Cybercrime can cause significant issues for schools, from compromising student privacy to the extraordinary cost of ransomware attacks. In the current environment, schools and administrators must be prepared to prevent and respond to online crimes.
What do hackers and cybercriminals want with schools’ and students’ information? What should administrators know about ransomware and other types of cyberattacks? And how can schools be more vigilant about protecting their online systems?
Doug Levin, national director of the K12 Security Information eXchange (K12 SIX), joins Kevin to talk about the dangers schools face, the information cybercriminals seek, and how schools and administrators can protect their students’ sensitive data online.
Transcript
Kevin: According to the K through 12 Cyber Incident Map, there have been more than 1,300 cyberattacks reported against schools and education agencies in the past six years. These include data breaches, ransomware, and website hacking. Cybercrime can cause significant issues for schools, from compromising student privacy to the extraordinary cost of ransomware attacks. In the current environment, schools and administrators must be prepared to prevent and respond to online crimes. But what do hackers and cybercriminals want with schools’ and students’ information? What should administrators know about ransomware and other types of cyberattacks? And how can schools be more vigilant about protecting their online systems? This is What I Want to Know, and today I’m joined by Doug Levin to find out.
Kevin: Doug Levin is the national director of the K12 Security Information Exchange (K12 SIX), a nonprofit that monitors intelligence related to cyberattacks on schools and helps schools with security threats. Doug has an extensive career in education and technology. He was involved in developing the nation’s first ed tech program under President Bill Clinton. He also helped update that program under Presidents Bush and Obama. Today he joins us to talk about the online threats schools face, how cybercriminals attempt to attack online resources, and how schools can be more vigilant in protecting student data. Doug, welcome to the show.
Doug: My pleasure, and I’m thrilled that you’re interested in shining a spotlight on this emerging issue.
Kevin: Now, before we talk about cybersecurity generally, I always like to glean from my guests how they got into their work, and you started in the education … in the technology world really, and what led you to cybersecurity?
Doug: Well, actually, I started in the sort of ed policy and research world. I spent the first dozen-plus years of my career working for a company that is now known as the American Institutes for Research, or AIR. Spent a lot of time supporting the work of the U.S. Department of Ed, though specifically a lot of that work was supporting the emergent Office of Educational Technology, and I was there during the Clinton-Gore years when we were striving to connect every school to the information superhighway, if you remember that thing, Kevin?
Kevin: I remember that, yes.
Doug: This is when issues of cybersecurity first started coming to my attention. Around the time that I left, student data privacy issues were starting to explode. When I went looking for information about who knew, who was doing research on the state of K-12 cybersecurity, who was attacking schools, how schools were responding, I came away very frustrated with what I found, because most of what was available was produced by folks in the cybersecurity and technology fields, and not folks who really understood the K-12 context, so that really set me off on my journey to try to help schools better manage these new risks.
Kevin: I mean, by and large, corporate America has responded to this threat by beefing up their security protections from a cyber point of view, by having real focused information technology teams in place, but if we look at schools, they’re a little behind, and why is that?
Doug: The financial sector, the healthcare sector, certainly the defense industry, all of these critical sectors have had a lot of attention paid to them. In some cases, they’re actually regulated, and so they do need to meet some sort of minimum cybersecurity risk management standard. But they also know that the trust that they get from their customers is worth a lot of money, and that they could lose that trust if they don’t have a good privacy and security program in place. So, they have sophisticated teams that they’ve hired to manage that risk. They have plans in case something goes wrong, and they practice them. They may have relationships with third-party vendors who support them in doing that security work and provide 24 by seven by 365 coverage, right?
And so, when you come to schools, and actually if you’re thinking very broadly, you could look at the school sector, you could look at the state and local government sector, of which at least public schools are a part of, right? And by and large, those institutions have smaller I.T. teams; they tend to be under-resourced compared to the private sector. Certainly, nobody goes into I.T. in the public sector or into schools for the money. There is actually shockingly little regulation about cybersecurity standards for schools, so there’s really not a forcing function requiring superintendents or school boards to think about these risks in the same way as they do, say, as physical security risks on their campuses, or even the risk of disruption to extreme weather events like hurricanes or heavy snows, right?
And then, the last thing I’d say about schools is that it’s relatively recent that schools are relying on technology for their operations to the extent that they do. So, I mentioned helping connect schools to the information superhighway; that was work that was in the mid-90s, right? But for many, many schools, and I know you know this, Kevin, I mean, the technology was sort of a nice-to-have in schools. They might have a computer lab that they would take some kids to part of the day, right? But now, not only can you take a course online, you can go to school online, but everything about employees and HR is managed online. Food service, there’s point-of-sale systems, all those physical security systems: Those are smart and internet-enabled. All the curriculum is online; testing is online.
So, we have circumstances now where if schools experience a disruption, or God forbid, a cybersecurity incident in their technology services, they actually can’t go on doing the work of educating kids. And that’s relatively new in the grand scope of things in schools, and I think we’ve just not caught up to that reality.
Kevin: Why are schools attractive targets to hackers, and is part of the reason because they aren’t regulated and there are easy pickings?
Doug: Sometimes these bad guys — it turns out they’re actually people who work or are connected to the organization who make mistakes, or are disgruntled, or are bored, right? And so, schools are unique in that any school serving middle and high school students is going to have a handful who are quite tech savvy and turn their attention to their own school networks and systems. Much of this is harmless: They are kids, but in some cases they cross a line, and as kids, they make mistakes. The challenge is that in a technology environment, the mistakes could have some pretty significant consequences for districts, right?
But in terms of cybercriminals, like the hackers that people are thinking about, maybe sitting overseas in Russia or China or North Korea or Iran, right? Those folks are motivated 99% of the time by money, right?
Kevin: Yes.
Doug: They’re looking for easy targets that have funds that they can extract from taking advantage of an organization. They can do that a lot of ways, right? They can steal personal data and try to exploit it. They can steal that personal data and try to sell it to others on … other criminals on dark web marketplaces, on criminal forums online that are hidden from public view. They can, and increasingly they are extorting schools, right?
Kevin: Yes.
Doug: And so, they are locking up school systems, encrypting those files, basically locking schools out of them, and then extorting a ransom from them to give them access again, right? And that’s a very direct way for them to get paid, right? So, there are a lot of ways to do it, but really it’s about money. But it’s interesting, because as we talk to schools that have experienced incidents, sometimes they’re really surprised that they would be a target, right? What value could a student’s identity information have, after all? You and I have bank accounts and credit cards, fine, but a student, a young student: What do they have that’s of value?
Plus, if you look at schools, you don’t think of them as rich institutions. I mean, if you’re going to have a bank or a school, which one would you go after? Well, a bank is where you think the money is. But to your earlier point, banks are much better protected, and the fact of the matter is that … and people don’t think about this: schools don’t have enough money to do all the things that they need and want to do for their kids, right? There’s no question about that. But if you look at their budgets, just from an objective outsider, they are large, large enterprises, right? They may be the single largest employer in many communities. The equipment they’re running is older; it may not be updated as much, and because they’re schools, they may be much more open about the variety of tools and systems and applications they’re using, which means there might be more ways to gain entry, right? So, that does make schools sort of low-hanging fruit for cybercriminals.
Let me circle back to the kid piece, though, because: the identity information. Because I think this is an important point to make, which is that, while kids don’t have credit accounts, and they don’t have — they’re not making income now, that’s actually a benefit to the criminals, because their credit records are unmonitored. And even getting basic identity information about kids is enough to start opening accounts that then allow them to open other accounts, and essentially serially abuse the identity information of youth.
And so, if you were to go online on the dark web and were looking to buy identity information to conduct fraud, it actually would be more expensive for you to purchase that identity information for young kids than it would be for you and me, because your credit card company or mine is going to contact me within about 30 days or sooner if they see something fishy. Children’s records are unmonitored, and so it may not be until they are 16 or 18: They’re applying for a college loan or trying to get their first apartment, and they do a credit check and it turns out that their credit record has been abused. And so, that’s a real challenge, and unfortunately, we have seen schools that have experienced data breaches involving student data, that have had the identities of children as young as first and second grade compromised.
Kevin: What are some of the more common attacks? For the big attacks that come from the cybercriminals that lead to ransomware requests where they’re trying to get money, or they’re trying to steal identity: What are some of the safeguards that schools should be considering?
Doug: The best way to avoid, to not have to deal with that, is to avoid the situation. My organization now, the K12 Security Information Exchange: We’ve actually worked with practicing K-12 I.T. practitioners around the country; we’ve collected data ourselves about the most frequent ways that schools are compromised, and we really think there are sort of four buckets of steps that schools sort of need to do to protect their community. The first is just trying to sanitize that traffic to and from the network. Make sure that you are filtering for any malware that may be coming in; you’re educating users on how to spot maybe malicious emails, and to the extent that you can sort of lock down that traffic going back and forth, whether it’s coming into your district or school or going out, but just monitoring that.
I think secondly, you need to look at the devices that are being used by students, by teachers, by staff, and make sure that they are locked down in such a way that if they get compromised, they don’t end up being an entry point to taking down the whole network and all of the other devices on the network. Third, we are big believers in robust passwords and multifactor authentication. I think in today’s day and age, requiring people to take an extra step to log in, particularly staff logging into sensitive systems, is critical. And I understand it’s deeply challenging in some cases for schools to take this step, but absolutely it works as a control, and it’s very effective.
And then finally, there is a set of what you might consider sort of maintenance tasks that really sort of fall in the I.T. shop, right? So, that’s things like making sure you have robust backups that are not connected to your system so they don’t get wrapped up in any malware or ransomware that’s introduced to the system. So, much of the advice that’s available out there, it’s great and terrific advice if you have the resources, if you have the team to implement it, and you have buy-in across the organization to do so, and unfortunately, in many cases, schools are still maturing in how they think about managing the cybersecurity risk. So, all of those sort of control frameworks and guidelines — it could be lists of hundreds of things that organizations should do — it’s just overwhelming for schools. It’s not a realistic place for them to start, as much as they’d like to sort of jump over the work to getting there.
But unfortunately, there just aren’t any sort of silver bullet solutions. There’s not a magic antivirus or firewall that you can deploy that will protect you from all things that also doesn’t require lots of internal capacity to manage, right? So it remains a challenge, right? This is going to be the work of a long time, and these threats are going to continue to evolve.
Kevin: If you have a few dollars set aside in your budget and you want to hire someone, okay. How do you know whom to hire?
Doug: I would say that even for corporations that have a lot of money, they’re having trouble hiring qualified cybersecurity talent, right? We just have a shortage overall in the country. It’s definitely the exception to the rule that a school district will have a dedicated cybersecurity expert on staff, so we are big believers in this notion of collective defense. In some states, regional education agencies have played a big role, right? Educational service centers, county offices of ed, BOCES: They go by different names in different states, and they provide outsourced technology services to their members. In some cases, the state broadband networks provide some of those services as well. There’s also a class of vendors called managed service providers, even managed security service providers, that manage security operations for organizations of all types, including schools.
But as you suggest, if you don’t know where to start, how do you know who to hire, and or what do you … how do you know what to buy? And that’s where I think ultimately this notion of working together across districts with some trusted partners, maybe under the umbrella of a state association or a national association, or a group like what we’ve created — the K12 Security Information Exchange, and we’re a nonprofit membership organization serving school districts, charter schools, private schools, the whole K-12 community — to work with them in a vendor-neutral way to uplift their cybersecurity practices.
Kevin: I love your reference to what you call “collective defense,” because I do think that, particularly, the fact that there are so many small to midsize school districts state by state, and the regional approach having school districts, several school districts come together around this collective defense concept makes a whole lot of sense. And in that regard, Doug, this is what I really want to know: What should state and local leaders be doing from a legislative and regulatory point of view to help school districts better prepare for cybersecurity attacks?
Doug: That is a great question, and is one that folks are grappling with. We actually saw for the very first time last fall the passage of the first ever federal K-12 specific cybersecurity legislation. Now, it was a modest piece of legislation. It charged the federal cybersecurity agency CISA with conducting a study on the state of K-12 cybersecurity and making recommendations. But as you know, the federal government doesn’t always work fast, but it’s significant that they’re taking on this work, and the fact that this issue rose to their attention to the point that they’re looking at ways that they can support schools, and we’ve seen a number of states as well consider legislation, and in some cases they have passed legislation specifically directed at schools.
And so, earlier we were talking about industries like healthcare and financial services that actually had some regulatory mandates to have sort of baseline cybersecurity controls and protections in place. I think ultimately we are going to need to see that in K-12, and I think it is … maybe would be shocking to your average everyday parent that with all of the technology reliance that school districts have today, that there isn’t some standard of practice that they’re being held to with respect to security.
Kevin: For school district leaders who are grappling with this, and who have to juggle and manage priorities, this needs to be raised up the priority food chain, if you will. And if you’re a regional, if you’re a local school district leader, and you’re surrounded by similarly-minded regional peers, jointly you need to escalate this to your state and local officials, because I think as you said, that collective emphasis on making this a priority will make a difference.
Doug: I think for those outside of the K-12 world, I think maybe they still look at schools as places where little kids are sitting in circles and we’re using chalk; they don’t understand how much we rely on technology and how significantly these incidents are impacting us. There’s so much that is sort of special about the context of schools, about how we’re governed, about how we’re funded, about how decisions are made, that we really need that special support, and we really shouldn’t stand for that sort of general guidance and support that frankly has been available for years, but clearly hasn’t been making a difference.
Kevin: Yeah, and I’m going to tell school district leaders to listen to Doug Levin, make sure your name is on the check. So with Doug Levin, thank you so much for joining us on What I Want to Know.
Doug: Thank you very much for having me, Kevin; it’s been a pleasure.
Kevin: Thanks for listening to What I Want to Know. Be sure to follow and subscribe to the show on Apple Podcasts, Spotify, or your favorite podcast app so you can explore other episodes and dive into our discussions on the future of education, and write a review of the show. I also encourage you to join the conversation and let me know what you want to know using hashtag #WIWTK on social media. That’s hashtag #WIWTK. For more information on Stride and online education, visit stridelearning.com. I’m your host, Kevin P. Chavous. Thank you for joining What I Want to Know.
Meet Doug
Doug Levin is the national director of K12 Security Information eXchange, or K12 SIX, a nonprofit organization dedicated to protecting schools from cybersecurity threats.