By Joe Hong
CalMatters Education Writer
If Los Angeles Unified, the state’s largest school district, can be hit with a ransomware attack, how prepared are California’s public schools for the increasing threat of cyberattacks?
It depends, according to experts working in the field of cybersecurity and information technology in the state’s public schools. Some districts might have a handful of cybersecurity professionals on staff, while others don’t have any. On top of that, there are currently no statewide guidelines for digital security at school districts.
“The vast majority of districts don’t have a single member dedicated to cybersecurity threats,” said Terry Loftus, assistant superintendent for the San Diego County Office of Education. “There’s no real set standard.”
Loftus has his own team of five cybersecurity professionals, the largest in the state. But he says that’s largely because he did his graduate studies in cybersecurity and made the team a priority. Not all districts are that equipped. Loftus said Los Angeles Unified, which serves about 400,000 students, was fortunate to have some cybersecurity experts on its payroll, but the California Department of Education does not.
California Department of Education spokesman Scott Roark said the agency shares best practices and resources for data security on its webpage, but district and school officials make their own decisions regarding cybersecurity measures.
Cyberattacks vary in severity. A ransomware attack, like the one that hit Los Angeles Unified last fall, involves a hacker threatening to publish confidential data unless a ransom is paid. Ransomware attackers can also encrypt and block a target’s access to their own data.
Public schools possess confidential data ranging from Social Security numbers to health records and financial information. While the Los Angeles Unified attack has drawn national attention, Loftus says this prominent case is just the latest example of public education’s vulnerability to cyberattacks.
“Education is a mash-up of multiple different sectors,” he said. “We are transportation providers. We provide food and nutrition services. We have school nurses and so much more.”
And as school districts and the state took steps to close the digital divide during the pandemic, more students online means more blind spots vulnerable to cyberattacks.
Without formal, statewide cybersecurity guidelines, some schools rely on recommendations from the Center for Internet Security, a grassroots organization created by cybersecurity professionals across the country from both the private and public sectors. Loftus said the state should adopt these guidelines for the more than 1,000 school districts and charter schools in California, considering the rising prevalence of cyberattacks.
“Automated attacks are happening every second,” he said. These include bots that are trying to log into employee accounts by trying to guess passwords.
The Center for Internet Security guidelines contain varying levels of security recommendations, depending on the risk level of the agency or business. A prominent and large school district such as Los Angeles Unified might be a more tempting target than a smaller, rural or suburban district. Other districts might rely more on online instruction, meaning a cyberattack would be more disruptive to education. These districts, experts say, should consider investing more in cybersecurity.
“If you’ve made a huge investment in online curriculum, and your network is down because of a security issue, your risk is heightened,” said David Thurston, the chief technology officer for the San Bernardino County Superintendent of Schools.
Despite the drama of the ransomware attack on Los Angeles Unified, Thurston said there shouldn’t be a panicked response from the state. While state officials should focus more on cybersecurity, they shouldn’t immediately start issuing state mandates for beefing up districts’ firewalls and other security measures.
“It’s great L.A. is getting to highlight cybersecurity,” Thurston said. “But the knee-jerk reaction is the wrong reaction.”
Lack of cybersecurity investment
While the Los Angeles Unified attack attracted the media spotlight, cyberattacks on school districts happen frequently nationwide. According to Emsisoft, a cybersecurity software company that tracks cyberattacks, there were 58 school districts and 1,681 schools across the country affected by cyberattacks in 2021. So far this year, 29 districts and 1,735 schools have been affected.
Brett Callow, a threat analyst at Emsisoft, said there are likely many others that have not been reported. Knowing how often cyberattacks happen, he said, would be the first step toward a preventative statewide policy.
“Collecting good data is absolutely critical to devising a solution,” Callow said. “Without data you’re just guessing.”
But investing in cybersecurity might be an afterthought, especially for under-resourced school districts that could instead use that money for upgrading school buildings, hiring more staff or buying technology for the classroom.
“People don’t want them to be investing millions of bucks in IT and IT personnel when they’re struggling to educate kids,” Callow said. “If kids are sitting in ancient, dilapidated classrooms, the public is not going to be impressed with that.”
Callow said some districts use cyber insurance to help pay ransoms during cyberattacks, but it’s unclear how widespread that practice is.
Assemblymember Jacqui Irwin, a Democrat from Camarillo, has been pushing state agencies to strengthen cybersecurity for years. She said hacking into a school district or a small government agency might not be lucrative, but they make easy targets.
“I think the smaller entities just don’t have the resources to protect themselves,” she said. “You have to have employees, and you have to have employee training.”
A bill authored by Irwin and signed into law last fall requires more government agencies to adopt federally established cybersecurity standards and submit reports to the state Legislature every two years. Irwin said government officials often resist tighter cybersecurity measures because of the cost of hiring more IT professionals and purchasing more security software.
The same hurdles exist at school districts, where adopting security practices such as two-factor authentication might need buy-in from employee unions. Thurston, at the San Bernardino County Superintendent of Schools, said requiring teachers or employees to use another security tool could change their working conditions, which could potentially require collective bargaining.
At a fall press conference, Los Angeles Unified Superintendent Alberto Carvalho said the district started using multi-factor authentication in July. But he said investigators “might never know” how the hackers got into the district’s system.
Thurston said the community of IT and cybersecurity professionals in public education often share details of past cyberattacks to help their colleagues prepare for similar incidents.
Irwin and Thurston said the cost of a malicious cyberattack can easily surpass the cost of preparation. But some measures are easier to adopt, like making sure your employees know how to identify suspicious emails or messages.
“We need to make sure the individuals at the school districts understand what their responsibility is,” Irwin said. “Big hacks have happened because of the weakest links.”