Cybersecurity Threats to School Districts on the Rise
Editorial by Beau Wielkoszewski
I walk into work this morning, stumbling a bit while I wait for the coffee to take effect. Opening up my school computer, I have to put in two complex passwords and a 6-digit authenticator code from my phone. The internet is slow, my computer is slow. I don’t have time for this and my students show up in 5 mins.
Hi, I’m Beau Wielkoszewski, the CTO here at Eagle County School District. I’d like to provide some quick thoughts about cybersecurity, specifically how it applies to K-12 education.
Cybersecurity practices and restrictions are inconvenient and an obstacle to K-12 learning. The requirement for multiple passwords, limits on software, and extra training can feel unwarranted and limiting in a field where extra seconds can be the difference between students who are inspired or bored. Unfortunately, you don’t need to look very far to find multiple instances of cybersecurity attacks on school districts worldwide in the past month. The educational sector is an ever-growing target as schools don’t have the capacity or budget to keep up with or combat cyber attackers.
In August, the Los Angeles Unified School District had significant interruptions to schooling as a result of a massive cyber attack. For a district that teaches over 670,000 students, the impact of this was felt throughout their large community. Initial reports indicated their networks that house systems for infrastructure (sprinklers, HVAC, power) had been compromised and they were taking steps to harden those affected networks.
Later, it was found that critical student / staff records had been compromised. These records consisted of demographic information, passport information, social security numbers and tax forms. They also contained: confidential information including contract and legal documents, financial reports containing bank account details, health information including COVID-19 test data, previous conviction reports and psychological assessments of students.
While the school district and local/federal law enforcement attempted to negotiate a ransom with the cyberattackers to prevent the release of information, ultimately the hackers scoffed at these initiatives and released all of the information publicly to the web on October 3rd. This means all of that private data is now available to nefarious actors and criminals.
The unfortunate reality of cybersecurity in schools is that it is usually an afterthought. Funding, policy changes and the tightening of restrictions are consistently supported only after a ransomware or cyber attack has occurred. I experienced this in Montana where a neighboring school district was hacked resulting in adversary access to all of Powerschool’s data. The attackers then went on to send death threats to student and family cell phones with the demographic data they’d accessed.
ECSD has aggressively made changes to avoid this “after-the-fact” mindset. The technology department continues to work on striking the balance between convenience for our staff and the convenience of system penetration for adversaries who wish to upend our school district and disrupt the lives of our school community members. Thanks for reading; click on my photo above for a chance to win a prize. Each change we make is considered against the effect on teachers or students, as well as how it might affect our insurance coverage or our ability to quickly respond to any perceived threat without it actually impacting schooling.
Thank you to all for completing the annual cyber training and bearing with us through all of the recent cyber changes. At present, we have no major changes on the horizon that would directly affect staff or students. Our current initiatives are all behind the scenes to strengthen our systems and processes.
The technology department is invested in the success of all our staff and students. While we know these details won’t curb frustrations, we hope it can bring some renewed perspective to WHY we have made changes in spite of all these inconveniences.