The K-12 cybersecurity landscape faces numerous challenges — from finding and retaining staff to facing the ongoing threat of ransomware attacks that can shut schools down for days and result in the theft of district funds or sensitive data.
With the White House’s release of its National Cybersecurity Strategy last week, some K-12 technology experts remain cautiously optimistic the plan will lay a foundation for much-needed upgrades to help school districts nationwide. A key focus in the national plan is to shift the burden away from local governments and under-resourced consumers. Instead, the strategy suggests the cyber defense onus should fall more on major technology companies.
District technology leaders “are doing everything they can to protect networks and data, but as the federal government has shown, K-12 is just a top target for things like ransomware,” said Keith Krueger, CEO of the Consortium for School Networking, or CoSN.
While the National Cybersecurity Strategy is a great first step, Krueger said, there needs to be “swift follow-through at all levels of government.”
Holding tech companies accountable
Between 2016 and 2021, school district vendors were “responsible” as the entry point for 55% of K-12 data breaches, according to a 2022 report by the nonprofit K12 Security Information Exchange.
In New York City Public Schools, a January 2022 cyberattack on ed tech company Illuminate Education led to a data breach of 820,000 current and former public school students. That followed a similar mass data breach in Chicago Public Schools in December 2021, when nonprofit ed tech provider Battelle for Kids fell victim to a ransomware attack.
Krueger said it’s notable the White House strategy calls for shifting cybersecurity responsibilities away from individuals, small businesses or local governments — which could include schools.
Vendors “have a moral responsibility to defend secure applications and also protect their infrastructure,” said Keith Bockwoldt, chief information officer at Hinsdale Township High School District 86 in Illinois. Ultimately, both districts and vendors need to do their part to protect staff and students’ personal data, he said.
“If the cost of an application goes up because of it, knowing that I have a secure infrastructure or a secure application that I’m using, I’d be willing to pay for it,” Bockwoldt said. Though, he added, that opportunity to pay more for a guaranteed secure app doesn’t often arise.
The national plan also seeks to provide grant opportunities to encourage companies to secure their apps.
“I think that’s a good olive branch on the government’s side,” Bockwoldt said.
More cybersecurity training
Another goal of the national strategy is to build up and diversify the pipeline for cybersecurity professionals. One way will be to continue funding the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Education and Training Assistance Program.
A current grant recipient in that program is Cyber.org, a virtual cybersecurity education program that began in Louisiana and recently expanded to all 50 states. It’s important to begin educating students on cybersecurity as early as kindergarten, said Laurie Salvail, executive director of Cyber.org, in an emailed statement.
“Ensuring that every K-12 student is exposed to cybersecurity in the classroom is essential [for] growing their confidence to pursue careers in the workforce,” Salvail said. Addressing the shortage in these postions will help both private and public organizations in protecting themselves “from outside threats, advancing U.S. innovation, and diversifying our country's cybersecurity workforce,” Salvail added.
The cybersecurity profession is dealing with significant workforce shortages across the board. In the K-12 sector, it’s even more difficult to find someone and keep them for more than a couple of years, often due to budget constraints.
Both Bockwoldt and Krueger said they’re excited the White House strategy aims to bolster the cybersecurity workforce. But Krueger said schools will have to get more creative in hiring cybersecurity professionals by partnering with community or vocational schools or training students within the district.
The shortage of cybersecurity professionals “is just getting worse,” Bockwoldt said. “We need to continue to focus and get more people engaged in the industry to take on these positions, to learn about technology and also be able to build a workforce.”
Momentum for E-rate update?
For state agencies overseeing cybersecurity, the strategy is a “wake-up call” to include school districts in state plans and funding for network protections, Krueger said.
In December, the Federal Communications Commission sought public comment on using its E-rate program to pay for school and library cybersecurity upgrades, such as advanced firewalls. Firewalls are just one way to protect schools from a bad actor entering their networks, Krueger said, adding that districts have to uphold even more stringent protections just to keep cybersecurity insurance.
“We certainly would not say it’s a once-and-done panacea,” Krueger said. “But for the E-rate program to not even do that [upgrade firewalls], it’s just taking a frustratingly long time to get the FCC’s attention on this.”
Though there are hopeful signs the strategy will encourage the FCC to fund more cybersecurity efforts in schools, Krueger said, ultimately, “the proof is in the pudding.”
Calls to combat ransomware
As districts are often targeted in ransomware attacks, Krueger and Bockwoldt said it’s encouraging the national strategy has placed an emphasis on private and global partners rallying to combat these incidents.
Ransomware is “so prevalent out there,” Bockwoldt said. “There really has to be a concerted effort and focus on this one because it impacts everybody.”
More action will be needed to carry out the strategy, he said, and districts would especially benefit from more cybersecurity training as a part of partnerships. Additionally, districts should start reaching out and building relationships with their local FBI offices even when they aren’t in a cybersecurity crisis, Krueger said, so school leaders know who to contact if a cyberattack occurs.