How Momentum is Building for the US Government to Play a Larger Role in Protecting K12 Schools from Cyberattacks

Ransomware (a type of malicious software designed to block access to a computer system or encrypt files until a sum of money, or ransom, is paid) has emerged as one of the most pervasive and damaging cyber threats in recent years, posing significant risks to businesses and critical infrastructure worldwide. And unfortunately, schools are getting hit hard.

The impact of ransomware attacks on schools can be devastating. Victims may experience data loss, operational disruptions, financial losses, reputational damage, and legal liabilities. In the last few years, we’ve seen complex ransomware attacks expose sensitive personal information from students and even completely shut down schools. 

In the United States, schools need to do a lot with a little when it comes to budgets and resources; becoming full time defenders of cyber attacks can feel like a lot to ask from organizations that can barely afford operational supplies. 

While things like applying for grants, tapping the local community, and security awareness training can help, some recent initiatives from the US Department of Education (ED), Federal Communications Commission (FCC), and Cybersecurity and Infrastructure Security Agency (CISA) are determined to improve cybersecurity for K12 schools across the nation.

In this post, we’ll take a look at some of the ways the federal government is attempting to assist schools dealing with waves of cyber attacks. And whatever your political leanings, one thing most Americans can agree upon is that schools (and our children) need help with this issue, and fast.

2023 Protecting Our Future report

In January 2023, the ED and CISA released a report designed to improve systems and protect schools from cyber threats.

The report, “Protecting Our Future,” centered around three key findings:

• Finding #1: “With finite resources, K–12 institutions can take a small number of steps to significantly reduce cybersecurity risk.”
• Finding #2: “Many school districts struggle with insufficient IT resources and cybersecurity capacity.“
• Finding #3: “No K–12 entity can single-handedly identify and prioritize emerging threats, vulnerabilities, and risks.“

Maybe none of these findings seem groundbreaking, but they do recognize the problem schools are facing today, which hopefully can build momentum for greater protection. 

Among the report’s recommendations for schools:

• Invest in Security Measures for a Mature Cybersecurity Plan: Start by implementing key security controls to protect against common cyber threats. Prioritize short-term investments in line with CISA’s Cybersecurity Performance Goals (CPGs). Develop a tailored cybersecurity plan based on the NIST Cybersecurity Framework (CSF) to manage risk effectively.
• Recognising Resource Constraints: Work with the state planning committee to access the State and Local Cybersecurity Grant Program (SLCGP) for funding and resources. Utilize no-cost or low-cost services (cybersecurity clinics and local teams of first responders could be examples, in this case) for immediate improvements in resource-limited environments. Encourage technology providers to include robust security features as standard without extra costs. Transition IT services to secure cloud-based platforms to reduce manual security management and ease resource constraints.
• Collaborating and Sharing Information: Join relevant cybersecurity groups like MS-ISAC and K12 SIX. Build partnerships with information-sharing entities like fusion centers, state school safety centers, and relevant associations. Develop strong relationships with key federal agencies like CISA and the FBI responsible for cybersecurity.

Some of these recommendations are easier said than done. For instance, of course you want to encourage technology providers to include security features as standard without extra costs sounds good, but what incentives do those providers have to do that? Perhaps the government could come up with such incentives, and maybe they will soon. 

In the meantime, schools should consider security solutions that they can customize for themselves, instead of getting stuck with a bunch of bloated, confusing, expensive tools.  

2023 Summits on Cyber Safety in Schools

Right around back-to-school time in 2023, the White House hosted a group of school superintendents, educators and education technology vendors, and announced some new strategies to combat cyber attacks on schools. 

Among measures announced at the summit: CISA would step up security assessments for the K12 schools while tech providers like Amazon Web Services, Google, and Cloudflare, offer grants and other support.

Additionally, a pilot proposed by the Federal Communications Commission pledged to make $200 million available over three years to strengthen cyber defense in schools and libraries. 

Due to the limited amount of funding available through the FCC’s pilot program, only a small number of schools will be accepted, and a window to apply has not yet been announced, but is expected this summer. 

A second cybersecurity summit, 2023 National Summit on K12 School Safety and Security, was held in November. At that summit, leaders again focused on resources that are available to schools, and educational materials that can help bolster their defenses. 

The 2024 New Government Coordinating Council 

The momentum from the 2023 efforts continued into the new year. That’s because, in March 2024, the ED and CISA once again teamed up to establish a council focused on enhancing cybersecurity in K12 schools. The council aims to address the growing threats and challenges faced by schools in protecting their digital infrastructure and sensitive data.

The new council underscores the recognition of cybersecurity as a critical priority in education and highlights the importance of collaboration between government agencies and educational institutions (including federal, state, tribal, and local governments) to address this pressing issue.

CISA’s Director, Jen Easterly, shared in a public statement: “The importance of protecting our schools, students, and educators from cyber threats cannot be overstated. I’m very proud of the work the Department of Education and CISA are doing in this critical area, working collaboratively with the K12 community.”

This initiative emphasizes the need for collaborative efforts and strategic partnerships to bolster cybersecurity measures in K12 schools across the country. Additionally, the council will seek to address cybersecurity challenges, promote information sharing, and provide resources and support to ensure the safety and security of school systems.

We’ll have to stay tuned to see what sort of new work comes from this council, but it’s definitely a step in the right direction and is demonstrating the government understands the importance of these issues. Hopefully, at least by the new school year, we’ll have some more updates.