11/04/2021 | News release | Distributed by Public on 11/04/2021 06:04
Key Points:
Will 2022 be the tipping point for cybersecurity in America's public schools?
In the past two years, remote learning drove K-12 schools' use of technology to new highs - without addressing their chronic shortcomings in protecting devices, systems and data. No wonder local news channels were filled with reports of classes canceled, student IDs stolen, ransomware demanded and other disturbing incidents.
With digital learning here to stay, forces are aligning to better protect K-12 schools and students from ongoing cyberattacks. Recent developments include:
Legislating Change in K-12 Cybersecurity
By April, the K-12 Cybersecurity Act calls for the Cybersecurity and Infrastructure Security Agency to issue new guidelines for schools, followed by the development of tools to implement them. While the law stops short of requiring schools to act, some Washington observers suggest they prepare for the eventual imposition of minimum K-12 cybersecurity standards.
The Biden administration, which has been gradually imposing minimum cyber standards across sectors such as energy and transportation, called the new K-12 law part of its "whole-of-nation effort to confront cyber threats."[3]Meanwhile, schools must comply with the 40-year-old Family Educational Rights and Privacy Act (FERPA), last updated in 2002. Though the law does not specify security controls, the Department of Education states that a cyber breach could lead to a FERPA violation and loss of federal funding.[4]In addition, some states have also been advancing K-12 privacy and cybersecurity standards.[5]
Advocacy groups and legislators say more is needed - calling for government cybersecurity to allocate funds to K-12. A letter signed by six members of Congress emphasized that "While studies and best practices can help inform our national response … Congress must act by putting real resources on the table."[6]In a study commissioned by Mimecast, Osterman Research also concurred that "With the education sector being chronically under-resourced for cybersecurity, the high-level change required is greater funding."
A petition before the Federal Communications Commission proposes adding cybersecurity provisions to the agency's e-rate program, which helps pay for broadband access at most K-12 schools.[7]
The Cyber Assault on Public Schools
Public schools reported more than two cyber incidents per school day last year, resulting in school closures, millions in stolen taxpayer dollars, student identity theft and related credit fraud, according to The State of K-12 Cybersecurity: Year in Review.[8]The K-12 Cyber Incident Map below illustrates the extent of the problem.
Source: Visit K-12 Cybersecurity Resource Center for interactive map.
K-12 schools fall prey for several reasons:
Tools for Schools
K12 SIX - which is part of the larger Global Resilience Federation of some 7,000 organizations across the world - recently released a significant new addition to school cybersecurity toolkits: The K12 SIX Essential Cybersecurity Protections describes a dozen basic measures. The new framework distills best practices and state and federal guidance, such as the National Institute for Standards and Technology's cybersecurity framework.[13]The measures are divided into four categories:
"There are many quite elaborate cybersecurity risk management frameworks that already exist, but they are overcooked for school districts' capacity, for their needs, for the amount of money and resources they have available to them," said K12 SIX National Director Doug Levin.[14]
And according to Kit Huynh, senior sales engineering manager at Mimecast, "IT directors at schools are in over their heads, but we're seeing groups like K12 SIX outline a simple way for them to get more of a handle on the situation." Companies including Mimecast are also tailoring solutions that cover K-12 cybersecurity basics,such as email security, web security, data archiving, teacher training and integration across the range of IT and security tools.
The Bottom Line
Everyone from local parents to President Biden is calling for solutions to the ongoing wave of cyberattacks against America's public schools. The K-12 Cybersecurity Act, recently signed into law, is putting the spotlight on schools' most urgent needs and how to fill them.
[1]"K-12 Cybersecurity Act of 2021," U.S. Government Publishing Office
[2]"K12 SIX Essential Cybersecurity Protections: 2021-2022 School Year," K12 SIX
[3]"Statement of President Joe Biden on Signing the K-12 Cybersecurity Act Into Law," White House
[4]"Data Security: K-12 and Higher Education," U.S. Department of Education
[5]"Student Data Privacy Council Report," Maryland State Department of Education
[6]Congressional letter of September 27, 2021, U.S. Congress
[7]"Modernizing the E-rate Program for Schools and Libraries," Consortium for School Networking et al
[8]"The State of K-12 Cybersecurity: 2020 Year in Review," K-12 Cybersecurity Resource Center
[9]"EdTech Leadership Survey Report 2021," COSN
[10]"Teen Hacks School Computer System, Rickrolls Entire School District," The Byte
[11]"Recent K-12 Data Breaches Show that Students Are Vulnerable to Harm," U.S. Government Accounting Office
[12]"Officials Tell Schools Not to Pay Ransomware Demands. Parents Disagree, Survey Finds," EdScoop
[13]"Guide to the NIST Cybersecurity Framework: A K-12 Perspective," K-12 Cybersecurity Resource Center
[14]"Government Working on Recommendations," K12 SIX
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly