In December 2024, a teenage hacker, armed with just a contractor’s username and password, carried out the largest K-12 cyber incident to date. When the data of more than 60 million students and 10 million teachers can be accessed so easily, what can states and districts do to protect their students, teachers, and families?
On June 17, Institute for Security and Technology (IST) Senior Director for Preparedness and Response Michael Klein hosted a webinar unpacking how state and local leaders and policymakers are rethinking their approaches to third-party vendor risk in the wake of the PowerSchool cyber incident. He was joined by North Carolina Department of Public Instruction CIO Vanessa Wrenn, Mohawk Regional Information Center Executive Director Heather Mahoney, and F3 Law partner Mark Williams.
To kick off the discussion, Michael outlined the current state of cybersecurity in the education sector. “The speed, scope and impact of cyber threats to schools continues to increase. We’re seeing roughly five cyber incidents per week impacting K-12,” he said.
While districts are adopting stronger cybersecurity practices, third-party risks that schools cannot directly manage leave them vulnerable. So what can be done?
Wrenn explained the role her organization plays in the state of North Carolina, providing cybersecurity resources for 115 local agencies and 150 charter schools. Unlike many other states, the NC Department of Public Instruction, she explained, established a statewide student information system in 1980 which lifts and shifts the burden for managing cyber risk and financial cost from small and often under-resourced school districts to the state agency. And with that shifting of risk, Wrenn acknowledged that “we always knew that our biggest threats came from human error and third party integrations.”
Through mechanisms like data sharing agreements, third party audits, penetration tests, and many other cybersecurity controls, “we try to control for what we can control for,” Wrenn said.
Continuing the theme of shifting the burden for third-party risk from small school districts to more capable actors, Mahoney shared how New York’s 12 Regional Information Centers (RICs) serve as educational service providers for the state’s 700 school districts to “supplement their capacity in terms of technology and data.”
With the adoption of a state data privacy law in 2014, strong Data Protection Agreements (DPAs) and the recognition of a need for more support around vendor management, the RICs established a Risk Operation Center to manage third party risk across the state. In the wake of the PowerSchool incident, the state of New York convened state education, cybersecurity, and legal experts to engage in discussions on lessons learned and what could be done differently, Mahoney said.
“Communication continues to be one of the biggest challenges in these situations,” she said. “You can never outrun sort of the information getting out to the public. And so how can we be responsive to that?”
The importance of situational awareness and strategic communication has led to a further focus on information sharing between state, regional, and local partners within New York as well as with organizations focused on K-12 cyber threats like K12 SIX (K12 Security Information eXchange). The goal is to take the next step to supporting districts with common resources and standardized processes that work for New York schools so they’re not reinventing the wheel in a moment of crisis.
As one of the original authors of the Student Data Privacy Consortium (SDPC) National Data Privacy Agreement (DPA), a standardized agreement between schools and organizations to protect student data, Williams spoke to the PowerSchool incident’s effect on SDPC’s efforts. “I think what this incident has done is pressure test the DPA, and pressure test how we negotiate terms of service,” Williams said. “We need to tighten up and close any loopholes that have developed in the data disposal section.”
In June, IST stood up the K-12 Cyber Defense Coalition (K-12 CDC). Composed of 13 membership organizations representing superintendents, school boards, technology leaders, principals, and state leaders, the K-12 CDC aims to drive state and local collaboration, policy development, and information sharing to defend our nation’s schools from cyber threats. We wanted to give a special shoutout to CCSSO for Vanessa Wrenn’s participation, AESA for Heather Mahoney’s participation, and K12 SIX, which received a mention from Heather during the webinar.
