Cyberattacks on K-12 schools are becoming an increasingly serious problem, costing districts money and lost learning time. But the federal government, including the U.S. Department of Education, has largely dropped the ball on some key steps to help schools prevent, plan for, and deal with these attacks.
That鈥檚 the message of a , Congress鈥 investigative arm. It鈥檚 the of K-12 cyberattacks and the second in a row that criticizes the federal response. It comes on the heels of one of the most high-profile cyberattacks yet, on the Los Angeles Unified school district, the nation鈥檚 second largest.
Cyberattacks have cost districts anywhere from three days to three weeks in lost instructional time, while recovery times tend to range from two to nine months, the GAO reported. It鈥檚 tough to know the exact number of attacks that have occurred, because many aren鈥檛 publicly reported, the agency noted. (The K12 Security Information Exchange, or K12 SIX, that there have been more than 1,330 publicly disclosed attacks since 2016, when the nonprofit first began tracking these incidents.)
The Education Department is supposed to be serving as a communications and collaboration hub among K-12 districts and federal agencies that work on cybersecurity, including the Cybersecurity Infrastructure Security Agency (CISA), GAO said. But right now, it鈥檚 falling down on the job, the watchdog reported.
鈥淭he biggest issue we found is that there needs to be better coordination between the federal-level and the actual K-12 organizations,鈥 said . 鈥淭here鈥檚 very little actual direct interaction between the agencies or with the K-12 community.鈥
That disconnect, he said, may be happening in part because the Education Department hasn鈥檛 acted on federal guidelines that call for it to create a government coordinating council, to help the feds and school districts collaborate and share information on attacks.
The GAO formally recommended the department create the council or find another way to ensure there鈥檚 continuing coordination and communication among school districts and the feds on cybersecurity. In response, the Education Department told the GAO it had begun informal coordination with other agencies, to which the GAO reiterated its recommendation for a more formal approach.
What鈥檚 more, while the Education Department and CISA have some products and services aimed at helping schools with cybersecurity, neither agency measures the effectiveness of those resources, GAO said. That鈥檚 something the GAO recommended the agencies get started on, noting that 鈥渄oing so would provide further input on the needs of the schools.鈥 CISA agreed.
The Education Department, on the other hand, promised only to explore what kinds of metrics would be best for measuring the effectiveness of its cybersecurity resources.
Finally, the GAO wrote that the Education Department should figure out how to help districts cope with challenges like inadequate staff, limited funding, and difficulty getting cybersecurity insurance. The department said it would.
Reading between the lines of the report, Doug Levin, the national director of K12 SIX, was stunned by what he saw as the department鈥檚 lackadaisical response to a major K-12 threat.
鈥淚 think that we have had more than enough evidence that this issue is serious and that schools need support specifically targeted to their context, their unique circumstances,鈥 he said. Despite multiple letters from members of Congress, K12 SIX鈥檚 reports, and more, he doesn鈥檛 鈥渟ee any sense of urgency by the federal agencies who are best positioned to help. I just think that there is a leadership void here.鈥
