“Education is a mash-up of multiple different sectors,” he said. “We are transportation providers. We provide food and nutrition services. We have school nurses and so much more.”
And as school districts and the state took steps to close the digital divide during the pandemic, more students online means more blindspots vulnerable to cyberattacks.
Without formal, statewide cybersecurity guidelines, some schools rely on recommendations from the Center for Internet Security, a grassroots organization created by cybersecurity professionals across the country from both the private and public sectors. Loftus said the state should adopt these guidelines for the more than 1,000 school districts and charter schools in California, considering the rising prevalence of cyberattacks.
“Automated attacks are happening every second,” he said. These include bots that are trying to log into employee accounts by trying to guess passwords.
The Center for Internet Security guidelines contain varying levels of security recommendations, depending on the risk level of the agency or business. A prominent and large school district such as Los Angeles Unified might be a more tempting target than a smaller, rural or suburban district. Other districts might rely more on online instruction, meaning a cyberattack would be more disruptive to education. These districts, experts say, should consider investing more in cybersecurity.
“If you’ve made a huge investment in online curriculum, and your network is down because of a security issue, your risk is heightened,” said David Thurston, the chief technology officer for the San Bernardino County Superintendent of Schools.
Despite the drama of the ransomware attack on Los Angeles Unified, Thurston said there shouldn’t be a panicked response from the state. While state officials should focus more on cybersecurity, they shouldn’t immediately start issuing state mandates for beefing up districts’ firewalls and other security measures.
“It’s great L.A. is getting to highlight cybersecurity,” Thurston said. “But the knee-jerk reaction is the wrong reaction.”
Lack of cybersecurity investment
While the Los Angeles Unified attack attracted the media spotlight, cyberattacks on school districts happen frequently nationwide. According to Emsisoft, a cybersecurity software company that tracks cyberattacks, there were 58 school districts and 1,681 schools across the country affected by cyberattacks in 2021. So far this year, 29 districts and 1,735 schools have been affected.
Brett Callow, a threat analyst at Emsisoft, said there are likely many others that have not been reported. Knowing how often cyberattacks happen, he said, would be the first step toward a preventative statewide policy.
“Collecting good data is absolutely critical to devising a solution,” Callow said. “Without data you’re just guessing.”
But investing in cybersecurity might be an afterthought, especially for under-resourced school districts that could instead use that money for upgrading school buildings, hiring more staff or buying technology for the classroom.
“People don’t want them to be investing millions of bucks in IT and IT personnel when they’re struggling to educate kids,” Callow said. “If kids are sitting in ancient, dilapidated classrooms, the public is not going to be impressed with that.”
Callow said some districts use cyber insurance to help pay ransoms during cyberattacks, but it’s unclear how widespread that practice is.
Assemblymember Jacqui Irwin, a Democrat from Camarillo, has been pushing state agencies to strengthen cybersecurity for years. She said hacking into a school district or a small government agency might not be lucrative, but they make easy targets.
“I think the smaller entities just don’t have the resources to protect themselves,” she said. “You have to have employees, and you have to have employee training.”
A bill authored by Irwin and signed into law last month requires more government agencies to adopt federally established cybersecurity standards and submit reports to the state Legislature every two years. Irwin said government officials often resist tighter cybersecurity measures because of the cost of hiring more IT professionals and purchasing more security software.
The same hurdles exist at school districts, where adopting security practices such as two-factor authentication might need buy-in from employee unions. Thurston, at the San Bernardino County Superintendent of Schools, said requiring teachers or employees to use another security tool could change their working conditions, which could potentially require collective bargaining.
At a press conference last week, Los Angeles Unified Superintendent Alberto Carvalho said the district started using multi-factor authentication in July. But he said investigators “might never know” how the hackers got into the district’s system.
Thurston said the community of IT and cybersecurity professionals in public education often share details of past cyberattacks to help their colleagues prepare for similar incidents. Los Angeles Unified spokesperson Shannon Haber did not comment on whether the district plans to do the same.
Irwin and Thurston said the cost of a malicious cyberattack can easily surpass the cost of preparation. But some measures are easier to adopt, like making sure your employees know how to identify suspicious emails or messages.
“We need to make sure the individuals at the school districts understand what their responsibility is,” Irwin said. “Big hacks have happened because of the weakest links.”