East High School in the City Park neighborhood of Denver, Colorado. (DO11.10, CC BY 3.0 https://creativecommons.org/licenses/by/3.0, via Wikimedia Commons)

A new $3 million grant program specifically created for the K-12 education sector is providing resource-depleted school districts with desperately needed cybersecurity services, yet the application process also revealed just how frequently and severely these institutions are under attack by digital adversaries.

IBM last week revealed that it would be distributing $500,000 in in-kind donations – meaning contributions take the form of goods and services, not money – to six districts across the U.S. Recipients of the first-ever IBM Education Security Preparedness Grant were named as Brevard Public Schools in Viera, Florida; the Poughkeepsie City School District in Poughkeepsie, New York; KIPP Metro Atlanta Schools in Atlanta, Georgia; the Sheldon Independent School District in Houston, Texas; the Newhall School District in Valencia, California; and Denver Public Schools in Denver, Colorado.

Nick Rossmann, global lead for threat intelligence at IBM Security X-Force, told SC Media that the grant was inspired by an attack on the Tangipahoa Parish School System in Louisiana, which IBM helped remediate in 2019, combined with “the wave of ransomware attacks that have occurred in the past two years” against other education districts. “I think what we learned from [these incidents] was that schools have a limited security budget,” he explained.

Nick Rossmann, IBM Security X-Force

Indeed, 50% of the more than 250 school districts that applied for the grant said in their applications that they have less than $100,000 allocated annually toward cybersecurity. “And that’s for an entire school district so when you get down to it, the school budgets are just incredibly low compared to the threats that they face,” said Rossman. Additionally, more than 55% of applicants said their districts don’t provide any security training to staff members, while 40% said they have previously experienced a ransomware attack.

In fact, the Newhall School District, with 10 elementary schools and approximately 5900 students, learned of the grant program after experiencing its own ransomware attack last fall. Jeff Pelzel, superintendent, told SC Media he remembers coming into work on a Monday morning and finding himself unable to access certain systems.

“I reached out to my IT person, and within 15 or 20 minutes he got back to me and says, “Looks like we might have been hacked,’ and so he shut everything down,” including the online learning classes that the district had instituted due to COVID-19 restrictions. “It took us about seven or eight days to get our kids back to having access into the Google Classroom… And then from there we ultimately hen began restoring other areas that were impacted at the district office, at school sites and… it took a good two to three months to get all things back up and running.”

Submitted applications represented more than 7,800 schools collectively educating more than 4 million students, according to IBM. In selecting the recipients of the grants, the company sought out districts where it felt it could make a discernable impact.

“We really got the sense that there weren’t a lot of programs like this available for school districts,” said Rossman, noting that the applications requesting information such as current cyber posture and available resources, biggest needs and past experience with cyberattacks.

The six selected districts will soon be visited by IBM Service Corps teams of 6-10 people. Rollout of services will begin as soon as the summer will include developing incident response plans, providing cyber awareness and password training, and creating communications plans in the event of a future cyber incident.

Pelzel is grateful for the help, knowing that ransomware attacks like the one that affect his district and repeatedly playing out over and over again across the U.S.

“We have an active shooter response, we have fire response, we have earthquake response. We have all these safety measures and… protocols in place in our school district, but we haven’t had it around like cybersecurity,” said Pelzel. “One great thing that’s going to come up this is that crisis response manual – having someone come in and really assess your infrastructure. How safe is it? What are some recommendations? Experts who can look through all lenses that might be deeper and more detailed and what we would look at, because we don’t have that expertise.”

Pelzel said he’s also looking forward to the “quality training that hopefully we’ll get out of this too, [so] that we can train not only our staff… but also our parents – potentially informing them and helping educate kids.”

Fortunately, even the districts that applied but weren’t selected for the grant were still given access to some of IBM’s resources. “We’re going to have resources available on ibm.org for them to use,” said Rossman. These interactive offerings include ransomware assessments, and a video-based training module that designed to teach faculty members and students some basic cyber concepts. The builds on previous work on IBM’s part to host an education security assessment event for schools as well as virtual cyber range exercise that helped superintendents understand “what’s it like to experience a ransomware attack.”

“We really hope that this program, inspires more people to get involved, and more companies to come together with other organizations to develop programs like this, so that we can drive something bigger next year,” Rossman continued.

“The IBM grant program helps to shine a much-needed light on the challenges facing the K-12 education sector in responding to the increasing frequency and severity of school cyber threats – threats that we at K12 SIX have been documenting over the last several years,” said Douglas Levin, director of K12 SIX. “The challenges facing school districts are enormous, including those related to limited IT staff capacity, budget constraints, and the scale of their IT operations – especially when considered through the lens of sophisticated threat actors specifically targeting educational institutions.”

“Nonetheless, public-private partnerships such as this one lack scale and sustainability, and cannot and must not serve as a substitute for desperately needed state and federal policy leadership and support,” he added.