U.S. schools rely on information technology for many operations. But cybersecurity incidents, like ransomware attacks, could significantly affect everything from educational instruction to school operations.
Three federal agencies assist schools in protecting against cyber threats. But there are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents. Also, the agencies don't measure or obtain feedback on whether their cybersecurity-related services are effective.
Our recommendations could improve how agencies coordinate cybersecurity assistance with K-12 schools.
Cyberattacks Used Against K-12 Schools
What GAO Found
Kindergarten through grade 12 (K-12) schools have reported significant educational impact due to cybersecurity incidents, such as ransomware attacks. Cyberattacks can also cause monetary losses for targeted schools due to the downtime and resources needed to recover from incidents. Officials from state and local entities reported that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time ranged from 2 to 9 months. While the precise national magnitude of cyberattacks on K-12 schools is unknown, the research organization Comparitech reported the number of students affected by ransomware attacks between 2018 and 2021 (see figure).
Number of U.S. Students Affected by Ransomware Attacks on K-12 Schools and School Districts, 2018-2021
Federal guidance, such as the National Infrastructure Protection Plan (National Plan), establishes roles and responsibilities for the protection of the nation's critical infrastructure, including the Education Subsector. Specifically, the Department of Education (Education) is the lead agency, or sector risk management agency, for the subsector. As such, Education and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are to coordinate K-12 cybersecurity efforts with federal and nonfederal partners. In addition, the FBI is to provide criminal investigative support.
Education and CISA offer cybersecurity-related products and services to K-12 schools, such as online safety guidance. However, they otherwise have little to no interaction with other agencies and the K-12 community regarding schools' cybersecurity. This is due in part to Education not establishing a government coordinating council, as called for in the National Plan. Such a council can facilitate ongoing communication and coordination among federal agencies and with the K-12 community. This, in turn, can enable federal agencies to better address the cybersecurity needs of K-12 schools. Regarding the products and services they do offer to schools, Education and CISA do not measure their effectiveness. Doing so would provide further input on the needs of the schools.
Why GAO Did This Study
The COVID-19 pandemic forced schools across the nation to increase their reliance on IT to deliver educational instruction to students. This amplified the vulnerability of K-12 schools to potentially serious cyberattacks. Several federal agencies have a role in enhancing the protection of our nation's critical infrastructure, which includes the Education Facilities Subsector.
GAO was asked to review cybersecurity in K-12 schools. The objectives of this report are to (1) determine what is known about the impact of cyber incidents, and (2) determine the extent to which key federal agencies coordinate with other federal and nonfederal entities to help K-12 schools combat cyber threats.
To do so, GAO analyzed publicly reported K-12 cyber incidents and related documentation. In addition, GAO identified law and federal guidance that establish roles and responsibilities for coordinating K-12 cybersecurity. GAO also interviewed officials from federal agencies and selected state-level and local-level school-related organizations on the impact of cyber incidents and level of federal cybersecurity support received.
GAO is making three recommendations to Education and one to DHS to improve coordination of K-12 schools' cybersecurity and to measure the effectiveness of products and services. Education concurred with one recommendation and partially concurred with two; DHS concurred with its recommendation. GAO continues to believe all recommendations are warranted.
Recommendations for Executive Action
|Department of Education||The Secretary of Education, in consultation with the Cybersecurity and Infrastructure Security Agency and other stakeholders involved in updating the Education Facilities Sector-Specific Plan, should establish a collaborative mechanism, such as an applicable government coordinating council, to coordinate cybersecurity efforts between agencies and with the K-12 community. (Recommendation 1)||
|Department of Education||The Secretary of Education should develop metrics for obtaining feedback to measure the effectiveness of Education's K-12 cybersecurity-related products and services that are available for school districts. (Recommendation 2)||
|Department of Education||The Secretary of Education, in coordination with federal and nonfederal stakeholders, should determine how best to help school districts overcome the identified challenges and consider the identified opportunities for addressing cyber threats, as appropriate. (Recommendation 3)||
|Department of Homeland Security||The Secretary of the Department of Homeland Security should ensure that the Director of the Cybersecurity and Infrastructure Security Agency develops metrics for measuring the effectiveness of its K-12 cybersecurity-related products and services that are available for school districts and determine the extent that CISA meets the needs of state and local-level school districts to combat cybersecurity threats. (Recommendation 4)||