The Tsunami Threat of K-12 Cybersecurity

EdTech Policy Roundtables Blog
Co-convened by CoSN, Digital Promise & SETDA

This is one of three blogs. You can read the others at SETDA on connectivity and Digital Promise on adapting learning to meet students.


Everyone in the room agreed: cyberattacks pose a serious and growing threat to school districts’ networks, the continuity of classroom instruction and administrative operations, testing, sensitive student and employee data, and budgets. These ever-increasing risks are not only affecting those with technology in their job title but also teachers, students, parents, administrators, and school board members. The new reality is that cybersecurity is a risk to virtually everyone in K-12.

In December 2020, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an alarming joint alert warning that K-12 is the most attacked public sector for ransomware. District and state leaders, school board members, and policymakers are waking up to this new reality.

Simply clicking on a phishing email can cause major harm to students (unrecognized until years later when their credit record is ruined), educators (whose SSNs/identities are stolen), and the school system (which is held for ransom to pay thousands of dollars to thieves). School district technology leaders know that DDoS attacks on school networks are happening relentlessly to find the one weak point in your network. Even technology leaders from large school districts indicated they don’t have a CISO position and lack the internal expertise to match the many challenges of cybersecurity today.

The current pandemic brought the risk of cybersecurity to the forefront as students and teachers learned remotely from home on unsecured devices, WiFi, and home networks. Meanwhile, school districts, which generally lack technical expertise, are being expected to fight back against these cybercriminals and educate all staff and students about being cyber-safe... and do it all on a shoestring budget. As one state leader said, remote learning would have gone much smoother if we had done more training on cybersecurity prior to the pandemic. And when you do training, it has to be easy to understand and made available to all students, faculty and parents.

Several participants in the roundtable indicated that their state legislatures are placing new, unfunded mandates on their districts to beef up privacy and cybersecurity.  

When asked what the federal government could do, several participants pointed out that the E-Rate program, the main funding source for K-12 infrastructure, generally does not cover cybersecurity expenses. That needs to change immediately if we want to keep student data private, implored the technology leaders.  Cybersecurity is a serious problem that is likely to only get worse without a national focus and sustainable, targeted funding.

Others suggested that more technical expertise and coordination could be provided by the US Department of Education, perhaps working in partnership with other federal agencies like Homeland Security, NIST and the National Science Foundation.  Some suggested funding that builds cybersecurity human capacity for local governments could also be directed to schools.  And others felt that some of the cybersecurity frameworks, such as NIST’s, are so complicated and expensive they would be impossible for K-12 to ever implement.  They want practical and actionable advice designed for schools.

Not all of the conversation was bleak. Some participants indicated that education is becoming much more aware of the cybersecurity challenge and is in a better position than even a year or two ago. Some states are developing standard privacy contracts to use with all their vendors that handle district data. Some indicated they use best practices developed by nonprofits, like CoSN. One participant hoped that communities will become more engaged around cyber safety education, as students did on gun safety following the Parkland and Columbine tragedies.

When asked if cybersecurity is a technical, educational or human capacity challenge, the answer was “yes”. It is all of the above. One participant said it is also a huge communications challenge, as well as a leadership imperative. Another said that school board members assume everything is “fine” until they face a nightmare situation, which is too late.

It will take a strong partnership of local, state, and national education leaders and policymakers working together to address this tsunami of challenges.

Participants:

  • Robert Hackworth, Division of School Technology Planning and Project Management, KY Department of Education
  • Frank Henderson, NSBA President-Elect & School Board Member, Seaman School District 345, KS
  • Eric Hileman, Oklahoma City Public Schools, OK
  • Sean McDonough, NYSCATE
  • Christine Osadciw, Executive Director of Technology, East Irondequoit CSD, NY
  • Mark Racine, CIO, Boston Public Schools
  • Derek Root, CTO, Charlotte Mecklenburg Schools, NC 
  • Chris Rush, Sr. Advisor, Innovation & Educational Technology, U.S. Department of Education
  • Rod Russeau, CSD 99, IL 
  • Hector Sandoval Chavarria, Manager, Data Center and Security, San Antonio Public Schools, TX

This blog reflects the summary by the author and may not represent the official positions of the organizations.

