GAO says confusion over responsibilities has left schools vulnerable to cyber attacks
Confusion over which government department or agency is responsible for protecting school networks against cyber attacks has left the nation’s K-12 institutions especially vulnerable to ransomware, according to a new report from the Government Accountability Office.
After speaking with officials from schools across the country, the GAO said it found that officials were uniformly unclear about whether updating the 2010 cyber security plan fell under the purview of the Department of Education or the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
“Education officials state that the department has not updated the sector plan and not determined the need for sector-specific guidance because CISA has not directed it to do so,” the report said, adding that it had determined that the Department of Education “is responsible for updating its sector plan and determining the need for guidance.” The confusion, the report said, had essentially allowed updating the cyber security plan to fall through the cracks.
Cyberattacks against schools have been on the rise. According to a database of publicly reported ransomware attacks maintained by Recorded Future, there were 56 cyber attacks against schools in 2020 and there have already been 77 so far this year. In 2019, there were 62 publicly reported ransomware attacks against schools, compared with just 11 in 2018.
The four Democratic senators who asked the GAO for the review — Maggie Hassan of New Hampshire, Kyrsten Sinema of Arizona, Jacky Rosen of Nevada, and Chris Van Hollen of Maryland — said in a joint letter released after the report that the rapid rise in ransomware is fueling the growing number of K-12 cyber attacks.
“2019 saw almost three times more incidents than 2018 and 2020 saw a further 18 percent increase over 2019,” they wrote. “These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland.”
The four senators urged the Department of Education and DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to work together to update the Department of Education’s cyber security plan for schools. The lawmakers also urged the Department of Education and CISA to determine whether K-12 schools need specific guidance and best practices to help improve their cybersecurity.
Among other things, the GAO report provided a comprehensive list of resources from the Education Department, CISA, and the FBI aimed at helping K-12 schools fend off attacks. But the report said that schools either weren’t aware of the offerings or didn’t know how to get them.
“As a result,” the report said, “K-12 schools are less likely to have the federal products, services, and support that can best help protect them from cyberattacks.”