Critical Infrastructure Protection: Additional Federal Coordination Is Needed to Enhance K-12 Cybersecurity

What GAO Found

Kindergarten through grade 12 (K-12) schools have reported significant educational impact due to cybersecurity incidents, such as ransomware attacks. Cyberattacks can also cause monetary losses for targeted schools due to the downtime and resources needed to recover from incidents. Officials from state and local entities reported that the loss of learning following a cyberattack ranged from 3 days to 3 weeks, and recovery time ranged from 2 to 9 months. While the precise national magnitude of cyberattacks on K-12 schools is unknown, the research organization Comparitech reported the number of students affected by ransomware attacks between 2018 and 2021 (see figure).

Number of U.S. Students Affected by Ransomware Attacks on K-12 Schools and School Districts, 2018-2021

Number of U.S. Students Affected by Ransomware Attacks on K-12 Schools and School Districts, 2018-2021

Federal guidance, such as the National Infrastructure Protection Plan (National Plan), establishes roles and responsibilities for the protection of the nation’s critical infrastructure, including the Education Subsector. Specifically, the Department of Education (Education) is the lead agency, or sector risk management agency, for the subsector. As such, Education and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are to coordinate K-12 cybersecurity efforts with federal and nonfederal partners. In addition, the FBI is to provide criminal investigative support.

Education and CISA offer cybersecurity-related products and services to K-12 schools, such as online safety guidance. However, they otherwise have little to no interaction with other agencies and the K-12 community regarding schools’ cybersecurity. This is due in part to Education not establishing a government coordinating council, as called for in the National Plan. Such a council can facilitate ongoing communication and coordination among federal agencies and with the K-12 community. This, in turn, can enable federal agencies to better address the cybersecurity needs of K-12 schools. Regarding the products and services they do offer to schools, Education and CISA do not measure their effectiveness. Doing so would provide further input on the needs of the schools.

Why GAO Did This Study

The COVID-19 pandemic forced schools across the nation to increase their reliance on IT to deliver educational instruction to students. This amplified the vulnerability of K-12 schools to potentially serious cyberattacks. Several federal agencies have a role in enhancing the protection of our nation’s critical infrastructure, which includes the Education Facilities Subsector.

GAO was asked to review cybersecurity in K-12 schools. The objectives of this report are to (1) determine what is known about the impact of cyber incidents, and (2) determine the extent to which key federal agencies coordinate with other federal and nonfederal entities to help K-12 schools combat cyber threats.

To do so, GAO analyzed publicly reported K-12 cyber incidents and related documentation. In addition, GAO identified law and federal guidance that establish roles and responsibilities for coordinating K-12 cybersecurity. GAO also interviewed officials from federal agencies and selected state-level and local-level school-related organizations on the impact of cyber incidents and level of federal cybersecurity support received.


https://www.gao.gov/products/gao-23-105480