, figuring out who did it, and they conduct analysis to determine other affected groups because a cyberattack may not only be limited to just one school system. The FBI also provides public alerts about specific cyber threats and also public reports on emerging threats and trends.

[Music]

[Holly Hobbs:] So it sounds like remote learning exposed K-12 public schools to increases in cyberattacks, but that there were also supports and guidance available from the Department of Education and federal law enforcement to protect students, and teachers and their schools. Nick, did we make any recommendations to improve the federal effort to protect schools?

[Nick Marinos:] Yeah, so we're making two recommendations in this report to the Department of Education. We believe that Education needs to work closely with CISA to update its outdated plan for protecting schools to address the growing threat of cybersecurity attacks.
It's been 11 years since Education updated this plan, and a lot has obviously changed in how schools use technology and what are the types of cyber threats that they confront. We also think the department should determine whether more guidance is needed for schools based on current cybersecurity risks.

[Holly Hobbs:] And this is our first of two reports on K-12 cybersecurity. Can you tell us a little bit about the next report?

[Nick Marinos:] Sure. Yeah. So that second report will be a review looking at what's needed at the state level based on conversations and perspectives of key state officials. We're also going to be looking at how schools have dealt with the incidents and the steps they took to recover.

[Holly Hobbs:] And last question, what's the bottom line of this report?

[Nick Marinos:] I think the bottom line is that even though federal agencies do already provide a variety of products and services to help schools protect themselves against cyber threats, it's time for them to ensure that these efforts meet current needs. Given the increasing number of cyberattacks we've seen schools face across the country, it's clear that the plan needs to be updated and that the Department of Education should also carefully look at whether more guidance might be needed to better protect young students, parents and teachers from cyber threats.

[Holly Hobbs:] That was Nick Marinos talking about GAO's recent review of federal efforts to protect public schools from cyberattacks. Thanks for your time, Nick.

[Nick Marinos:] Thanks so much, Holly.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify or wherever you listen. And make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO dot gov.