Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity

GAO-23-105480 Published: Oct 20, 2022. Publicly Released: Oct 24, 2022.

Fast Facts

U.S. schools rely on information technology for many operations. But cybersecurity incidents, like ransomware attacks, could significantly affect everything from educational instruction to school operations.

Three federal agencies assist schools in protecting against cyber threats. But there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents. Also, the agencies don't measure or obtain feedback on whether their cybersecurity-related services are effective.

Our recommendations could improve how agencies coordinate cybersecurity assistance with K-12 schools.

Cyberattacks Used Against K-12 Schools

A graphic illustrating phishing, ransomware, DDOS, and video conferencing disruption cyberattacks

Highlights

What GAO Found

Kindergarten through grade 12 (K-12) schools have reported significant educational impact due to cybersecurity incidents, such as ransomware attacks. Cyberattacks can also cause monetary losses for targeted schools due to the downtime and resources needed to recover from incidents. Officials from state and local entities reported that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time ranged from 2 to 9 months. While the precise national magnitude of cyberattacks on K-12 schools is unknown, the research organization Comparitech reported the number of students affected by ransomware attacks between 2018 and 2021 (see figure).

Number of U.S. Students Affected by Ransomware Attacks on K-12 Schools and School Districts, 2018-2021

Federal guidance, such as the National Infrastructure Protection Plan (National Plan), establishes roles and responsibilities for the protection of the nation's critical infrastructure, including the Education Subsector. Specifically, the Department of Education (Education) is the lead agency, or sector risk management agency, for the subsector. As such, Education and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are to coordinate K-12 cybersecurity efforts with federal and nonfederal partners. In addition, the FBI is to provide criminal investigative support.

Education and CISA offer cybersecurity-related products and services to K-12 schools, such as online safety guidance. However, they otherwise have little to no interaction with other agencies and the K-12 community regarding schools' cybersecurity. This is due in part to Education not establishing a government coordinating council, as called for in the National Plan. Such a council can facilitate ongoing communication and coordination among federal agencies and with the K-12 community. This, in turn, can enable federal agencies to better address the cybersecurity needs of K-12 schools. Regarding the products and services they do offer to schools, Education and CISA do not measure their effectiveness. Doing so would provide further input on the needs of the schools.

Why GAO Did This Study

The COVID-19 pandemic forced schools across the nation to increase their reliance on IT to deliver educational instruction to students. This amplified the vulnerability of K-12 schools to potentially serious cyberattacks. Several federal agencies have a role in enhancing the protection of our nation's critical infrastructure, which includes the Education Facilities Subsector.

GAO was asked to review cybersecurity in K-12 schools. The objectives of this report are to (1) determine what is known about the impact of cyber incidents, and (2) determine the extent to which key federal agencies coordinate with other federal and nonfederal entities to help K-12 schools combat cyber threats.

To do so, GAO analyzed publicly reported K-12 cyber incidents and related documentation. In addition, GAO identified law and federal guidance that establish roles and responsibilities for coordinating K-12 cybersecurity. GAO also interviewed officials from federal agencies and selected state-level and local-level school-related organizations on the impact of cyber incidents and level of federal cybersecurity support received.

Recommendations

GAO is making three recommendations to Education and one to DHS to improve coordination of K-12 schools' cybersecurity and to measure the effectiveness of products and services. Education concurred with one recommendation and partially concurred with two; DHS concurred with its recommendation. GAO continues to believe all recommendations are warranted.

Recommendations for Executive Action

Agency Affected: Department of Education
Recommendation: The Secretary of Education, in consultation with the Cybersecurity and Infrastructure Security Agency and other stakeholders involved in updating the Education Facilities Sector-Specific Plan, should establish a collaborative mechanism, such as an applicable government coordinating council, to coordinate cybersecurity efforts between agencies and with the K-12 community. (Recommendation 1)
Status: Closed – Implemented
The Secretary of Education agreed with and implemented this recommendation. Specifically, in its August 2024 response to GAO, responsible Education department officials stated, and provided related documents showing, that the department had established a Government Coordinating Council to coordinate cybersecurity efforts with the K-12 subsector. By implementing this recommendation, the department will now be able to better coordinate with the K-12 subsector and assist schools with protecting against cyber threats.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should develop metrics for obtaining feedback to measure the effectiveness of Education's K-12 cybersecurity-related products and services that are available for school districts. (Recommendation 2)
Status: Open
The Secretary of Education agreed with our recommendation. In August 2024, responsible department officials stated that the department plans to work with relevant stakeholders to identify appropriate metrics for obtaining feedback from the K-12 community. We will continue to monitor Education's progress in fulfilling this recommendation.

Agency Affected: Department of Education
Recommendation: The Secretary of Education, in coordination with federal and nonfederal stakeholders, should determine how best to help school districts overcome the identified challenges and consider the identified opportunities for addressing cyber threats, as appropriate. (Recommendation 3)
Status: Open
In August 2024, responsible department officials provided a signed Government Coordinating Council Charter, which stated that working groups shall be established, as needed. The officials stated that a working group may be formed to address the identified challenges. We will continue to monitor Education's progress in establishing a working group to enable coordination between federal and nonfederal stakeholders on how to best help school districts overcome the identified challenges for addressing cyber threats.

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of the Department of Homeland Security should ensure that the Director of the Cybersecurity and Infrastructure Security Agency develops metrics for measuring the effectiveness of its K-12 cybersecurity-related products and services that are available for school districts and determine the extent that CISA meets the needs of state and local-level school districts to combat cybersecurity threats. (Recommendation 4)
Status: Closed – Implemented
The Secretary of the Department of Homeland Security agreed with and implemented this recommendation. Specifically, in its March 2024 response to GAO, responsible department officials stated, and provided related documents showing, that the department had developed metrics for measuring the effectiveness of its K-12 cybersecurity-related products and services. By implementing this recommendation, the department will now be able to determine whether its products and services are useful and meet the needs of the K-12 subsector.

Topics

Critical infrastructure, Critical infrastructure protection, Cybersecurity, Cyberspace threats, E-rate, Information sharing, School districts, Schools, Federal agencies, Students