As remote learning spreads, so have cyberattacks. Are schools ready?

Nam Y. Huh/AP
A Chicago charter school teacher Angela McByrd works on her laptop to teach remotely from her home in Chicago, Thursday, Sept. 24, 2020. As more districts adopt online learning, the risk of cyberattacks has increased.

Two ways to read the story

  • Quick Read
  • Deep Read ( 4 Min. )

Cyberattacks this fall across the U.S. have caused school districts to delay the start of school, cancel classes, and in some cases, resulted in the release of sensitive staff and student data.

Security experts say that K-12 education is increasingly targeted by criminals who are drawn by the rich trove of sensitive data held by districts and their historically weak online defenses. In 2019, for example, public schools in the U.S. recorded 348 cybersecurity incidents, according to one report, a three-fold increase from the prior year. This year’s totals may surpass that. 

Why We Wrote This

Districts are learning lessons that will serve them after the pandemic, like how to thwart hackers. As they have in many ways, schools are rising to the challenge and adapting to new threats.

The unprecedented reliance on remote learning during the pandemic has further emboldened attackers. Increased use of devices at home creates more avenues for cyberattack. 

The silver lining: Schools are viewing cybersecurity as a priority. From using strong passwords and multifactor authentication to storing data in a mix of virtual and on-site secure locations, districts are taking action to thwart attacks. Says Jeff Pelzel, superintendent of the Newhall School District in Santa Clarita, California: “I tell everyone now that there are things right away that you can do.” 

Students in the Newhall School District in Santa Clarita, California, were just hitting a rhythm with remote learning this fall when the district suddenly had to cancel online classes in mid-September due to a cyberattack that shut down the entire district computer network.

In a typical year, such an attack would result in teachers turning off technology and shifting lessons to the classroom, but that’s not an option with remote learning, says Superintendent Jeff Pelzel. 

“In this situation, the challenge was our kids didn’t get to interact with their teachers on a daily basis with live instruction,” he says. “And on the back end, we lost access to our drives. It’s never easy when you get shut down.” 

Why We Wrote This

Districts are learning lessons that will serve them after the pandemic, like how to thwart hackers. As they have in many ways, schools are rising to the challenge and adapting to new threats.

Cyberattacks this fall across the U.S. have caused school districts to delay the start of school, cancel classes, and in some cases, resulted in the release of sensitive staff and student data. Cybersecurity experts say that K-12 education is increasingly targeted by criminals who are drawn by the rich trove of sensitive data held by school districts and their historically weak online defenses.

The unprecedented reliance on remote learning during the pandemic has further emboldened hackers. Increased use of student and staff devices at home creates more avenues for cyberattack. Technology leaders are making years worth of changes rapidly, sometimes leading to less secure use of new applications. They warn that schools should anticipate further attacks, but also say that incidents can be reduced by better training and investing in strong cybersecurity defenses. 

“I think there’s clearly a shift,” with school superintendents and school boards viewing cybersecurity as a priority now, says Keith Krueger, CEO at the Consortium for School Networking (CoSN), a professional association for school technology leaders. “Especially with front page problems of networks failing or being attacked all around the country.”

Spike in attacks 

Recent high-profile cases include one in Miami-Dade County Public Schools in Florida, where a local teenager was arrested in September on charges of launching multiple attacks that flooded the district’s online learning system with internet traffic and prevented thousands of students from logging in to class.

Clark County School District in Las Vegas refused to pay a ransomware attack on its system in August, which reportedly resulted in the release of sensitive data, including employee Social Security numbers and student mailing addresses. Ponca City Public Schools in Oklahoma and Hartford Public Schools in Connecticut delayed the start of their school years after cyberattacks. 

The number and intensity of cyberattacks on school districts has increased for several years, says Doug Levin, an education consultant from Arlington, Virginia, who tracks cyberattacks on public K-12 school districts. 

In 2019, Mr. Levin recorded 348 cybersecurity incidents, a three-fold increase from the prior year. This year the number of cyberattacks dwindled during the first few months of the pandemic, but have shot up since the start of the school year and, if trends continue, may surpass last year’s totals. 

“It is a challenge for school districts no doubt,” says Mr. Levin. “Unfortunately the issue of cybersecurity has not been a priority by and large in schools.”

For Chris Gaines, the superintendent of Mehlville School District in St. Louis, the importance of cybersecurity best practices was reinforced this August when hackers overtook the email account of a construction company the district worked with and misdirected a $334,000 payment, according to Mr. Gaines. The district recouped most of the money, but is still working to get the last $75,000. 

“It boils down to human behavior is what allows access,” says Dr. Gaines, who initiated new business office protocols after this incident and a prior one, in which an individual tried unsuccessfully to use a hacked email account to change Dr. Gaines’ personal direct deposit account.

Cybersecurity solutions 

Mehlville Schools invests in cybersecurity by paying for cyberliability insurance, as well as hiring firms to deliberately conduct attacks to spot weaknesses. The district trains employees by running phishing campaigns to see if staff click on fraudulent links. Since the training, staff clicking on faulty links – one of the most common ways that cyberattacks begin – fell from 25%-30% to just 4%, says Dr. Gaines. 

School districts, like other local government entities, are often attractive targets because of the likelihood they are using older technology, relying on small IT teams, and holding sensitive data.

Vicki Anderson, a special agent with the FBI in Cleveland, says the FBI released a warning this summer to school districts nationwide about cybersecurity attacks during remote learning. She recommends that districts take preventative steps like training staff and students to use strong passwords and not to click on suspect links. The FBI advises schools not to pay ransomware attacks and instead get in touch with them immediately.

Groups like CoSN, the school technology association, are helping superintendents, school boards, and technology directors with cybersecurity by providing resources such as tip sheets and training. They’re also lobbying the Federal Communications Commission to allow cybersecurity to be covered under eligible services in the $4 billion E-rate program, a major source of funding for school technology. 

Mr. Krueger of CoSN says that school districts vary greatly in their ability to provide cybersecurity, with small and rural districts less likely to have the resources or expertise to enact strong policies. He also notes that the nation’s troubling digital divide extends to cybersecurity.

“We have to have the third leg of the stool, and that is secure broadband internet access,” along with enough devices and wireless connectivity for students, he says. 

Back at Newhall Schools in California, the district is working with an outside forensics team to restore access to their network drives. Teachers resumed live online lessons about 10 days after the ransomware attack. No student or employee data appears to have been released. 

Mr. Pelzel, the superintendent, says the experience was disconcerting for staff and families, and exhausting for the IT department working overtime. But “the silver lining out of this is you get lessons learned and things you can do to upgrade and support.” The district is reevaluating its cybersecurity and plans to take recommendations to its governing board. 

From using strong passwords and multifactor authentication to storing data in a mix of virtual and on-site secure locations, districts are taking action to thwart attacks. “I tell everyone now that there are things right away that you can do,” Mr. Pelzel says.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.