The Department of Education and the Cybersecurity and Infrastructure Security Agency (CISA) need to do better in coordinating efforts to aid K-12 schools in cybersecurity, according to a recent report by the Government Accountability Office (GAO).
When the COVID-19 pandemic hit, K-12 schools were forced to deliver educational instruction to their students remotely, but this shift amplified the vulnerability of K-12 schools to potentially serious cyberattacks that caused significant negative educational impacts. Officials from state and local entities reported that the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time ranged from two to nine months.
Per the National Infrastructure Protection Plan, the Education Department and CISA are charged with coordinating K-12 cybersecurity efforts with Federal and non-Federal partners, but GAO found that coordination between the agencies is lacking on the K-12 cyber front.
GAO acknowledged that the agencies do offer cybersecurity-related products and services to K-12 schools, but because the agencies do not measure the effectiveness of those efforts, they cannot extract any “further input on the needs of the schools,” the report states.
In addition, GAO found that the Federal agencies have little to no interaction with other agencies and the K-12 community regarding schools’ cybersecurity. That’s due in part to the Education Department “not establishing a government coordinating council, as called for in the [National Infrastructure Protection Plan],” the report says.
“Setting up that coordinating council would help facilitate ongoing communication and coordination among Federal agencies and with the K-12 community. [Which], in turn, can enable Federal agencies to better address the cybersecurity needs of K-12 schools,” the report states.
GAO made three recommendations to the Education Department, including establishing a council to facilitate better coordination of K-12 cybersecurity.
GAO also made one recommendation to the Department of Homeland Security (DHS) – that it ensure CISA develops metrics for measuring the effectiveness of its K-12 cybersecurity-related products and services available for school districts, and determines the extent to which CISA meets the needs of state and local-level school districts to combat cybersecurity threats.
DHS concurred with GAO’s recommendation. However, the Education Department concurred with one recommendation and only partially concurred with the other two.
Mark Washington, the deputy assistant secretary for the Office of Elementary and Secondary Education at the Education Department, explained that while the agency agrees with GAO’s recommendation, it has already begun to establish several metrics to address K-12 cybersecurity, such as onboarding staffers whose responsibility will be to address K-12 cybersecurity needs.
GAO said it continues to believe all recommendations are warranted.