According to the legislation, schools and local education agencies must be under the CMD’s jurisdiction and pay for the evaluation to qualify.
As for the evaluation criteria, the Military Department and the individual school or educational agency will set the parameters for the assessment.
Col. Darrin Bender, the CMD’s director of government affairs, said the idea came from the agency’s previous experience of doing security assessments for state agencies.
Based on that prior experience, Assemblyman Ed Chau, D-Monterey Park, sponsored the bill to allow the Military Department to do the same type of work with schools.
“Local education agencies and school districts are starting to see higher threat levels of ransomware and a lot of bad behavior from cyber criminals,” Bender said. As a result, Chau wrote the bill with the input of CMD.
The biggest question regarding the bill, he said, was “Can you do this, and to what extent or scale can you meet the new demand?” The answer Bender said is, “We can definitely do it and design the assessments like we did the state agencies assessments specific to each district.”
To provide a bit more context about this process, Col. Jim Parsons, the CMD’s Cyber Network Defense chief, said, “In reality, we’ve done over 200 independent security assessments for agencies. Some have been done twice for the same agency to see how the results have changed.”
In some cases, Parsons said, vulnerabilities have dropped by 40 or 50 percent after doing the security assessments.
As for using this model in schools, the trick is addressing the assessment’s scope before deciding what the department should work on.
“The scope for a huge school district will, of course, be different than a smaller one," Parsons said. “Remote technology in the classroom has seen a number of attacks and is continuing to grow.”
A second area that should be looked at is the state of schools’ networks.
“I think one of the things is inspecting what you expect,” Parsons said. “Knowing the state of a school or education agencies state of network can lead to huge dividends to see what their network looks like from the outsider perspective.”
One of the challenges moving forward could be adding the necessary staff members to the group overseeing these assessments.
“These types of skills are so finite,” Parsons said. “There are so many cyber experts willing to do this kind of work; scalability will also be an issue in 2021 if the demand surges over the next several years."
“This concept is brand new; we haven’t done educational assessments yet. However, we look forward to working with schools and different educational agencies to help safeguard them from cyber threats,” he said.
