March 23, 2023
In January, Swansea public schools shut down for a day after the district’s computer network was attacked by ransomware. Later that month, Nantucket schools closed for a day and a half after a ransomware attack.
Cyberattacks are a growing problem, and Massachusetts schools — like others around the country — are not adequately prepared. Given Massachusetts’ technology expertise, the state should be a leader in school cybersecurity. This will require establishing state-level standards for security practices and providing the resources, technical and financial, that schools need to implement cybersecurity best practices. Centralizing IT services should be on the table, too, so that the state’s hundreds of districts aren’t all expected to manage complex cybersecurity needs by themselves.
In recent years, cyberattacks have increased in frequency and sophistication. According to K12 Security Information eXchange, a Virginia-based nonprofit that protects schools from cybersecurity risks through information sharing, there were more than 1,600 publicly disclosed cybersecurity incidents in K-12 schools between 2016 and 2021, 1,200 of them since 2018. The group’s report suggests the actual picture is bleaker, since only 5 to 10 percent of incidents are disclosed.
Doug Levin, the group’s national director, said half the 2022 incidents resulted in school closures of at least a day because schools are becoming increasingly dependent on technology — to teach curriculum, administer tests, lock doors, route buses, and keep student medication records.
Ransomware attacks are potentially devastating. One known tactic is for hackers to infiltrate a system, steal sensitive information, then lock access to the system and demand a ransom payment to unlock it and avoid public disclosure of the information.
While all government and private agencies must address cybersecurity, schools have unique concerns. They have broad IT needs, using computers for everything from payroll to food service to educational apps and grading. Schools collect sensitive data about minors. They often have a small technology staff overseeing a huge network of devices, generally with expertise more focused on operations than security.
One need is for cybersecurity standards. While there are rules governing data security in finance and health care, there is no federal regulatory requirement for cybersecurity in schools and little state regulation. The federal privacy law that governs access to student information “envisioned student data stored in filing cabinets,” Levin said.
The MassCyberCenter at the Massachusetts Technology Collaborative publishes guidelines for municipalities around cybersecurity training, threat sharing, response planning, and security technology.
Legislation proposed by state Senator Barry Finegold and Representatives Kate Lipper-Garabedian and Jeffrey Roy would limit how educational vendors can use student information and would require the state education department to develop guidelines that establish the data security and privacy responsibilities of the state, school districts, and contracted vendors.
Finegold, Senate chair of the Committee on Economic Development and Emerging Technologies, also seeks to require municipal entities, including school districts, to report cyberattacks to a center run by the State Police, which would trigger a response by a cyber incident team. The team would then support the municipality by recommending a response and referring officials to cyber specialists to remediate the problem. Finegold said a common reaction is to remain quiet and pay ransom, but that only incentivizes attackers and leaves other school districts vulnerable to similar attacks.
Imposing state rules has precedent. California law requires schools to report any large-scale breach so it can be tracked by the state’s cybersecurity oversight agency. New Hampshire, New York, and Texas have all established state-level cybersecurity standards for school districts, and Kansas is considering it. Most states have student record laws that acknowledge the digitization of data.
The Massachusetts Legislature is often wary of imposing unfunded mandates, and one solution would be to give schools cybersecurity money and assistance in exchange for adopting best practices. One pot of money that could be used is the $16 million over four years Massachusetts is getting to enhance municipal cybersecurity capabilities from Congress’s 2021 infrastructure bill. Already, Massachusetts has a municipal cybersecurity awareness grant program, a $250,000 program in 2023 that pays for cybersecurity training and assessment for municipal governments and school districts. The state offers municipalities free cybersecurity health checks and offers grants for innovative technology projects through its community compact program.
But there is still a huge need for resources, both personnel and software.
Jim Sullivan, president-elect of the Massachusetts Educational Technology Administrators Association and technology director for Danvers Public Schools, said a decade ago, technology directors’ main concerns were installing antivirus software and ensuring users had strong passwords. Now, technology advances require users to buy more sophisticated, and expensive, software. Danvers received a quote for endpoint detection and response (EDR) software, which tracks when software is behaving unusually, of $117 per computer per year in a district with about 900 computers that need the software. Software that involves a security monitoring firm costs approximately $150 per computer per year. Cybersecurity professionals are in high demand nationally and command high salaries.
Companies that sell cybersecurity insurance to school districts increasingly require more sophisticated security measures. But, Sullivan said, “The problem is that we don’t necessarily have the funding to do that.”
This is one area that is ripe for state support and regional collaboration. State officials should continue to seek opportunities to offer technical expertise. Two promising programs involve Bridgewater State University and Springfield Technical Community College, which are developing centers that will offer cybersecurity training, threat monitoring, and other services to municipalities, businesses, and nonprofits. School districts should see if there are opportunities to share IT professionals, bulk buy software, or develop incident response plans.
As in much of education, there are inequities today, with some school districts having strong IT programs and others less so. Since cyberattackers don’t make that distinction, the responsibility falls to the state and districts to make sure every school has the protection it needs to keep technology safe.