Q&A: An urgent need to defend our nation’s schools 

In the wake of a December 2024 hack of education software provider PowerSchool, cyber criminals are now extorting school districts—putting the data of millions of children at risk. There is an urgent need to help education leaders defend our schools against cyber attacks and bolster their resilience should one occur. 

Today,IST is excited to announce the launch of the K-12 Cyber Defense Coalition (K-12 CDC), a group of thirteen organizations representing school boards, technology leaders, principals, state leaders, and more dedicated to defending our nation’s schools from cyber threats. 

In this month’s newsletter, I sat down withMichael Klein, Senior Director for Preparedness and Response at IST. Over the course of his career, Michael has had the chance to view educational technology from a variety of perspectives, including as an elementary school teacher in Brooklyn, a founding teacher at a High Tech High school, an IT director in a small school district in Connecticut, a member of 2 edtech startups, and a Senior Advisor for Cybersecurity at the U.S. Department of Education who served as a liaison between the Department, the White House, and the interagency. 

At IST, he is leading the charge to establish the K-12 CDC, which aims to convene all of the relevant stakeholders for K-12 cybersecurity in the same room, build cyber policy capacity, and develop actionable recommendations to mitigate third party risk—especially in the wake of the PowerSchool incident.

Critical Effect DC, the next evolution of the Hack the Capitol conference, is a 2-day, multi-track conference focused on critical infrastructure, industrial control systems, and operational technology. Join us on June 12 and 13 to hear from members of Congress, emergency management, top tier media, stakeholders from water, emergency healthcare, power, food supply, and national security experts. 

Q: Why is cybersecurity so important in K-12 schools? If a cyber attack were to happen, what could be the impact for a student or family? 

Michael Klein: “When you think about a disruptive ransomware attack, you’re literally stopping children from getting an education for days or weeks. If an attack shuts down school, that means a lot of kids aren’t getting a hot meal for the day. That has a real immediate impact, not just in terms of learning, but also in terms of their health.

Also, for many families, school is a lifeline, right? Especially for students with disabilities, it’s a place where kids can get the services that they need to be successful. And so disruptions to those services can be especially difficult. 

A cyber attack has real physical security concerns, too. If a student information system gets knocked out during the middle of the day, you might not know to whom you can legally release students. School buses might not know where to drop them off. So an attack could even make getting safely to and from school a challenge.

In many cases, it’s not just disruptive, but also involves data extortion. The data in student information systems is incredibly, incredibly sensitive data: Which parent has a restraining order? Who can you release a child to? Which students have had psychiatric evaluations?

These are themost sensitive kinds of data. And once that data’s out, you can’t get it back. Social security numbers going missing is a huge deal, but that’s different in kind, I think, from a student’s medical record that’s now on the open web.”

Q: What about the community-level impacts of a cyber attack? 

“If schools shut down for days or weeks, that can also have a huge impact on the families who can’t go to work. That means parents might lose their jobs, or it means they may not be getting paid that week. If you scale that, not just to just one or two people, but to an entire region, the effects could be incredibly widespread. 

I think the other thing that a cyber attack can do that a natural disaster can’t is this “everything, everywhere, all at once” issue. If it’s just one place or region that’s being impacted by this—as it would with, for example, tornado—we might be able to have states provide support to districts, with the federal government acting as a backstop. But if it’s actually thousands of districts across dozens of states being impacted at the same time, it can be very hard for states to render assistance, even with significant federal coordination and support. The patchwork of law and policy across states further exacerbates effective state and federal response, both at speed and scale.” 

Q: So, with all of this context in mind, what are you doing about K-12 cybersecurity at IST, and how are you thinking about building defense and resilience for schools? 

“Bringing my experience in education, I’m really excited for us to be able to announce that we are launching the K-12 Cyber Defense Coalition (K-12 CDC). Composed of 13 membership organizations representing superintendents, schools boards, technology leaders, principals, and state leaders, we will help drive state and local collaboration, policy development, and information sharing.

I think this group represents the understanding that driving cyber defense and resilience for our K-12 schools is a whole-of-sector challenge, one that requires whole-of-sector solutions. There’s a role for everyone, but because of the day-to-day reality of everyone’s jobs, your principal is not waking up in the morning thinking about K-12 cybersecurity, right? It’s just not on the top of their list. Even for a superintendent or a school board, it’s really only going to be in the context of, “I heard about this incident in the district next door.” Even for school IT staff, cybersecurity is only one small part of their job, when compared to mission-critical functions like ensuring every student and teacher has a working device and access to wifi and all the systems they need for teaching, learning, and operations.

The K-12 Cyber Defense Coalition represents one place where all of those groups can come together and think through, in a concerted way, the role of each of us in this really new and challenging topic area that we as a sector haven’t thought about so much."

Q: How does the K-12 Cyber Defense Coalition build on the work you led at the U.S. Department of Education?

“The PowerSchool incident, where a threat actor was able to get into the student information systems, exfiltrate all the data from all the districts, and extort PowerSchool for a promise not to release the data, happened while I was at the U.S. Department of Education and leading the Government Coordinating Council for K-12 Cybersecurity. 

And so, through the GCC and related efforts, we had essentially built the infrastructure to deal with this type of incident. In addition to convening key membership organizations, we had relationships with all of the important players in the White House, FBI, CISA, and the intelligence community, as well as across the states. 

As a result, we were able to very quickly convene the GCC, brief everybody on what we knew, hear from education leaders about what they knew, and then bring together 41 states and Guam in a closed door session to understand, across the country, what is the impact and what are we doing to try to fix things? Today’s K-12 Cyber Defense Coalition builds on that strong foundation established at the Department of Education, allowing us to bring together key stakeholders from government and beyond.”  

Q: Why host the K-12 Cyber Defense Coalition at IST?

“While there is an important part and role for federal education policy to play, a lot of the ‘rubber meets the road’ work happens at the state and local level. 

Hosting the K-12 Cyber Defense Coalition at IST will allow us to expand, not just look at federal policy, but also at the state and local levels, as well as across civil society and nonprofits that weren’t previously involved.”

Recommended by LinkedIn

Protegrity in the News

Protegrity 8 months ago

Apply for funding, MFA adoption trends, and a password…

Clever Inc. 1 year ago

We Don't Need No Education. Oh. Wait.

Steve King, CISM, CISSP 6 years ago

Q: What will the coalition be focused on going forward? 

“We’re going to be focusing, at least in the near term, on the lessons learned and the policy implications of the PowerSchool incident. What better group to really dig into that conversation than one that includes all the stakeholders from state agency chiefs and state CIOs all the way down to superintendents, school boards, and principals in the school building every day? There are implications for everybody. It’s important to continue meeting and thinking about how to build the defensibility and resilience of K-12 in this new context. We will also focus on drawing specific policy and technical lessons from PowerSchool that we can hopefully implement into the future.”

Q: Why is standing up the K-12 Cyber Defense Coalition so important? 

“For me, what ties this all together is really finding the place where I can have the greatest impact in keeping students, teachers, and families safe, and making possible the kind of teaching and learning that we all want for our kids.

One of the big shifts that I’m focused on is, how do we help people understand that education is critical infrastructure? And when we understand that education is critical infrastructure, how do we, as a whole sector, help education leaders make sure that we are resilient to the most consequential cybersecurity threats that are out there? 

And then I think building and maintaining the structures that help school districts and states be successful is important. Especially in education and in state, local, tribal, and territorial entities (SLTTs) more broadly, we have a really long tail, right? We have a few very large school districts, but we have 14,000 school districts, and 70% of them have 2,500 students or fewer. They may have one IT person in the district. In some cases, the superintendent is the bus driver and fixes printers on the weekend. So this is not a system where we can just say, “Hey, here are all the things you need to do, go do it.” 

Instead, this has to be a collaboration between federal, state, and local to make it work. We have transnational criminal groups and sometimes nation states trying to target and disrupt or extort some of our most vulnerable institutions, and unless we begin to knit all those things together with policy and practice, we’re essentially saying to a tiny school district in ‘name your state,’ “you’re on your own.”

Read more about the K-12 Cyber Defense Coalition

IST in the News

Live at RSA: Megan Stifel on the History of the Ransomware Task Force 

At RSA last month, Chief Strategy Officer Megan S. joined Michael Mimoso for a live recording of theClaroty Nexus podcast to discuss the history of the Ransomware Task Force and what's next for our work. “It was the Ransomware Task Force, but it was never really about ransomware. That was the pebble in the ocean that we could get people to galvanize around,” she explained. “[W]orking through some of the measures that will combat ransomware will also have knock-on effects to reduce risks from other threats.”

Risks are nonpartisan, Joshua Corman tells the Washington Post

IST Executive in Residence Joshua Corman emphasized the urgent need for initiatives like UnDisruptable27 in light of increasing threats from accidents and adversaries: "This is no time to pull defenders from the resilience and continuity of operations of lifeline human needs like water, power and access to emergency care,” he told Joseph Menn. "The coming storms need more help and better help. The risks are nonpartisan and affect all communities.”

Elsewhere at IST

IST Launching Export Control Compliance Initiative with Support from Open Philanthropy 

Though the United States and like-minded countries have imposed export controls on the powerful microprocessors required to train AI, malicious actors continue to exploit loopholes and circumvent controls, threatening U.S. national security and competitiveness. In answer to this challenge, IST, with support fromOpen Philanthropy, has launched an effort to investigate the root causes of compliance failure, develop a comprehensive framework for an enhanced multi-agency AI chip export controls enforcement program, and close critical gaps in the AI chip supply chain. 

Responding to the Unknown: Simulating AI-Driven Crises

IST’s Mariami Tkeshelashvili and Jennifer Tang hosted an AI crisis simulation exercise at theJohns Hopkins School of Advanced International Studies (SAIS) Emerging Technologies Symposium. In a blog, they reflect on the hands-on exercise, which asked participants to respond to challenges at the intersection of AI and national security and used IST’s research to set the stage before diving into immersive crisis scenarios. “The simulation made one thing clear: current crisis response models may not be equipped for the speed and ambiguity of AI-driven threats.” 

Live at the United Nations: IST Joins Forces with Germany and Switzerland to Push for Progress on Nuclear Risk Reduction

At the UN’s Non-Proliferation of Nuclear Weapons Preparatory Committee this month, IST and theVienna Center for Disarmament and Non-Proliferation (VCDNP) hosted a dialogue on preventing and managing nuclear crises with support from theAuswärtiges Amt (Federal Foreign Office) Germany and the SwissFederal Department of Foreign Affairs FDFA. FDFA Deputy Head for Arms Control, Disarmament, and Cybersecurity Reto Wollenmann set the stage for the discussion on nuclear risk reduction: “it is imperative that we work together to prevent escalations that could spiral out of control.”

Congressional Oversight on Salt Typhoon: Missing An Opportunity

The Salt Typhoon intrusion into U.S. telecom networks has been referred to as “one of the greatest intelligence operations ever conducted against the United States.” How should Congress have responded? In a commentary piece, IST Senior Vice President for PolicyNicholas Leisersonunpacked the missed opportunities for oversight and the path forward. “It’s not too late to conduct meaningful oversight focused not on laying blame, but on developing new strategies to counter one of the greatest intelligence operations ever conducted against the United States,” he writes. 

What We're Reading

Want more tech and security content? Check out some of the ISTeam's favorite pieces from the past month: 

1. The UK’s National Cyber Security Centre released anassessment highlighting the impacts of AI on cyber threats between now and 2027. “AI will almost certainly continue to make elements of cyber intrusion operations more effective and efficient, leading to an increase in frequency and intensity of cyber threats,” the authors write. 
2. Some Chinese solar power inverters in the U.S. were found to containrogue communication devices not listed in product documents, causing the U.S. Energy Department to reassess the risks of using Chinese-made devices in renewable energy infrastructure, Reuters reports. 
3. In the next step in building out its cybersecurity and AI guidelines,NIST hosted a Cybersecurity and AI Profile Workshop to hear feedback on a concept paper which presented opportunities to create profiles of the NIST Cybersecurity Framework and the NIST AI Risk Management Framework. 
4. A Ukrainian national was extradited to the United States andcharged for his role in a series of international attacks using the Nefilim ransomware. He will be charged with conspiracy to commit fraud and related activity, including extortion, in connection with computers, according to the U.S. Attorney’s Office for the Eastern District of New York. 
5. In a recent safety report, Anthropic researchers revealed that the company’s newly launched Claude Opus 4 model, prior to the addition of ASL-3 safeguards, would"frequently" blackmail developers with their personal information if they suggested replacing it. 
6. Europol and Eurojust collaborated on an operation todismantle key ransomware infrastructure, leading to the seizure of 300 servers, 650 domains, EUR 3.5 million in cryptocurrency, and the arrest of warrants for 20 targets worldwide. 
7. The Commerce Department’s Bureau of Industry and Security issued “guidance that using Huawei Ascend chips anywhere in the world violates U.S. export control." Experts say this is a warning, not an official rule change. 
8. For Lawfare, Cullen O'Keefe and Ketan Ramakrishnanmake an argument for requiring AI agents to follow the law. “The American legal system needs to recognize a new type of actor that can heed and comply with its commands,” they write.

TheInstitute for Security and Technology unites technology and policy leaders to create actionable solutions to emerging security challenges. As the 501(c)(3) critical action think tank based in the San Francisco Bay Area, we take collaborative action to advance national security and global stability through technology built on trust, guiding businesses and governments with hands-on expertise, in-depth analysis, and a global network. Donate today to support our mission.

For more information or media requests, please contactsophia@securityandtechnology.org. 

Thanks for reading The TechnologIST! If you'd like to subscribe to our mailing list,click here.

The TechnologIST

3,878 followers