Opinion: State Governments Can Boost K-12 Cybersecurity

As parents, educators and policymakers, we are constantly grappling with the evolving landscape of cybersecurity threats facing our school districts. From data breaches to ransomware attacks, the threats and vulnerabilities that our educational institutions are facing demand a coordinated response.

But where do school districts turn for support in bolstering their cybersecurity defenses when it seems like a losing battle? Let’s delve into the areas of assistance that state governments can offer to fortify our schools against digital threats.

THE FEDERAL SUPPORT LANDSCAPE

As explained in a Dec. 14 column in The Conversation by Nir Kshetri, a professor of management at the University of North Carolina – Greensboro, the White House unveiled a comprehensive strategy in August 2023 to enhance cybersecurity in K-12 schools, brought about by increasing pressure and some alarming statistics. In the five-year period from 2018-2023, the U.S. education sector experienced 386 documented cyber attacks, resulting in a staggering $35.1 billion in losses, with K-12 institutions bearing the brunt of these assaults.

The White House spearheaded the initiative and got other federal agencies with cybersecurity expertise on board, notably the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Communications Commission (FCC) and the FBI. As part of this initiative, the FCC tabled a pilot program proposal earmarking $200 million over three years to fortify cyber defenses. However, given that K-12 schools are underfunded by an estimated $150 billion annually in the U.S., one has to question whether this falls short of comprehensive coverage.

The outlined expenses above encompass hardware and software procurement, consultancy services, rigorous testing protocols, and the recruitment of data protection specialists to thwart cyber threats. Continuous training remains imperative to counter evolving risks, as technological advancements prompt cyber criminals to adapt their tactics to exploit vulnerabilities in digital systems.

EXAMPLES OF DIFFERENT STATES ENACTING CHANGE

In 2023, according to a report from the Consortium for School Networking (CoSN), 33 states implemented 75 new cybersecurity statutes, significantly surpassing previous years' legislative activity. These laws encompassed various cybersecurity policies and strategies, including funding for infrastructure, responses to cyber attacks, policy establishment, workforce expansion, incident reporting mandates, governance strengthening and AI's role in cybersecurity.

Specifically, nine of these laws focus on cybersecurity in elementary and secondary education. For instance, Arkansas now requires annual reviews of schools' cybersecurity policies; California established an information-sharing policy between the state and school districts; Illinois formed task forces; Maryland required schools to communicate their cybersecurity policies to parents; and Texas provided substantial funding and safety standards for K-12 cybersecurity. Meanwhile, other states allocated funds, mandated cybersecurity-inclusive education and required cybersecurity plans for virtual schools. This illustrates that there is a broad and concerted effort to bolster cybersecurity measures in the education sector.

So what resources can schools use to stay vigilant and equipped to address such challenges effectively?

HARNESSING FREE RESOURCES TO STRENGTHEN SCHOOL CYBERSECURITY

There is a degree to which the onus is on schools to ensure they plan correctly. The planning team should comprise school personnel, community partners and a school district representative to address cyber threats.

Schools and districts can also avail themselves of many free resources to formulate strategic goals, objectives and actionable plans. These resources aid in navigating cybersecurity, empowering educational institutions to safeguard their digital assets effectively.

First, the K12 "SIX Essentials Series" sets baseline cybersecurity standards for U.S. school districts and offers guidance and tools to facilitate their implementation. To get full access to this, a staff member just needs to visit this page and enter a few details. Additionally, there are member events and opportunities to learn from those working through similar cybersecurity issues.

Another pivotal resource in the arsenal of cybersecurity preparedness is the Framework for Improving Critical Infrastructure Cybersecurity, crafted by the National Institute of Standards and Technology (NIST). This framework, based on five core functions — identify, protect, detect, respond and recover — offers a comprehensive blueprint for cybersecurity endeavors. By aligning with these core functions, schools can establish a robust foundation for mitigating cyber risks and bolstering resilience against potential threats.

Additionally, the National Cybersecurity Assessments and Technical Services team, a division of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, is ready to offer invaluable support for bolstering cybersecurity capabilities. Through practices such as cyber hygiene, phishing campaign assessments, and risk and vulnerability assessments, schools can fortify their defenses across critical domains.

Cyber hygiene, for example, involves automated vulnerability scans to produce weekly reports and identify and mitigate threats. Similarly, phishing campaign assessments provide insights into the susceptibility of school communities to email phishing scams, so administrators can plan targeted interventions and staff trainings to enhance awareness and resilience. Moreover, risk and vulnerability assessments encompass phishing assessments, wireless security evaluations and web application analyses, empowering schools to identify and address vulnerabilities across their digital ecosystem proactively.

FINAL THOUGHTS

By harnessing the expertise of government resources, fostering public-private partnerships, and prioritizing investments in workforce development and technological infrastructure, we can fortify our schools against digital threats and secure the future of our children's education. We should collectively embark on this journey toward a safer and more resilient learning environment for all.

Charlie Sander is the CEO of ManagedMethods, a K-12 cybersecurity company.