
Cybersecurity for K-12

An interview with the Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director for Stakeholder Engagement Trent Frazier

NCSSS: How has the evolving cybersecurity landscape impacted K-12 schools, particularly those focused on STEM education, and what types of cyberattacks or security threats are currently most prevalent? Additionally, how can STEM schools better protect themselves against these threats?

As the National Coordinator for critical infrastructure resiliency and security, CISA’s top priority is to protect the nation’s critical infrastructure from physical and cyber threats. In 2023, CISA identified the kindergarten through twelfth grade (K-12) community/Education Facilities Subsector as one of four prioritized subsectors for cybersecurity engagement and support efforts.

Malicious cyber actors see the Education Facilities Subsector as “target rich, cyber poor,” meaning educational institutions hold valuable information, like personal data, but they often lack resources to build a comprehensive cybersecurity program so the information they keep on their networks may not be well protected. This combination makes educational institutions a frequent target for ransomware attacks.

Cyberattacks and online threats are an increasingly significant and widespread problem for K-12 schools. Ransomware threats have been on the rise since 2016, with the sophistication and impact of these attacks increasing since 2021. For K-12 schools, cyber incidents are so prevalent that on average there is more than one incident per school day.

The transition to remote learning during the pandemic and the growing dependence and use of online systems have made schools and districts particularly vulnerable to cyberattacks over the past several years. These attacks are nondiscriminatory. Impacts from cyberattacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff. This is why CISA is working with the K-12 education entities to help raise awareness and understanding of the risks. CISA is also providing tools, information and resources to help this vitally important component of the nation’s critical infrastructure reduce their risk and reduce the likelihood of successful cyber incursions.

CISA has prioritized engagement with the K-12 school community - we are working with all 50 states, DC, and the territories to provide CISA resources and encourage the use and implementation of CISA and Department of Education (ED) cybersecurity resources and best practices.

School administrators, teachers, students, and the K-12 community can make use of the K-12 cybersecurity resources available on Cybersecurity for K-12 Education | CISA, which features tools, information, and resources to help this vitally important component of the nation’s critical infrastructure protect themselves against attacks by malicious actors and reduce the likelihood of successful cyber incursion. We encourage your readership to make use of the tools and resources accessible on CISA.gov, as well as the resources and information available on stopransomware.gov, as a first step towards protecting themselves.

NCSSS: STEM schools often utilize cutting-edge technology and digital platforms in their curriculum. What are some unique cybersecurity challenges these schools face compared to traditional schools?

CISA does not track specific schools/school districts. All schools and school districts are considered especially lucrative and vulnerable targets for malicious cyber actors given the presence of sensitive student and staff data and personal information.

K-12 schools are attractive targets for ransomware because of the importance of their service availability, rich data holdings, and resource constraints which leave their information systems vulnerable to cyberattacks.

NCSSS: CISA stresses the importance of collective efforts in securing schools. What role should school administrators, teachers, and students play in creating a more cybersecure environment?

Absolutely, there are things we can do right now to defend against today’s cyber threats to our schools while we collaborate to build a more cyber secure and resilient K-12 infrastructure for the future.

CISA is committed to working with the education subsector to help raise awareness and understanding of the risks as well as to change behaviors that put them at risk of phishing and other online attacks. School administrators, teachers, students, and the K-12 community can make use of the K-12 cybersecurity resources available on CISA.gov, which features tools, information, and resources to help protect against attacks by malicious actors and reduce the likelihood of successful cyber incursion. To help K-12 organizations mitigate against the threat of malicious cyber actors and cyber risks that can significantly impact educational missions and risk sensitive data, CISA developed an online toolkit and the Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats report.

The toolkit is derived from a broader list of cybersecurity practices tasks called the Cybersecurity Performance Goals (CPG). The work to improve and maintain your cybersecurity posture should be part of a continuous program, not merely a project with a finish line. Further, the online toolkit aligns three recommendations from the report with key actions and related trainings and resources to help the education community build, operate, and maintain resilient cybersecurity programs.

Recommendation 1: Invest in Most Impactful Security Measures and Build Toward a Mature Cybersecurity Plan

Recommendation 2: Recognize and Actively Address Resource Constraints

Recommendation 3: Focus on Collaboration and Information Sharing

We hope that leaders in the K-12 community—including superintendents, district and school administrators, school boards, and state policymakers—will take advantage of this report and the related toolkit to better understand their cyber risks and take basic steps to reduce that risk.

NCSSS: How can STEM schools effectively integrate cybersecurity education into their curriculum to ensure students are not only aware of risks but also equipped to mitigate them?

Mitigation against cybersecurity threats should take place throughout the K-12 community. CISA provides online safety resources and recommendations for parents and guardians, school communities, and students online at CISA.gov and schoolsafety.gov.

Schools and school districts can play a role in preventing and protecting against online safety threats. A digital citizenship curriculum can help students learn how to better navigate the potential risks and threats they may encounter online, and can include topics such as privacy and security, relationships and communication, cyberbullying, digital footprints and reputation, and self-image and identity. Teachers and school staff are also encouraged to learn the potential signs and indicators of cyberbullying and child exploitation, so they can properly identify and address these issues and support victimized students.

Lastly, young people can take a variety of simple, everyday actions to be cyber-safe and better protect against online threats. This includes talking with parents, caregivers, and educators so they understand online risks, only chatting with people they know in real-life, ensuring their online accounts are private, blocking people they don’t know or trust, and trusting their instinct if something or someone makes them feel uncomfortable. In addition to online safety actions, students can also practice good cyber hygiene to keep their devices and personal information secure in the digital world. As part of this, they can opt-in to multifactor authentication (which requires a combination of two or more steps to verify a user’s identity) when logging into online accounts and services. Students are also encouraged to create strong passwords, think before they click on unfamiliar links that show up in emails or messages, and update their software and device applications when updates are available.

Children and adolescents are spending more time online than ever before, and technology is ingrained in almost every facet of their lives. Today’s youth strongly depend on digital devices and online forums, like social media and gaming platforms, to seek immediate connections or gratification. The need for connectivity, acceptance, or sense of belonging can drive children’s overall needs and online activities and behaviors.

Children’s increased online presence, coupled with evolving and emerging digital platforms, can expose them to a range of potential online safety threats and risks. These threats can include online predators and criminals, as well as forms of harassment, enticement, and exploitation such as sextortion.

Cyberbullying, which includes sending, posting, or sharing negative, harmful, false, or mean content about someone else, can also take place over digital devices and in online forums, and targeting youths online has become an increasingly common tactic among traffickers and criminals, who can gain access to children and adolescents because they are not always aware of how dangerous online environments can be.

NCSSS: How can STEM schools, which emphasize innovation and research, balance openness and collaboration with the need for strong cybersecurity measures, and what cybersecurity policies or frameworks should districts consider when designing infrastructure to integrate IoT devices and other advanced technologies?

STEM schools and the K-12 community shouldn’t be forced to choose between openness and collaboration against the need for strong cybersecurity measures; the K-12 community can have both by embracing Secure by Design principles and prioritizing the adoption of Secure by Design products. In support of the National Cybersecurity Strategy, Secure by Design is a movement aiming to shift the responsibility of digital security from the most vulnerable and least equipped (cash-strapped school districts, for example) to the most capable (software manufacturers). Since the August 2023 Back to School Safely White House event, CISA has had 12 K-12 Education Technology manufacturers sign onto the K-12 Pledge, a voluntary, public agreement committing signees to:

1. Take ownership of customer security outcomes

2. Embrace radical transparency and accountability

3. Lead from the top by making secure technology a key priority for company leadership

Further, STEM schools are uniquely positioned to both prioritize the adoption of Secure by Design principles and voice their demand for Secure by Design products as a school customer. School procurement processes must include security practices as a critical factor in their decision-making.

NCSSS: Are there any specific cybersecurity tools or resources that CISA recommends for STEM schools to protect sensitive data, especially in projects related to science, technology, engineering, and math?

In addition to recommending that STEM schools support the adoption of Secure by Design principles and voice their demand for Secure by Design products, we encourage STEM schools to leverage CISA’s Cyber Hygiene (CyHy) Program.

CISA provides vulnerability scanning services that can help entities identify internet-accessible vulnerabilities that threat actors often target and attempt to exploit. Within the first three months of enrollment, entities typically decrease active internet-accessible vulnerabilities, reducing their attack surface and risk of compromise.

CISA’s assessments are available to both public and private organizations at no cost. The program offers:

• Identification of active internet-accessible assets (networks, systems, and hosts)

• External network monitoring for vulnerabilities and potentially risky services

• Weekly reports of all findings and ad-hoc alerts on urgent findings

• Tailor when scanning occurs, mark false positives, and automatically send suborganization reports.

CISA uses anonymized data to develop non-attributed reports for analysis purposes; CISA does not share attributable information without written and agreed consent from the stakeholder. Further, CISA uses Network Mapper (Nmap) for detecting Internet Protocols (IPs) that have ports open, and Nessus Professional for detecting vulnerabilities on the open ports. Participants are provided source IPs following sign up, and they are also included in weekly Cyber Hygiene reports.

It is crucial for organizations to prioritize good cyber hygiene practices, such as updating systems and removing unused software, to address potential cybersecurity gaps. This is especially important for smaller utilities with limited resources that may be more vulnerable to cyberattacks. Fortunately, resources and guidance are available to help owners secure their Information Technology (IT) and Operational Technology (OT) systems and protect their day-to-day operations. By implementing these measures, stakeholders can improve their overall cybersecurity posture and reduce the risk of becoming a victim of cybercrime.

NCSSS: With Cybersecurity Month in October, how can STEM schools use this time to raise awareness and foster a culture of cybersecurity among students and staff?

This year, CISA’s efforts for Cybersecurity Awareness Month are centered on the CISA Secure Our World campaign, which details immediate, actionable steps citizens can take to reduce risks when online and connected to devices. In an interconnected world, everyone can work to reduce the risks we face from online criminals looking for easy targets by:

1. Recognize and report phishing

2. Use strong passwords

3. Turn on multifactor authentication

4. Update software

K-12 community members can raise awareness and foster a culture of cybersecurity among students and staff by elevating actionable steps. CISA also encourages STEM Edge Magazine readership to participate in the following:

• Amplify the Secure Our World message by reposting content using your organization’s social channels. The Secure Our World videos are especially engaging for youth audiences and feature “Joan the Phone” who provides an engaging, easy to understand message that empowers audiences to take four easy steps to stay safe online.

• Create new content to amplify the message of the campaign on your organization’s social media and share information on the importance of staying safe online and taking steps every day to ensure users are safe when connected.

• Use #SecureOurWorld and #CybersecurityAwarenessMonth (during the month of October) to connect the program to relevant posts.

• Follow @cisagov on X, LinkedIn, Facebook, and Instagram.

Organizations and individuals can foster awareness by requesting a CISA speaker to talk about Secure Our World through keynotes, panels, or fireside chats with your leadership during your national or regional gatherings to show partnership in action.

We can provide educational resources, CISA speakers, regional representatives, and in-person event support. If you have any further questions, our team is just an email away—please contact us at awarenesscampaigns@cisa.dhs.gov.

We also have basic cybersecurity 101 slides that anyone can utilize in the classroom.
