In the wake of a December 2024 hack of education software provider PowerSchool, cyber criminals are now extorting school districts—putting the data of millions of children at risk. There is an urgent need to help education leaders defend our schools against cyber attacks and bolster their resilience should one occur.
On June 5, IST announced the launch of the K-12 Cyber Defense Coalition (K-12 CDC), a group of thirteen organizations representing school boards, technology leaders, principals, state leaders, and more dedicated to defending our nation’s schools from cyber threats.
In this month’s newsletter, Director of Strategic Communications Sophia Mauro sat down with Michael Klein, Senior Director for Preparedness and Response at IST. Over the course of his career, Michael has had the chance to view educational technology from a variety of perspectives, including as an elementary school teacher in Brooklyn, a founding teacher at a High Tech High school, an IT director in a small school district in Connecticut, a member of 2 edtech startups, and a Senior Advisor for Cybersecurity at the U.S. Department of Education who served as a liaison between the Department, the White House, and the interagency.
At IST, he is leading the charge to establish the K-12 CDC, which aims to convene all of the relevant stakeholders for K-12 cybersecurity in the same room, build cyber policy capacity, and develop actionable recommendations to mitigate third party risk—especially in the wake of the PowerSchool incident.
“[T]his has to be a collaboration between federal, state, and local to make it work. We have transnational criminal groups and sometimes nation states trying to target and disrupt or extort some of our most vulnerable institutions, and unless we begin to knit all those things together with policy and practice, we’re essentially saying to a tiny school district in ‘name your state,’ “you’re on your own.”
Q: Why is cybersecurity so important in K-12 schools? If a cyber attack were to happen, what could be the impact for a student or family?
“When you think about a disruptive ransomware attack, you’re literally stopping children from getting an education for days or weeks. If an attack shuts down school, that means a lot of kids aren’t getting a hot meal for the day. That has a real immediate impact, not just in terms of learning, but also in terms of their health.
Also, for many families, school is a lifeline, right? Especially for students with disabilities, it’s a place where kids can get the services that they need to be successful. And so disruptions to those services can be especially difficult.
A cyber attack has real physical security concerns, too. If a student information system gets knocked out during the middle of the day, you might not know to whom you can legally release students. School buses might not know where to drop them off. So an attack could even make getting safely to and from school a challenge.
In many cases, it’s not just disruptive, but also involves data extortion. The data in student information systems is incredibly, incredibly sensitive data: Which parent has a restraining order? Who can you release a child to? Which students have had psychiatric evaluations?
These are the most sensitive kinds of data. And once that data’s out, you can’t get it back. Social security numbers going missing is a huge deal, but that’s different in kind, I think, from a student’s medical record that’s now on the open web.”
Q: What about the community-level impacts of a cyber attack?
“If schools shut down for days or weeks, that can also have a huge impact on the families who can’t go to work. That means parents might lose their jobs, or it means they may not be getting paid that week. If you scale that, not just to just one or two people, but to an entire region, the effects could be incredibly widespread.
I think the other thing that a cyber attack can do that a natural disaster can’t is this “everything, everywhere, all at once” issue. If it’s just one place or region that’s being impacted by this—as it would with, for example, tornado—we might be able to have states provide support to districts, with the federal government acting as a backstop. But if it’s actually thousands of districts across dozens of states being impacted at the same time, it can be very hard for states to render assistance, even with significant federal coordination and support. The patchwork of law and policy across states further exacerbates effective state and federal response, both at speed and scale.
Q: So, with all of this context in mind, what are you doing about K-12 cybersecurity at IST, and how are you thinking about building defense and resilience for schools?
Bringing my experience in education, I’m really excited for us to be able to announce that we are launching the K-12 Cyber Defense Coalition (K-12 CDC). Composed of 13 membership organizations representing superintendents, schools boards, technology leaders, principals, and state leaders, we will help drive state and local collaboration, policy development, and information sharing.
I think this group represents the understanding that driving cyber defense and resilience for our K-12 schools is a whole-of-sector challenge, one that requires whole-of-sector solutions. There’s a role for everyone, but because of the day-to-day reality of everyone’s jobs, your principal is not waking up in the morning thinking about K-12 cybersecurity, right? It’s just not on the top of their list. Even for a superintendent or a school board, it’s really only going to be in the context of, “I heard about this incident in the district next door.” Even for school IT staff, cybersecurity constitutes only one small part of their job, when compared to mission critical functions like ensuring every student and teacher has a working device and access to wifi and all the systems they need for teaching, learning, and operations.
The K-12 Cyber Defense Coalition represents one place where all of those groups can come together and think through, in a concerted way, the role of each of us in this really new and challenging topic area that we as a sector haven’t thought about so much.
Q: How does the K-12 Cyber Defense Coalition build on the work you led at the U.S. Department of Education?
The PowerSchool incident, where a threat actor was able to get into the student information systems, exfiltrate all the data from all the districts, and extort PowerSchool for a promise not to release the data, happened while I was at the U.S. Department of Education and leading the Government Coordinating Council for K-12 Cybersecurity.
And so, through the GCC and related efforts, we had essentially built the infrastructure to deal with this type of incident. In addition to convening key membership organizations, we had relationships with all of the important players in the White House, FBI, CISA, and the intelligence community, as well as across the states.
As a result, we were able to very quickly convene the GCC, brief everybody on what we knew, hear from education leaders about what they knew, and then bring together 41 states and Guam in a closed door session to understand, across the country, what is the impact and what are we doing to try to fix things? Today’s K-12 Cyber Defense Coalition builds on that strong foundation established at the Department of Education, allowing us to bring together key stakeholders from government and beyond.”
Q: Why host the K-12 Cyber Defense Coalition at IST?
“While there is an important part and role for federal education policy to play, a lot of the ‘rubber meets the road’ work happens at the state and local level.
Hosting the K-12 Cyber Defense Coalition at IST will allow us to expand, not just look at federal policy, but also at the state and local levels, as well as across civil society and nonprofits that weren’t previously involved.”
Q: What will the coalition be focused on going forward?
“We’re going to be focusing, at least in the near term, on the lessons learned and the policy implications of the PowerSchool incident. What better group to really dig into that conversation than one that includes all the stakeholders from state agency chiefs and state CIOs all the way down to superintendents, school boards, and principals in the school building every day? There are implications for everybody. It’s important to continue meeting and thinking about how to build the defensibility and resilience of K-12 in this new context. We will also focus on drawing specific policy and technical lessons from PowerSchool that we can hopefully implement into the future.”
Q: Why is standing up the K-12 Cyber Defense Coalition so important?
For me, what ties this all together is really finding the place where I can have the greatest impact in keeping students, teachers, and families safe, and making possible the kind of teaching and learning that we all want for our kids.
One of the big shifts that I’m focused on is, how do we help people understand that education is critical infrastructure? And when we understand that education is critical infrastructure, how do we, as a whole sector, help education leaders make sure that we are resilient to the most consequential cybersecurity threats that are out there?
And then I think building and maintaining the structures that help school districts and states be successful is important. Especially in education and in state, local, tribal, and territorial entities (SLTTs) more broadly, we have a really long tail, right? We have a few very large school districts, but we have 14,000 school districts, and 70% of them have 2,500 students or fewer. They may have one IT person in the district. In some cases, the superintendent is the bus driver and fixes printers on the weekend. So this is not a system where we can just say, “Hey, here are all the things you need to do, go do it.”
Instead, this has to be a collaboration between federal, state, and local to make it work. We have transnational criminal groups and sometimes nation states trying to target and disrupt or extort some of our most vulnerable institutions, and unless begin to of knit all those things together with policy and practice, we’re essentially saying to a tiny school district in ‘name your state,’ “you’re on your own.”