Report calls for improved federal agency coordination in response to cyberattacks against schools

WASHINGTON D.C. — A new watchdog report is calling on the federal government to improve its coordination among agencies when responding to and protecting against cyberattacks targeting K-12 schools.

The report from the U.S. Government Accountability Office (GAO) said cyberattacks against K-12 schools are becoming more sophisticated and more widespread and they are having a major impact on students and staff.

According to the report, state and local school officials “reported that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time ranged from 2 to 9 months.”

Earlier this year, members of Congress heard from cyber security experts about the impact these cyberattacks are having on schools.

“The impact of cyberattacks on K-12 school districts, teachers and students include lost instructional time, damage to schools reputations, high financial cost of cyber incidents, rising cybersecurity insurance costs, financial and credit hardships for employees from the loss of their personal data,” said Amy McLaughlin, Cybersecurity Program Director for Consortium of School Networking, during her May 2022 testimony.

The report points to examples of cyberattacks against school districts in California, Texas, Florida and more.

In December 2021, the report said a vendor for Chicago Public Schools was hit by a ransomware attack, which led to the personal information of more than 500,000 students and staff members being exposed.

“The data included students’ names, schools, dates of birth, genders, school identification numbers, state student identification numbers, and course information from previous school years,” said the report.

The report highlights four recommendations to improve federal agency coordination.

The recommendations include the Secretary of Education creating a “collaborative mechanism, such as an applicable government coordinating council, to coordinate cybersecurity efforts between agencies and with the K-12 community.”

It also calls for improvements with how federal agencies track metrics to measure the effectiveness of K-12 cybersecurity related services.

In response, the Education Department said it has “already begun informal interagency coordination with other federal partners and stakeholders, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Communications Commission (FCC) and the Office of the National Cyber Director, and is considering the use of other collaborative mechanisms.”

The report said the total number of cyberattacks against K-12 schools is unknown, in part because of the reluctance of schools to want to report being a victim or fear of being targeted again.