Title: Ransomware and Other Cyberattacks on K-12 Schools

Description: Ransomware and other cyberattacks on public schools increased dramatically during the pandemic as schools across the nation increased their reliance on IT to deliver instruction to students. Now that classes are back in-person, what vulnerabilities remain? We find out from GAO's Dave Hinchman.

Related GAO Work: GAO-23-105480, Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity

Released: October 2022

[Music]

[Dave Hinchman:] Although cyberattacks on K-12 schools are on the rise, there's a lot of federal guidance governing the roles federal agencies play in fighting this increasing threat.

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Ransomware and other cyberattacks on public schools increased dramatically during the pandemic, as schools across the nation increased their reliance on IT to deliver instruction to students. Now that classes are back in-person, what vulnerabilities remain, and what's being done to better protect K-12? We'll find out more from GAO's Dave Hinchman, an expert on cybersecurity and data protection. Thanks for joining us.

[Dave Hinchman:] Hi, Holly. Thanks so much for having me here today.

[Holly Hobbs:] So, Dave, how big of an issue is this? How many cyberattacks have there been and what changed during COVID?

[Dave Hinchman:] Unfortunately, Holly, there's no good, accurate count on how many of these attacks are actually taking place. There are not many reporting requirements-- and none at the federal level, even fewer at the state level. And so absent voluntary reporting, we just really don't know.
There seems to be a reluctance on the part of schools to voluntarily disclose these attacks, both for fear of self-identifying as the victim, but also fear of being targeted again, because they've demonstrated that they have a certain vulnerability. However, ongoing research has shown that the prevalence of K-12 cyberattacks that can be identified continues to grow year over year. It's generally assumed that this is a significant problem that's getting worse. Research has also shown that the pace of attacks increased with the onset of the pandemic. And if you think about it, that makes a lot of sense. All of a sudden, school districts all over the country pivoted to educating students online, and this presented many more electronic targets for malicious actors.

[Holly Hobbs:] Why would somebody want to target a school with a cyberattack? Who would do this?

[Dave Hinchman:] So schools get targeted for a number of reasons. Schools are often viewed as not being tech savvy or unfortunately, as is often the case, schools can't afford to make cybersecurity a priority. And so there are different drivers behind these attacks. Threat actors may be motivated by monetary gain, by the desire to steal data or simply to cause disruption of classes. And these attacks can take a number of different forms, such as ransomware attacks in which bad actors gain control of the system and deny access to services or data until they're paid a ransom. There are also disruptions of video conference feeds and attacks that prevent users from being able to access a network.

[Holly Hobbs:] Do we have any examples of where this has happened?

[Dave Hinchman:] Unfortunately, there are far too many examples. Some notable ones. Most recently, there was a very public ransomware attack on the Los Angeles Unified School District in September 2022.
And as part of that attack, and after the district publicly refused to pay the requested ransom, the perpetrators released 500 gigabytes of sensitive data that had been stolen from the district. There was also a December 2021 attack on a vendor for Chicago Public Schools, in which more than 500,000 students and staff members' personal information was disclosed. But at the other end of the scale, we heard of several instances in which it was believed that students were able to go on the dark web and essentially rent the software they needed to crash their schools' online systems. And coincidentally, these attacks sometimes happen on days of big tests. And so you really get a wide variety of people attacking these schools. And the reasons vary and the methods vary as well.

[Holly Hobbs:] And do we know what impact this has had on students in schools?

[Dave Hinchman:] So this is perhaps the most important aspect of this. In many of these attacks, compromised data has included students' names, dates of birth, genders, other personally identifiable information. So the type of data that, once released online, can make victims even further vulnerable and subject to greater risk. But as I mentioned, there's also a financial cost. And the organizations that we talked to cited the cost of system downtime, system recovery time, and also pure monetary loss. Organizations that we talked to told us the loss of learning could be as much as three weeks. So that's three weeks where students aren't able to access important systems for their learning. And that incident recovery times could be as much as nine months due to schools' limited resources as they slowly rebuild these systems that were taken down by bad actors. The monetary loss school districts experience can range from $50,000 to over $1,000,000. And for a school system that might be already stretched financially, any of these situations could have a really devastating impact.
[Music]

[Holly Hobbs:] So Dave just told us that cyberattacks on public schools are increasing, and can have a devastating impact--including weeks of disruptions to classes, heavy financial costs, as well as long-term implications for those whose personal information is stolen. So Dave, what is the federal role in protecting schools from cyberattacks?

[Dave Hinchman:] So Holly, the federal role is spelled out in various federal laws, policies and public-private plans that have been developed over years. But the most important responsibilities are covered primarily by three federal agencies. The first is the Department of Education and is responsible for coordinating with federal partners to address cybersecurity risk management for schools. And this can include things like providing guidance for parents and students on preparing for cyber threats online and other online resources. Additionally, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is in charge of information sharing programs to help spread awareness about cyber threats. And finally, the third federal agency is the FBI, which investigates reported K-12 cyberattacks and intrusions, and is also the focal point for coordinating and sharing information on cyber threat investigations within the federal government.

[Holly Hobbs:] So we have several agencies helping to protect schools from cyberattacks, but they're still happening. What more do we think federal agencies should be doing to better protect schools?

[Dave Hinchman:] The biggest issue we found is that there needs to be better coordination between the federal-level and the actual K-12 organizations. There's very little actual direct interaction between the agencies or with the K-12 community. We felt that this disconnect was due to the lack of a coordination function for the education sector, which is a practice the U.S. National Infrastructure Protection Plan says should be in place for all critical infrastructure sectors. And the idea behind this is that some sort of coordinating organization would facilitate communication and coordination between the various stakeholders in the sector. So that's both federal agencies as well as K-12 organizations themselves. And so our report recommends that a collaborative mechanism, such as a coordination council, be created to achieve these goals. We think that such a council would prove to be a really valuable tool for facilitating better communication and coordination among federal agencies and with the K-12 community.

[Holly Hobbs:] And last question, what's the bottom line of this report?

[Dave Hinchman:] I think the bottom line is that although cyberattacks on K-12 schools are on the rise, there's a lot of federal guidance out there governing the roles various federal agencies play in fighting this increasing threat. Obviously, the government is serious about fighting this. In executing these various responsibilities there are also a lot of opportunities for those responsible agencies to improve how they engage with K-12 schools and better address K-12 cybersecurity needs.

[Holly Hobbs:] That was Dave Hinchman talking about GAO's recent review of federal efforts to protect public schools from cyberattacks. Thanks for your time, Dave.

[Dave Hinchman:] It was great to talk to you, Holly. Thanks again for having me here today.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify, or wherever you listen and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the US Government Accountability Office, visit us at GAO.gov.