America has been ill-prepared for the challenges of cybersecurity in schools over the last decade. Cyber criminals view educational entities as “target rich” because of the amount of data they hold and the increasing prevalence of technology in classrooms. Schools are “cyber poor” because they are almost always stretched thin financially with many more immediate needs taking precedence over cybersecurity.
A Growing and Costly Threat
In 2022, there was a 44% increase in the number of cyber attacks on schools. During the 2022/2023 academic year, at least eight K – 12 schools faced significant cyber attacks, and at least four of those schools were forced to cancel classes or close their doors temporarily. Learning losses continued anywhere from three days to three weeks after the typical incident.
These disruptions to learning, and by extension childcare, are disorienting for children and a burden for parents. Even when schools remain open, families are victimized when their personal data is leaked. Plus, cyber security incidents are expensive–each incident costs schools between $50,000 and $1 million.
Many schools are not prepared for the spate of cybersecurity attacks that are likely headed their way this year. The Biden Administration has acknowledged this threat as critical to both education and homeland security. In an attempt to address the issue, they recently convened a coalition of public and private resources that are pledging to improve cybersecurity in schools across the nation.
First Ever Federal Summit to Address Cybersecurity in U.S. Schools
The first ever K-12 Cybersecurity Summit was held at the White House on August 7, with First Lady and long-time educator Jill Biden playing host. Dr. Biden was joined by U.S. Education Secretary Miguel Cardona, U.S. Homeland Security Secretary Alejandro Mayorkas, academic administrators, cybersecurity experts, and other top government officials. The First Lady said, “If we want to safeguard our children’s futures we must protect their personal data… Every classroom should be enriched by new technologies … and every family should know its information will stay safe and secure.”
The Administration used the summit to announce a number of ways that it is taking action to address cybersecurity in schools. At a related hearing, a CISA cybersecurity adviser acknowledged that the government has had to take a new approach to this issue. Richard Rossi said that CISA “take[s] a look at where a district is [and] work[s] with them where they’re at instead of where they should be.” The programs born out of the Administration’s efforts seem to be aligned with this philosophy.
A number of new government initiatives are aimed at promoting interagency collaboration to progress the cause of improved cybersecurity in schools.
- The Department of Education is establishing a new Government Coordinating Council (GCC) to help coordinate activities, policy, and communications between federal, state, local, tribal, and territorial governments that strengthen the cyber defenses and resilience of K – 12 schools.
- The FCC has announced plans to invest $200 million over three years in a new Universal Service Fund that would boost K-12 cybersecurity. FCC Chair Jessica Rosenworcel says, “With the growing number of sophisticated cyberattacks on schools and especially the rise in malicious ransomware attacks that harm our students, now is the time to take action.”
- CISA has partnered with the Department of Education to offer new guidance documents to “assist educational leaders in building and sustaining core digital infrastructure for learning.” The newest document is the K-12 Digital Infrastructure Brief: Defensible and Resilient. It addresses the key considerations facing educational leaders as they work to build and sustain core digital infrastructure for learning. CISA Director Jen Easterly says, “The product released today from the Department of Education and CISA provides K-12 school districts across our communities a starting place to understand the importance of securing our digital infrastructure, and provides steps schools can take today to keep their systems safe.” Additional guidance documents on “adequate and future-proof” infrastructure and data privacy and interoperability are also available.
- Later this year, the FBI and National Guard Bureau plan to release updated guides for state government and education officials on how to report cyber incidents.
Private Sector Initiatives
Free school resources from the private sector were also announced at the summit.
- AWS has launched a $20 million grant program to help K-12 schools implement cloud-based cybersecurity solutions.
- Cybersecurity company Fortinet is offering no-cost security awareness training to all K-12 school systems in the U.S.
- Cloudflare, an IT service management company, has launched Project Cybersafe Schools, an initiative aimed at small K-12 public school districts. The program supports eligible schools with a free (forever) package of Zero Trust cybersecurity solutions.
- PowerSchool provides cloud-based software for K-12 schools. The company has pledged to offer free and subsidized security-as-a-service resources to all school districts.
Schools Remain in Difficult Position
CISA security adviser Rossi’s advice to “meet schools where they are” is an acknowledgement of how difficult the problem of cybersecurity has been for districts. As a society we generally ask schools to do a lot with very little in the way of resources. That’s hard enough when it’s within their realm of expertise–education. It’s nearly impossible when the societal “ask” extends to outsmarting well-funded cybercriminals. In acknowledging that “where schools are” is very likely at square one or even in a place of not thinking about security at all, it seems that we are finally pointing significant resources at the issue.
Some Say It’s Still Not Enough
While these new government efforts are definitely a step in the right direction, some experts warn that they are still not enough. Stephen Bish, cybersecurity strategist for Schneider Down, says, “These initiatives are focused on much of the right things, but they will likely require significantly more funding and support to adequately defend our schools from a world of constantly evolving threat actors.”
Schools will remain “target rich” even if they are able to become somewhat less “cyber poor.”
Unfortunately, none of the new initiatives comes with a mandate for participation. Schools that are mired in more pressing issues (and there are many) are not likely to take advantage of programs even if they are free. Some school districts cannot pull personnel resources away from the basic task of running their campuses day-to-day. In the future, initiatives aimed at improving cybersecurity in schools should consider funding positions specifically tasked with security.
Parents Can Make a Difference
Cybersecurity education doesn’t just happen at school. Parents are an important part of the equation. As a parent, advocate for your school to participate in the free programs mentioned above. Ask your district superintendent and school board members about cybersecurity in your schools. And be prepared to step in as a volunteer to help get things off the ground.
Parents should also lock their children’s credit, monitor their accounts, and teach them good password security. Children who are aware can help protect their school too!