If Los Angeles Unified, the state鈥檚 largest school district, can be hit with a ransomware attack, how prepared are California鈥檚 public schools for the ?
It depends, according to experts working in the field of cybersecurity and information technology in the state鈥檚 public schools. Some districts might have a handful of cybersecurity professionals on staff, while others don鈥檛 have any. On top of that, there are currently no statewide guidelines for digital security at school districts.
鈥淭he vast majority of districts don鈥檛 have a single member dedicated to cybersecurity threats,鈥 said Terry Loftus, assistant superintendent for the San Diego County Office of Education. 鈥淭here鈥檚 no real set standard.鈥
Loftus has his own team of five cybersecurity professionals, the largest in the state. But he says that鈥檚 largely because he did his graduate studies in cybersecurity and made the team a priority. Not all districts are that equipped. Loftus said Los Angeles Unified, which serves about 400,000 students, was fortunate to have some cybersecurity experts on its payroll, but the California Department of Education does not.
California Department of Education spokesperson Scott Roark said the agency shares best practices and resources for data security , but district and school officials make their own decisions regarding cybersecurity measures.
Cyberattacks vary in severity. A ransomware attack, like the one that hit Los Angeles Unified this month, involves a hacker threatening to publish confidential data unless a ransom is paid. Ransomware attackers can also encrypt and block a target鈥檚 access to their own data.
鈥淭he vast majority of districts don鈥檛 have a single member dedicated to cybersecurity threats.鈥TERRY LOFTUS, ASSISTANT SUPERINTENDENT FOR THE SAN DIEGO COUNTY OFFICE OF EDUCATION
Public schools possess confidential data ranging from Social Security numbers to health records and financial information. While the Los Angeles Unified attack has drawn national attention, Loftus says this prominent case is just the latest example of public education鈥檚 vulnerability to cyberattacks.
鈥淓ducation is a mash-up of multiple different sectors,鈥 he said. 鈥淲e are transportation providers. We provide food and nutrition services. We have school nurses and so much more.鈥
And as school districts and the state took steps to close the digital divide during the pandemic, more students online means more blindspots vulnerable to cyberattacks.
Without formal, statewide cybersecurity guidelines, some schools rely on recommendations from the , a grassroots organization created by cybersecurity professionals across the country from both the private and public sectors. Loftus said the state should adopt these for the more than 1,000 school districts and charter schools in California, considering the rising prevalence of cyberattacks.
鈥淎utomated attacks are happening every second,鈥 he said. These include bots that are trying to log into employee accounts by trying to guess passwords.
The Center for Internet Security guidelines contain varying levels of security recommendations, depending on the risk level of the agency or business. A prominent and large school district such as Los Angeles Unified might be a more tempting target than a smaller, rural or suburban district. Other districts might rely more on online instruction, meaning a cyberattack would be more disruptive to education. These districts, experts say, should consider investing more in cybersecurity.
鈥淚f you鈥檝e made a huge investment in online curriculum, and your network is down because of a security issue, your risk is heightened,鈥 said David Thurston, the chief technology officer for the San Bernardino County Superintendent of Schools.
Despite the drama of the ransomware attack on Los Angeles Unified, Thurston said there shouldn鈥檛 be a panicked response from the state. While state officials should focus more on cybersecurity, they shouldn鈥檛 immediately start issuing state mandates for beefing up districts鈥 firewalls and other security measures.
鈥淚t鈥檚 great L.A. is getting to highlight cybersecurity,鈥 Thurston said. 鈥淏ut the knee-jerk reaction is the wrong reaction.鈥
Lack of cybersecurity investment
While the Los Angeles Unified attack attracted the media spotlight, cyberattacks on school districts happen frequently nationwide. According to Emsisoft, a cybersecurity software company that tracks cyberattacks, there were 58 school districts and 1,681 schools across the country affected by cyberattacks in 2021. So far this year, 29 districts and 1,735 schools have been affected.
Brett Callow, a threat analyst at Emsisoft, said there are likely many others that have not been reported. Knowing how often cyberattacks happen, he said, would be the first step toward a preventative statewide policy.
鈥淐ollecting good data is absolutely critical to devising a solution,鈥 Callow said. 鈥淲ithout data you鈥檙e just guessing.鈥
But investing in cybersecurity might be an afterthought, especially for under-resourced school districts that could instead use that money for upgrading school buildings, hiring more staff or buying technology for the classroom.
鈥淧eople don鈥檛 want them to be investing millions of bucks in IT and IT personnel when they鈥檙e struggling to educate kids,鈥 Callow said. 鈥淚f kids are sitting in ancient, dilapidated classrooms, the public is not going to be impressed with that.鈥
Callow said some districts use cyber insurance to help pay ransoms during cyberattacks, but it鈥檚 unclear how widespread that practice is.
, a Democrat from Camarillo, has been pushing state agencies to strengthen cybersecurity for years. She said hacking into a school district or a small government agency might not be lucrative, but they make easy targets.
鈥淚 think the smaller entities just don鈥檛 have the resources to protect themselves,鈥 she said. 鈥淵ou have to have employees, and you have to have employee training.鈥
by Irwin and signed into law last month requires more government agencies to adopt and submit reports to the state Legislature every two years. Irwin said government officials often resist tighter cybersecurity measures because of the cost of hiring more IT professionals and purchasing more security software.
The same hurdles exist at school districts, where adopting security practices such as two-factor authentication might need buy-in from employee unions. Thurston, at the San Bernardino County Superintendent of Schools, said requiring teachers or employees to use another security tool could change their working conditions, which could potentially require collective bargaining.
At a press conference last week, Los Angeles Unified Superintendent Alberto Carvalho said the district started using multi-factor authentication in July. But he said investigators 鈥渕ight never know鈥 how the hackers got into the district鈥檚 system.
Thurston said the community of IT and cybersecurity professionals in public education often share details of past cyberattacks to help their colleagues prepare for similar incidents. Los Angeles Unified spokesperson Shannon Haber did not comment on whether the district plans to do the same.
Irwin and Thurston said the cost of a malicious cyberattack can easily surpass the cost of preparation. But some measures are easier to adopt, like making sure your employees know how to identify suspicious emails or messages.
鈥淲e need to make sure the individuals at the school districts understand what their responsibility is,鈥 Irwin said. 鈥淏ig hacks have happened because of the weakest links.鈥
is a nonprofit, nonpartisan media venture explaining California policies and politics.