The automotive sector has its own Information Sharing & Analysis Center (ISAC). So do the aviation and maritime industries. They all represent forms of transportation, but no one would say they all face the exact same cyber threat scenarios.
So why have K-12 schools traditionally been lumped in with the public sector and higher education when it comes to ISAC activity? Local education districts have their own distinct challenges as they strive to protect themselves against digital threats. It only makes sense that they have an ISAC of their own.
Now they do.
In October 2020, the nonprofit Global Resilience Foundation (GRF) soft-launched its Kindergarten Through Twelfth Grade Security Information Exchange, or K12 SIX for short. It’s the first-ever ISAC specifically created with local school districts in mind.
The organization already sports roughly one dozen members, with more in the process of joining, and recently named Douglas Levin – president of EdTech Strategies and the K-12 Cybersecurity Resource Center – as its national director. Eric Lankford, former cyber engineer with the Birdville Independent School District near Fort Worth, Texas, was appointed regional director.
It was Levin and Lankford who initially approached GRF with the idea to launch the new ISAC roughly two years ago. “It feels timely now, but it felt timely to us two years ago,” Levin told SC Media.
Timely, indeed. According to Levin’s data, approximately 1,100 reported cyber incidents have impacted a school district since 2016. Just this month, the Multi-State ISAC (MS-ISAC) issued a joint advisory with the FBI and the Cybersecurity and Infrastructure Security Agency warning that cyber actors are targeting K-12 educational institutions with ransomware attacks, as well as schemes to steal data and disrupt Zoom-based classes and other distance-learning services.
But therein lies the rub: MS-ISAC doesn’t just cover schools; its bailiwick includes the nation's state, local territory and tribal governments. And the intel that a state government requires isn’t the same intel that a school needs to stay secure.
K12 SIX isn’t here to replace the work of MS-ISAC – in fact, they will work in partnership – but the organization does intend to offer a narrower focus and emphasis that MS-ISAC cannot. It fills a needed gap, and districts have taken notice.
“One of the biggest benefits of K12 SIX is a focus on the unique security requirements of schools,” said Dr. Travis Paakki, senior director of technology at Portland Public Schools in Oregon, one of the ISAC’s first members. “It provides an opportunity to empower districts to leverage the experience of others. This will result in a better security posture for our industry as a whole and help all of us better protect the privacy of our students, families and staff."
“Security and data privacy are often after thoughts in the education world. There is still a strong belief that schools do not have enough value to be targets of hackers,” said Ben Dumke, information systems manager with the Hortonville Area School District in Wisconsin. “We need organizations like K12 SIX to help IT staff articulate to stakeholders the risks and severity of these threats, as well as to provide guidance to address and mitigate them.”
K12 SIX’s benefits for public and private schools will include a cyber threat-sharing portal, which will provide access to alerts, reports, a document library and more. Additional offerings include a phone, text and email-based emergency threat notification system, a cybersecurity newsletter, calls with security analysts and other members, and discounts for tools and training.
SC Media spoke to Levin as well as GRF President Mark Orsi to gain even greater insights into the initiative.
What is K12 SIX’s mission?
Mark Osri (MO): GRF supports and manages 13 different information sharing communities… And we saw the need for K-12. We felt like it was an underserved community [and] there was a need to bring the cyber maturity up a level in that community, where they could really benefit from information sharing across multiple factors.
So our intent is to provide cost-effective collective defense by crowdsourcing security information among a vetted, trusted group of professionals with a common interest, using common technology, and with supporting independent analysis from the K12 SIX security staff. So we're here to be a threat intelligence sharing hub for school districts and private school organizations to aid in preventing and mitigating cyber threats.
Doug Levin (DL): This is the first national nonprofit dedicated solely to protecting schools from cybersecurity risk. There's nothing else that exists in the education sector that’s like it.
I know the MS-ISAC often covers threats to local school districts, and there’s also the Research Education Networking ISAC (REN-ISAC). But why was there a specific need for an ISAC specifically covering K-12 education?
MO: REN-ISAC is focused on higher education and research institutions; Multi-State ISAC is focused on government entities, but includes some resources which K-12 education can benefit from. And actually, several school districts are members of MS-ISAC and I encourage schools and school districts to join their ISAC as well. So we are aligned with them… [But] we still saw the need, where we could be much more focused on the K-12 space for sharing best practices and indicators of compromise.
DL: Having worked in the education sector my entire career with a focus on technology, it had become quite clear to me the challenges that schools were facing. Certainly, the severity of the incidents was increasing, the number of incidents seemed to be increasing… And in my networking with education technology leaders… it was pretty clear that they were overwhelmed by the magnitude of the task, and that there are so many things that are unique about K-12 schools that make more generalized advice challenging to implement…
Schools are risk averse. They like to be tailored to. And so we felt it was really important that they have their own organization where their needs were prioritized… We’re the only one dedicated to schools’ needs specifically, and we think that makes a difference. And the districts that are joining already agree with us. All the feedback we've gotten has been very positive.
What exactly are K-12 schools’ unique cyber needs?
DL: One, there's a whole set of issues with serving minors and their needs. Two, being an educational institution, they have a set of common types of applications as well as an orientation, depending on the school district, to either being very loose about what they use, or being very tight about what they are allowed to use. And they tend to be generally understaffed with respect to IT and absolutely understaffed with respect to IT security. And so they're definitely facing a resourcing issue.
Can you expand on what it means to serve minors and also what you mean by “common type of applications?”
DL: One of the applications that has become central in schools is something called a Student Information System, or an SIS – and there's a number of tools that are available on the market. [In November 2019], a regional provider called Aeries, which based in California, was compromised. And that resulted in a data breach.
The Student Information System holds, if you will, the crown jewels about students: contact information, date of birth… social security number. They’ll have information on parents. It may have medical information. It may have information about whether they've been involved in the juvenile justice system. If there's an unusual home situation, or maybe custody issues, that's going to be dealt with in the Student Information System… If the student identifies as a non-conforming gender, that's going to be in there. So it's very sensitive information that, in some cases, needs to be withheld from parents or other people because of court orders.
There’s lots of sensitive information about minors that schools hold that if it became public would be a big problem. And there's special rules under FERPA [the Family Educational Rights and Privacy Act], under student privacy laws, for how you handle this information about students. So that's one example of a common application.
But we've also seen third party student-testing vendors being compromised. Pearson was one and 13,000 of their customers’ accounts were compromised. More recently, in Iowa, a company named Timberline Billing, which helps school districts with Medicaid reimbursement for students was compromised, and so 190 school districts had information about Medicaid reimbursement for individual minors, wrapped up in that incident.
What do you think the reason was that up until now, K12 educational institutions were folded into the broader members of the MS-ISAC and REN-ISAC?
DL: Education, K-12 education particularly… is in the midst of its own digital transformation. It's very recent, and unless you are deep in the K-12 sector, it's hard to see the pace at which it's happening.
And so while there's been technology in schools, and schools have had their issues with phishing and malware for years… it’s only in the last decade or really five years that schools have begun to rely on technology for teaching and learning – but also for back office operations like HR, facilities management and food service. And that's new. And because it's new, the infrastructure to support digital security isn't as mature in any way as it is with, for instance, physical security – because there have been concerns about school shootings. That [physical security] is way more mature in terms of risk management in K12 than digital cyber risk.
But these are big deal incidents that are happening to school districts. They're closing down. They're being extorted out of hundreds of thousands, if not millions, of dollars. Mass phishing campaigns with identity theft and payroll redirection and tax fraud. This is all happening to schools – increasingly not just as incidental targets of mass campaigns, but being specifically targeted.
Tell me more about some of the future services K12 SIX will offer as it grows.
DL: We're interested in continuing to raise awareness and advocate for the needs of K-12. We'll be having a March public event for the education sector, broadly, to raise awareness about these issues and the steps that education leaders and policymakers can take to help protect the sector. So there's an advocacy for the needs of K-12 that is part of this work, and that'll be shaped by the community members themselves.
Over time, we certainly would love – when schools are in a mature enough place to be able to do it – to provide some automated tooling as well. So [you can] automatically update firewall rules or even offload what you might think of as SOC-like services from their plate. Because I think ultimately schools are under resourced.
There are a lot of school districts. The notion that each is going to be able to hire their own CISO and security team, and have the training and time to do the monitoring and proactive work they should be doing is hard to foresee. So [we want to] offload some of that burden to them, and then to filter out a lot of the noise to really help them prioritize in very basic ways what are the three things they have to do this week to better protect themselves, and just help them up the maturity curve.
Will K12 SIX cross-collaborate with other sectors and their corresponding ISACs?
MO: With [the GRF] in the center of 13 different ISACs and ISAOs, we act as an information hub. So we aggregate and analyze security information, disseminate actionable intelligence back out and streamline cross-sector collaboration.
One of the things that we're doing in that role too is… we are working with the National Council of ISACs on an application process for K12 SIX to become a member.