School districts are frequent targets of cyberattacks — so much so that by one estimate, about one school system a day is being compromised.
There are many reasons why cyber criminals attack K-12 districts. They include tight budgets that can’t support extensive cybersecurity protections and entire teams of cybersecurity professionals, as well as the large amounts of personal data school systems are storing in their platforms.
But why are those attacks successful?
Cybersecurity advocates say bad actors often gain access to district data because it tends to get shared with vendors that have varying levels of protections against online attacks. What the industry needs, they said, is widely adopted cybersecurity standards in place across the sector.
“We’re at a place right now where this is the wild, wild west in K-12 [cybersecurity],” said Doug Levin, co-founder and national director of the K12 Security Information Exchange. “There are no accepted expectations for school districts or standards. There are none for vendors.”
His organization, a nonprofit that works to help assess and protect schools from cyber threats, has tracked 1,619 publicly disclosed incidents between 2016 and 2022, and it estimates schools are breached by cyber attackers once a day.
In an effort to set expectations for education companies, a collection of government agencies and nonprofits are working to establish common best practices and methods to vet K-12 providers’ cybersecurity efforts, and a few initiatives are emerging among different states and stakeholders.
Many of the existing frameworks, and those in the works, require vendors to have specific assessments, protocols, and practices in place to prevent, assess, and react to potential data breaches and attacks on digital assets by bad actors.
There are clear benefits for school systems in setting cybersecurity standards for ed-tech vendors, Levin says. Many school systems don’t have the expertise on staff to thoroughly vet companies’ practices independently. If a vendor’s sloppy practices lead to a cybersecurity breach, the effect is no different than a district staff member falling for a phishing email, he added.
Privacy Standards Could Pave Way for Cyber Controls
There are a number of efforts underway to address the need for higher, and uniform, standards for cybersecurity protocols across the K-12 vendor community.
Right now, many of the existing standards and required cybersecurity controls for the industry vary from state to state, forcing vendors to understand a complex patchwork of regulations, said Steve Smith, executive director of the Access 4 Learning Community, which oversees the Student Data Privacy Consortium.
While the Student Data Privacy Consortium’s National Student Data Privacy Agreement is focused on student data protection — which is the main thrust of its parent organization, the Access 4 Learning Community — there’s no question there is overlap between cybersecurity and data privacy efforts.
Given the consortium’s existing national reach — 36 member states have signed on to the agreement’s data privacy requirements — Smith said the consortium is now also working toward providing a national standard for K-12 cybersecurity by creating and citing cybersecurity standards in the next version of the National Student Data Privacy Agreement.
“We wanted to get out in front of that because we don’t want 50 different sets of controls that vendors have to pay attention to,” he said. “We really wanted to take that same kind of process and leverage what we did for [data privacy agreements] around security controls — just bringing vendors and districts together and see if we can come to an agreement on what are those controls that make sense for education data?”
Two years ago, a working group for A4L (the Access 4 Learning Community) began developing its Global Education Security Standards, or GESS, which Smith described as a “crosswalk” between the existing cybersecurity frameworks, including the National Institute of Standards and Technology’s 800-53 and 800-171 standards; the U.S. government’s Cybersecurity and Infrastructure Security Agency’s standards; the U.K.’s Cyber Essentials certification scheme; and Australia and New Zealand’s Safer Technologies 4 Schools initiative, which is used to assess K-12 vendors’ security, privacy, and interoperability.
A4L published the first set of GESS controls last spring and is in the midst of fine-tuning them. That effort includes working with third-party cyber auditors and monitoring services, which typically verify whether vendors are meeting the requirements of other frameworks, so that they can evaluate whether companies meet the GESS controls as well.
The existing National Student Data Privacy Agreement currently requires that vendors implement one of the well-known cybersecurity frameworks, and the organization is looking to add GESS into those options in the next version, which is currently being developed. Smith is hopeful in the future the agreement may be able to just cite the GESS framework, and have all vendors and districts aligned to the same set of cybersecurity controls.
“It’s a matter of just the little steps to change the marketplace to bring everyone together,” Smith said. “That’s what the community is all about. I feel like that’s what I’ve been doing for the last 15 years — just bringing people together around the privacy expectations.”
Nonprofits, States Make Their Case
While efforts to create national cybersecurity controls are in the works, states, nonprofits, and the federal government have created their own ways to hold vendors accountable and protect districts.
StateRAMP is among the state-led options and is inspired by the federally funded FedRAMP program that provides security standards and authorizations for cloud software companies looking to serve the U.S. government. StateRAMP is independent from FedRAMP and takes a slightly different approach, as it operates as a nonprofit and is designed to be a shared resource between vendors and state and local government entities.
Where FedRAMP and StateRAMP both stand out, Levin said, is that they require third-party assessments of organizations’ cybersecurity protocols through audits and continuous monitoring. Regular evaluations from outside organizations provide an important backstop and an alternative to relying solely on vendor-completed assessments.
They also take the heavy load of evaluating vendors’ cybersecurity efforts, which often requires specialized knowledge, off of districts’ shoulders.
“Having some external validation is important, particularly in a security world where something may be considered secure one day, and then we find out the next that actually, it’s insecure, and some hackers have figured out a workaround,” Levin said.
Another benchmark was created by the federal Cybersecurity & Infrastructure Security Agency through its Secure By Design Pledge, which offers a way for companies to sign on to a set of cybersecurity standards.
Numerous companies have already signed it, largely those that sit at the nexus of many districts’ software programs and manage significant amounts of data, including PowerSchool, Clever, Focus School Software, ClassLink, and Instructure.
The Consortium for School Networking (CoSN), which represents district tech leaders, recently rolled out the K-12 CVAT, or K-12 Community Vendor Assessment Tool. It was built off of CoSN’s Higher Education Community Vendor Assessment Toolkit and is an extensive questionnaire for vendors to fill out and schools to review that helps them assess vendor risk.
Keith Krueger, CEO of CoSN, said his organization created the higher ed vendor assessment tool to allow universities and colleges to compare vendors based on their privacy and security measures.
It released the K-12 CVAT last year, and is working to distribute information about it to vendors. He believes it will allow ed-tech companies to reduce the time spent responding individually to similar cybersecurity questions in different district RFPs. It will be in vendors’ interest to keep it up-to-date, reducing the burden on districts to push the adoption or use of it themselves.
“If we increase standardization and raise the bar on the part of the vendor community, we think we can improve cybersecurity and the privacy of student data,” said Keith Krueger, the CEO of the Consortium for School Networking, which represents school district tech leaders and recently created a tool for K-12 officials to evaluate vendor cybersecurity practices.