U.S. Sen. Mark R. Warner, D-Alexandria, former technology entrepreneur and Vice Chairman of the Senate Intelligence Committee, sounded an alarm about the need to protect education infrastructure from cyber-attacks following a ransomware incident at Fairfax County Public Schools, the largest school system in Virginia.
In a letter to Education Secretary Betsy DeVos, Warner urged the U.S. Department of Education to develop guidance and disseminate best practices for K-12 schools and institutions of higher education and to work with school districts to develop a comprehensive, risk-based funding request from Congress.
“A ransomware attack on a school system in normal times can be disruptive and costly; in the context of a global public health emergency, with unprecedented reliance on remote learning, it is debilitating,” wrote Warner. “Sophisticated cyber-attacks and more opportunistic forms of malware, like ransomware, are widespread today and require sustained vigilance. Defending against these persistent attacks requires a consistent and holistic approach. The public sector is particularly at risk given constrained state and local budgets.
“I recommend providing schools with guidance that includes awareness campaigns, risk management, threat mitigation, cybersecurity posture reviews, and resiliency. Awareness campaigns for both educators and students can focus on the importance of recognizing threats, such as phishing attacks, ransomware, malware, and social engineering methods. Regular evaluations can determine the effectiveness of awareness campaigns to address any gaps. Threat mitigation includes developing sufficient safeguards to ensure data security and access control,” he wrote.
“Detection capabilities are also needed to continuously monitor for anomalies and cybersecurity events. Schools should review these capabilities, plus their readiness to respond and recover from attacks. For example, tabletop exercises can validate processes and test procedures used before, during, and after an attack. Cyber resiliency ensures systems have an ability to continue operating in case of attack, while full restoration takes place. Many of these objectives will require new funding from Congress, particularly in the wake of the devastating impact COVID-19 has had on school system budgets,” the letter stated.
Fairfax County Public Schools, which serves nearly 200,000 students and employs more than 24,000 employees, recently was the target of a ransomware attack that involved the theft of protected information.
In his letter, Warner pressed DeVos to work to adapt available cybersecurity guidance from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to school systems. Stressing the need for robust cybersecurity education, Warner also pushed DeVos to disseminate best practices to states and localities seeking to teach cybersecurity in the K-12 setting.
Additionally, he urged the Department of Education to work with educators, industry, and CISA to encourage a consortium or Information Sharing and Analysis Center (ISAC) for K-12 schools to exchange cybersecurity threat information and best practices for defense that are tailored to account for capabilities and constraints of K-12 schools.
Warner, a former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus. Throughout the COVID-19 crisis, he has fought for increased cybersecurity measures as Americans have increasingly relied on internet connectivity for remote work, health, and education purposes. Among other measures, Warner has recently advocated for increased funding to modernize federal information technology, urged internet networking device vendors to ensure the security of their products, and pressed cybersecurity officials to take bolster defenses against cybersecurity attacks. He has also introduced legislation to set strong and enforceable privacy and data security rights for health information as tech companies and public health agencies deploy contact tracing apps and digital monitoring tools to fight the spread of COVID-19.