The White House on Tuesday held its first-ever cybersecurity “summit” on the ransomware attacks plaguing U.S. schools, which has included hackers leaking sensitive student data such as medical records, psychiatric evaluations and student sexual assault reports.
“If we want to safeguard our children’s futures we must protect their personal data,” first lady Jill Biden, who is a teacher, told the gathering. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”
At least 48 districts have reported ransomware attacks this year — already three more than in all of 2022, according to the cybersecurity firm Emsisoft. All but 10 had data stolen, the firm reported.
An October 2022 report from the Government Accountability Office, a federal watchdog agency, found that more than 1.2 million students were affected in 2020 alone — with lost learning ranging from three days to three weeks. Nearly one in three U.S. districts had been breached by the end of 2021, according to a survey by the Center for Internet Security, a federally funded nonprofit.
“Do not underestimate the ruthlessness of those who would do us harm,” said Homeland Security Secretary Alejandro Mayorkas during the summit, noting that even reports on suicide attempts have been dumped online by criminal extortionists and urging educators to avail themselves of federal resources already available.
Among measures announced at the summit: The Cybersecurity and Infrastructure Security Agency will step up training for the K-12 sector and technology providers, including Amazon Web Services and Cloudflare, will offer grants and free software.
A pilot proposed by Federal Communications Commission Chair Jessica Rosenworcel — yet to be voted on by the agency — would make $200 million available over three years to strengthen cyber defense in schools and libraries.
“That's a drop in the bucket,” said Keith Kroeger, CEO of the nonprofit Consortium for School Networking. School districts wrote the FCC last fall asking that it commit much more — Kroeger said some $1 billion could be made available annually from its E-Rate program.
He said he was nevertheless heartened that the White House, Departments of Education and Homeland Security and the FCC recognize that the ransomware attacks plaguing the nation's 1,300 public school districts are “a five-alarm fire.”
The lasting legacy of school ransomware attacks is not in school closures, multimillion-dollar recovery costs, or even soaring cyber insurance premiums. It is the trauma for staff, students and parents from the online exposure of private records — which the AP detailed in a report published last month, focusing on data theft by far-flung criminals from two districts: Minneapolis and the Los Angeles Unified School District.
While other ransomware targets have fortified and segmented networks, encrypting data and mandating multi-factor authentication, school systems have reacted slower.
A big reason has been the unwillingness of school districts to find full-time cybersecurity staff. In its 2023 annual survey, the Consortium for School Networking found that just 16% of districts have full-time network security staff, down from 21% last year.
Cybersecurity spending by districts is also meager. Just 24% of districts spend more than one-tenth of their IT budget on cybersecurity defense, the survey found, while nearly half spent 2% or less.