In a recent policy memo, the nonprofit, nonpartisan think tank Institute for Security and Technology (IST) suggests policy changes to make the USF a resource for school cybersecurity as well as broadband, whether through renewing the pilot or redefining the USF's E-rate program, which has historically subsidized school and library broadband expenses.
According to the memo, published by IST’s Senior Vice President for Policy Nicholas Leiserson, cyber attacks are becoming increasingly common for organizations like schools and hospitals, as they aggregate valuable data such as Social Security numbers, patient histories and academic records, yet schools lack cutting-edge digital protections due to cost.
Michael Klein, senior director for preparedness and response at IST, said the recent pace of cyber attacks on schools calls for some urgency.
“We have about five cyber incidents per week impacting schools,” he said. “These are disruptive attacks that stop school districts from being able to access systems that they need, and sometimes can lead to the shutting down of school for one or multiple days. And that can obviously be really disruptive to the whole community.”
Some education advocates view the USF as an ideal resource to help schools address the problem, and an October 2024 Supreme Court ruling gave them reason for optimism: It upheld the FCC’s authority to collect fees for USF and administer the fund, which at least saved E-rate in the short term, if not opened the door to revising it.
Historically, cybersecurity has not been covered by E-rate, but some policy analysts at ISF argue that it should be, because connectivity without adequate security leaves schools vulnerable.
“[E-Rate] has really done incredible work to close the connectivity gap that had existed where only wealthy school districts might have had access to the Internet,” Klein said. “While that may have made sense 10 or 15 years ago, increasingly people are saying, 'We need to find a way to purchase the kinds of security services that all enterprise businesses use.'”
The overarching goal of the FCC's cybersecurity pilot program, according to Klein, was to determine whether USF revenue could expand schools’ telecommunications and digital protections services in line with modern-day needs. Though still in its early stages, Klein said, the program has already revealed valuable insights: high demand for financial support, a range of needs including firewalls, intrusion detection and identity management, and persistent gaps in areas like staff training and dedicated IT personnel.
Given the demonstrated high demand, the IST's recent memo proposed three recommendations for the FCC to consider regarding the pilot program’s next steps:
- Make the pilot permanent, using its existing infrastructure to transition smoothly into a nationwide program.
- Modernize the list of eligible E-rate services so that funds could be used for current and next-generation cybersecurity tools, and able to adapt as technology continues to evolve.
- Carve out a dedicated cybersecurity set-aside within E-rate, reserving a portion of its funding specifically for protecting schools and libraries from digital threats.
These options are not mutually exclusive, though, Klein said.
“Education is critical infrastructure, and then you need to protect it as if it is a right. ... Certain things like cybersecurity are nonpartisan. Nobody wants their school district ransomwared — Republican, Democrat, independent,” he said. “We're getting more to a place now where we understand, it's not a question of if, but when. And how can we reduce the harm when this happens?”
