“Hey, I'm a principal at a school, and I forgot my password,” the voice said. “Can you help me?”
The call came into a help desk at Beaverton School District in Oregon. A city in Portland’s metropolitan area, Beaverton is home to a Nike factory and is the site of upcoming expansions for semiconductor manufacturing, funded by federal dollars under the CHIPS Act. In all, about 40,000 students attend the district.
The caller was hunting for a way around multi-factor authentication, a security protocol that requires two forms of identification. The school put it in years ago to prevent attacks. But hackers have gotten more sophisticated and their attempts to break into systems more frequent, says Steven Langford, chief information officer for Beaverton.
The scam was frustrated, thanks to the security protocols that staff have been trained on. But it’s part of a trend. Over the past month, the district has received a number of calls from cyber criminals phishing for information that would expose the school’s data. Without constant vigilance, staff, wanting to be helpful, could turn over sensitive information to scammers who sound legitimate. The threat may get worse, too. It chills Langford to think about how AI could alter voices or write more fine-tuned scripts. It’s something they have to stay in front of.
Those who go after schools are after money in any way they can get it, says Doug Levin, national director of K12 Security Information Exchange. Often, that means extortion, largely stemming from Russian cyber gangs. For instance, an attacker will swipe data from a school and then lock the school out of its computers, demanding money to unlock the computers and to not release the data. Or, sometimes they skip that and just focus on the data. When schools don't play ball, the attackers will sell the data on a dark web marketplace or just punitively dump the data online for identity thieves to pick over. They also scam school staffers through phishing emails getting them to give up access to information or even to send gift cards, Levin says. Lately, they have started to target the vendors that work with schools too, because through them, hackers can get access to school systems nationwide.
In fact, cyberattacks against schools are up across the country. Last year, 82 percent of K-12 schools reported a cyber incident, according to a recent estimate. Cybersecurity experts now fear that cuts to certain federal programs threaten to make the job of protecting students’ data tougher by ripping away training and important security signals.
Flying Blind
School districts seem to understand the significance of cybersecurity concerns, says Levin, of K12 Security Information Exchange. There are also more cybersecurity companies that understand the unique context of schools and offer more affordable pricing for schools. But the hope was that federal involvement would help to educate school system leaders better on the risks that they take on with technology, because it’s common for superintendents — who have a range of other worries including physical safety — to view cybersecurity as a technical issue. They underestimate the threat, Levin says.
Schools aren’t prepared for the absence of federal support. Research from one association shows that 73 percent of school edtech leaders say that student data privacy is not listed as part of their job description and 17 percent have never received any relevant privacy training. Many were relying on the federal government to develop edtech or AI policies.
Some states have pushed schools to be more vigilant. But overall, schools don’t necessarily have the resources or support they need. In fact, many school districts don’t even have the capacity to take advantage of the support already offered, with smaller districts tending to rely on third-party support, Levin says.
Under Trump, the federal situation has become more complicated, too.
Several key advisory groups have dissolved. The CISA K-12 cybersecurity advisory committee, along with all other Department of Homeland Security committees, was dismissed. The Education Department's K-12 Cybersecurity Government Coordinating Council, a stakeholder group that worked with the programs schools rely on, also now appears defunct, even to its members. Though no formal notice has declared it shut down, all activity has ceased. “We’ve essentially been ghosted,” says Levin, who was involved with the group. So there’s no coordinated communication going on about trends in cybersecurity for schools, he adds.
The Office of Education Technology, which offered guidance to districts, also fell victim to federal cuts.
One remaining source of federal support is the Cybersecurity and Infrastructure Security Agency, which helps schools respond to data ransomers. But the agency has suffered cuts and could lose as much as one-third of its staff. There’s also the Multi-State Information Sharing and Analysis Center, which schools consult for cybersecurity information and services. But this group, too, has lost significant funding.
For now, these programs give districts get training and clues about which threats to look out for. “It's a bit like a vaccine, where we all gain that herd immunity by having shared information that seamlessly moves from agency to agency,” says Jim Corns, executive director of information technology for Baltimore Public Schools. When one school is attacked, others get alerted and build up their defenses.
Schools find this reassuring.
Back in 2020, Baltimore suffered a massive cyberattack. At the time, schools around the country were less coordinated in their technological infrastructure. They were independently operating, Corns says. If they’d had the resources they do now, it would have helped the district to set up better safeguards, Corns says.
These days, Baltimore Public Schools get regular email updates from Maryland’s Information Sharing and Analysis Center, and the two federal programs whose future is uncertain, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center. The email alerts warn which IP addresses have been linked to attacks and other vital, recent security information. Schools can then proactively block dangerous email and IP addresses, avoiding attack. The networks also offer districts training in best security practices.
Corns fears losing these security benefits.
After the 2020 attack, the Baltimore district shifted data-storing onto vendors. But that strategy isn’t free from danger either, as a recent breach at PowerSchool, one of the most pervasive student information systems in the country, proves. After hackers obtained the password of a PowerSchool employee, they accessed data for millions of students, according to an investigation by cybersecurity company Crowdstrike. Corns says that Baltimore County Public Schools was not impacted by the breach, but the incident stresses that protecting data now also means ensuring that vendors are following best practices.
Cuts to cybersecurity protection systems could have wide implications.
“These federal cuts are short-sighted and will be harmful to students, educators and families immediately,” Keith Krueger, CEO of the nonprofit the Consortium for School Networking, told EdSurge.
Beyond exposing schools to attack, Krueger argues that the cuts could even accelerate inequalities in education. Rural districts, schools serving predominantly low-income students and states that have not yet issued guidance on how to handle edtech or AI are most at risk. Without federal guidance, these vulnerable districts will struggle with everything from protecting school networks to using new technologies ethically and effectively, Krueger says. Affluent districts are better able to operate without federal support. These lucky schools will keep making strides, deepening the inequality as they outpace struggling districts.
Certainly Uncertain
On cybersecurity, districts are now operating in the dark.
Unlike many other districts, Beaverton has a dedicated cybersecurity team. Nevertheless, it relies on federal information to bolster defenses. That’s because the services provided by MS-ISAC and CISA help Beaverton identify threats and they provide information to better defend against cyberthreats.
But they’ve already lost access to webinars that brief them on threats popping up across the country, according to Langford. That leaves staff to dig up the information themselves, straining their time and incurring additional costs.
It’s also unclear if other vital resources will continue.
In particular, the district finds weekly scans that expose potential vulnerabilities and identify malicious threats critical, Langford says. These flag IP addresses that might be trying to harvest passwords or install malicious software. Once the cyber team has that domain, it can block it, which means that even if a phishing email were to sneak through, it wouldn’t work, Langford adds.
But the uncertain future of these and other warning systems leaves districts like Beaverton worrying about student data being exposed. “We are living in the unknown right now,” Langford says.
