This time last year, Jaggar Henry was enjoying the summer like so many other teens. The 17-year-old had a job, was hanging out with friends on the weekends, and just generally spending a lot of time online. But then, at the end of July, Henry combed his hair, donned a slightly oversized Oxford shirt, and appeared before his school district’s board in Polk County, Florida—one of the larger school districts in the US—to outline a slew of security flaws he had found in its digital systems. His presentation was the culmination of months of work and focused on software used by more than 100,000 students.
Those vulnerabilities have been fixed, but Henry, who now works full time on education technology, says that his experience illustrates the challenges facing school districts across the United States—and a problem that’s grown more acute in the wake of Covid-19.
The coronavirus pandemic has had major cybersecurity implications around the world. Tailored phishing attacks and contact-tracing scams prey on fear and uncertainty. Fraudsters are targeting economic relief and unemployment payments. The stakes are higher than ever for ransomware attacks that target health care providers and other critical infrastructure. For businesses, the transition to remote work has created new exposures and magnified existing ones.
School districts in the United States already had significant cybersecurity shortcomings. They often lack dedicated funding and skilled personnel to continuously vet and improve cybersecurity defenses. As a result, many schools make basic system setup errors or leave old vulnerabilities unpatched—essentially propping a door open for hackers and scammers. Schools and students also face potential exposure from third-party education technology firms that fail to adequately secure data in their platforms.
The pandemic amplified these risks, as school districts around the country transitioned to distance learning in the spring. Suddenly, millions of teachers and students relied on video chat software, lesson portals, digital message boards, and other online tools. If these systems are set up without proper authentication and controls, any of them can potentially become vectors for attack. And tools to access school networks remotely, including VPNs and Remote Desktop Protocol, can be abused by attackers to gain unauthorized access to sensitive systems. Last week, the Federal Bureau of Investigation issued a security alert about the threat of ransomware to schools amidst the Covid-19 crisis. “K-12 institutions have limit