Now that the election is over (sort of), Washington needs to turn its focus back to pressing public policy matters. One such issue – the need to beef up cybersecurity in America’s K-12 schools – was highlighted by Virginia Senator Mark Warner’s recent letter to U.S. Secretary of Education Betsy DeVos. This letter was generated in response to a recent ransomware attack against the largest school district in Virginia, as well as big-picture concerns about cyber threats during the COVID-19 pandemic.
While the cybersecurity risks Sen. Warner raises existed prior to the pandemic, they have grown exponentially this year because of the widespread use of distance learning.
Growing vulnerabilities leave students at risk
A just-released GAO report confirmed that, as nearly every school and school district nationwide transitioned to online learning last spring, reports of student data breaches continued and additional cybersecurity challenges emerged. Moreover, the GAO study noted that in the more than 17,000 public school districts and approximately 98,000 public schools throughout the U.S., breaches that result in disclosure of student personal information “can lead to physical, emotional, and financial harm.”
Once our nation’s schools are able to fully return to their regular in-person learning environment, educators and students will still be using technology rich with cyber risk, and vulnerabilities will persist unless strong action is taken to better protect IT systems and train school personnel and students on proper cyber hygiene.
The funding dilemma
Unfortunately, local governing bodies and school boards have often viewed cybersecurity as just another aspect of their technology budgets, which are themselves often pared down in the final decision-making because technology is viewed as a “want” rather than a “need.” Until recently at least, technology hasn’t been considered part of the educational mission – it’s not teacher salaries, books, or buses, so it’s viewed as something that makes life easier rather than a crucial concern. That approach is incredibly misguided, as technology, which inherently requires adequate cybersecurity, is vital to educating students in the modern, competitive world. We are at an inflection point where cybersecurity must be accounted for in K-12 budgets, roles, and missions.
Cybersecurity is vital to the well-being of the entire school system. If a textbook is out of date or gets lost or a school bus breaks down, it doesn’t impact the entire school system the way a cyber attack and successful network breach can. The results of an attack – whether it be a denial of service, ransomware, or something else – can be devastating to local school systems and their budgets.
And that’s the real key – budgets. It’s not enough to understand the importance of cybersecurity; school systems have to prioritize cybersecurity in their budget processes. Technology is too often one of the first things on the chopping block when revenues aren’t sufficient to fully fund the proposed budget. In this era, failure to fund technology and its security borders on negligence on the part of school systems.
Action is required at all levels
Sen. Warner’s letter contains a solid checklist of items the U.S. Department of Education should diligently pursue to benefit local school systems:
- Developing baseline cybersecurity standards for K-12 (as well as higher education).
- Developing a risk-based and comprehensive FY 2022 budget request to Congress next year that will help local school districts better meet their cybersecurity needs.
- Providing guidance to local school districts on how to adapt and utilize existing cybersecurity frameworks.
- Providing guidance on cybersecurity hygiene practices, risk management, and threat mitigation.
These initiatives are all worthwhile, but it really comes down to setting priorities and providing funding at all three levels – local, state, and federal. Local school systems generally operate within state guidelines and direction, not federal. But while local districts and state governments can make cybersecurity a priority, most of them are seeing serious financial constraints due to the COVID-19 pandemic’s impact on local finances. With the economy effectively thrown into park this spring and only slowly regaining steam, tax revenues have been down, unanticipated expenses are up, and the prognosis is that recovery for local and state budgets will be erratic, long, and painful.
That’s why it’s even more important for Congress and the White House to step up at the federal level by providing additional emergency funding to help local school systems boost their cybersecurity posture. School systems nationwide need more money immediately. Such funding must be part of any pandemic-related aid package, not just provided for in the upcoming FY 2022 budget and appropriations process. Any funding provided during the FY 2022 budget cycle won’t begin flowing to state and local governments and school systems until at least October of 2021 – nearly a year from now. That’s a long time for cash-starved school districts to be unable to address their cybersecurity vulnerabilities. Congress and the White House should recognize this urgent national need and include cybersecurity funding for schools in a COVID-19 aid package – now, before the current Congress ends.