The past two years have seen unprecedented cyberattacks on K-12 networks, jeopardizing network security and the privacy of students, families, and school employees. Earlier this year, New York City schools saw the largest K-12 data breach in history, when one of their vendors was attacked; other large-scale attacks have affected back-end digital infrastructure or resulted in the leak of more than a decade’s worth of data. Cyberattacks on K-12 institutions were increasing prior to the pandemic, but the proliferation of remote learning and devices being used off campus increased schools’ vulnerability, putting student privacy, including sensitive data, at risk. Although federal policymakers have made strides to support K-12 cybersecurity, the need for long-term funding and robust coordination among stakeholders merits further steps to protect K-12 networks.
Federal leaders have approved funds for K-12 schools, including funding for cybersecurity under the pandemic-related Elementary and Secondary School Emergency Relief fund and for secure, private devices and connections, as well as digital literacy, under the Infrastructure Investment and Jobs Act.
Those strides at the federal level also included some requirements for coordination among K-12 stakeholders. For example:
- The State and Local Cybersecurity Improvement Act, which CDT discussed in a recent podcast episode, requires states to consult with local entities, including schools, in drafting cybersecurity plans.
- The K-12 Cybersecurity Act similarly requires the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate with schools and other education stakeholders in developing recommendations and tools to better secure school networks.
- And finally, the recently passed State and Local Government Cybersecurity Act of 2021 also requires the Department of Homeland Security to provide resources to local governments “in coordination as appropriate with Federal and non-Federal entities,” although it does not require that coordination to include the U.S. Department of Education (ED) or other educational institutions.
Despite those strides, there is still substantial work to do to bolster K-12 cybersecurity, with a particular need to establish a long-term, sustained solution for K-12 schools’ cybersecurity funding needs and to improve coordination among federal stakeholders.
Sustained, Flexible Funding
Cybersecurity risks to student privacy and K-12 networks are not going away. Yet current funding efforts are structured as one-time appropriations of funds, and some are designed to decrease support over time. Ending or diminishing funds may force schools to make a trade-off between providing services to students and ensuring those services are adequately secured — at a time when cyberattacks continue to increase. Further, many of those funding programs are focused on limited purposes and may not cover expenses that are essential to protecting K-12 networks, including training school staff or developing the digital literacy of students and parents.
Sustained, flexible funding for K-12 cybersecurity might be addressed by several pending proposals before the executive agencies and Congress:
- CDT has proposed changes to one Federal Communications Commission (FCC) program to help ensure long-term funding for K-12 cybersecurity. CDT proposed that the FCC’s E-Rate program be expanded to include additional uses for cybersecurity funding. Appropriately structured, cybersecurity funding within E-Rate can provide schools flexibility to meet their needs for technical infrastructure, human capital, and resources for mitigating the costs of attacks without overtaxing the program.
- Other proposals would help support essential aspects of cybersecurity that are currently underfunded. For example, the Enhancing K–12 Cybersecurity Act would provide additional funding for training and sharing best practices.
Current coordination efforts focus on coordinating between states and local entities, and have largely not addressed the opportunity — and need — to encourage coordination among federal agencies tasked with cybersecurity. As the Government Accountability Office (GAO) recently observed, K-12 cybersecurity involves expertise across multiple federal agencies, and the two leading agencies — CISA and ED — have not adequately coordinated their efforts. A lack of coordination at the federal level creates risks for schools such as duplicative efforts (and wasted funds!), conflicting, outdated, or omitted guidance, and schools not knowing which agency to turn to for support.
At least one pending legislative proposal could support better coordination at the federal level on K-12 cybersecurity. The Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act would provide annual reports on cybersecurity for small entities, including small school districts. Although this information will be useful, the bill would benefit from requiring coordination among CISA, ED, and other federal agencies. K-12 data governance cuts across levels of government and spans federal agencies, and K-12 cybersecurity policy should reflect that reality.
Developments in cybersecurity and increased device usage and remote learning have made it more vital than ever for schools to receive support from state and federal policymakers to protect their networks and their students. The complexity of these attacks has also increased the need for coordination at the federal level. Our unprecedented efforts to close the homework gap must be accompanied by commensurate efforts to protect student privacy and schools’ cybersecurity.