Ransomware attacks impacted over 2.6 million students between 2018 and 2021, according to new analysis from the U.S. Government Accountability Office (GAO). The number of affected students peaked at nearly 1.2 million in 2020, and declined to 647,000 students in 2021, the GAO report said.

Besides offering cybersecurity-related products and services to schools, the U.S. Department of Education and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have little to no interaction with other agencies and the K-12 community over cybersecurity in schools, the report noted.

To improve coordination among federal agencies over K-12 cybersecurity, GAO recommends U.S. Education Secretary Miguel Cardona establish a coordinated cybersecurity council between federal leaders and schools, and, alongside stakeholders, “consider the identified opportunities for addressing cyber threats, as appropriate.” Additionally, the Education Department should create metrics to gather feedback and gauge the effectiveness of cybersecurity products available to schools, the report said.

Why? There are still no formal channels between federal agencies and schools for addressing cybersecurity risks or incidents, GAO said.

The lack of federal support and coordination with schools over cybersecurity is in part because the Education Department has not created a council to foster ongoing communication between schools and federal agencies, the report found.

Federal guidance in the National Infrastructure Protection Plan, which establishes responsibilities needed to protect critical infrastructure, includes the education subsector. In that plan, the Education Department is expected to manage this subsector, GAO said. CISA and the Education Department should also be coordinating K-12 cybersecurity efforts with federal and nonfederal partners, the agency said.

The GAO report comes soon after about 500 gigabytes of data were stolen from the Los Angeles Unified School District in a major ransomware attack. That led to personal and possibly damaging information on students and staff in the nation’s second-largest school system being posted on the dark web.

From a district perspective, experts recommend that schools and their IT leaders vet new district technology and create their own security team, notes K12 Dive in a recent article.

Collaboration between instructional and IT leaders to teach cybersecurity to students should be another focus, experts suggest. In such an effort, one Ohio school district — Lakota Local Schools — is among those offering a cybersecurity program for high school students. This course, begun four years ago, also gives students skills to improve safety online, and that can include cybersecurity certifications that can help them get a job in the field, too.

Cyberattacks on schools can have consequences both on academics and finances, GAO said, noting that recovery time has ranged from two to nine months.

Learning loss after a cyberattack can range from three days to three weeks for a district, the agency said. Cyberattacks also create expenses as districts recover. Overall, GAO said, the exact national impact of these cyberattacks on schools is still unknown.