K-12 Cybersecurity is Struggling to Keep Up – Is Help on the Horizon?

Vince Scheivert
November 10, 2021 • 5 min read

The first step in correcting a problem is admitting that there is a problem. It is no secret that our public schools are suffering at the hands of malicious actors meaning to do them harm. Beyond an ever-increasing volume of attacks, school divisions across the nation also suffer from tight budgets and under-resourced technical staff. Making matters even worse, many within the education industry feel that cybersecurity is just a local issue rather than a national – and even global – concern. 

The good news is we’ve seen bipartisan movement on Capitol Hill from legislators coming together to address what has escalated into an assault on our public schools. Cybersecurity was generally an afterthought for many state and federal policymakers, despite repeated calls from organizations like the Consortium for School Networking (CoSN) that more is needed to be done to support schools. 

However, that has changed in Congress, where several bipartisan bills to address cybersecurity for public education have been introduced.

One of these measures, the K-12 Cybersecurity Act, has been approved by the House and Senate, and was signed into law by the President in early October. This initiative is a monumental step forward in admitting that we have an issue concerning cybersecurity in K-12 and working toward getting a true understanding of the challenge.

Specifically, the K-12 Cybersecurity Act of 2021 authorizes the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks. Among the obvious risks facing school divisions which the study must investigate are ransomware, distributed denial of service attacks, and general theft of personally identifiable information.

Of even greater potential significance is another bipartisan House bill, the Enhancing K-12 Cybersecurity Act, which would, according to its sponsors, promote access to threat information, better track cyberattacks nationwide, and increase the number of cybersecurity experts in our schools. Specifically, it would:

  1. Require the Director of CISA to establish a Cybersecurity Clearinghouse to disseminate information, best practices, and grant opportunities to improve cybersecurity;
  2. Establish a Cybersecurity Registry within CISA to track incidents of cyberattacks on elementary and secondary schools; and
  3. Direct CISA to establish a K-12 Cybersecurity Technology Improvement Program to deploy cybersecurity capabilities that will help address cybersecurity risks and threats to information systems of K-12 schools, and authorizes $20 million in federal funding over the next two years for this program.

The sponsor and other supporters of this legislation have written to the congressional leadership urging this bill be included in the budget reconciliation legislation now being negotiated in Congress.

The database proposed by this bill could also help drive some funding increases from state and local sources based on the identified risks and gaps in recommended toolsets that should be implemented versus the tools/technologies that are currently in use at a school district. Simply, the study will almost surely highlight the gap between what should be in place but is not in practice. 

This does not mean that opportunities do not exist to begin bridging these gaps now. The federal government has tried to provide some level of support by passing a series of recovery acts, the most recent being the American Rescue Plan Act (ARPA) and, before that, the Elementary and Secondary School Emergency Relief Fund (ESSR). The United States Department of Education (USDOE) revised its original guidance regarding how schools could utilize the ESSR funds that were available to local school districts. While cybersecurity was not officially mentioned in the first iteration, it was subsequently added to the allowable category and can be found in the ESSR FAQ document issued by the USDOE. This announcement more or less flew under most radars since cybersecurity was not initially listed in the first announcement. This has led to some confusion, but the FAQ is clear – these funds can be utilized for cybersecurity needs.

While only one-time grants, this infusion of funding can provide a much-needed boost for districts looking to improve their overall cybersecurity posture. That said, the funding comes with an important caveat – it can only be used for new initiatives that resulted from the pandemic. However, I would argue that the near-instantaneous push to remote learning options for students (and for school staff) introduced cybersecurity vulnerabilities that require new mitigation strategies, which fall well within the guidelines as established by USDOE.

Though this additional funding is welcome in a sector that continues to suffer from increasingly sophisticated attacks, real sustainable support for K-12 cybersecurity will likely need to come from the federal level. Localities just do not have the budgetary bandwidth to address what is now a nationwide crisis.

One potential area where long-term support is possible is by expanding ERATE. ERATE currently provides subsidies to public schools and libraries primarily for broadband and internet connectivity. A coalition of six organizations, on behalf of the nation’s public schools, petitioned the Federal Communication Commission in February of 2021 to expand ERATE to include cybersecurity. This infusion of dedicated sustainable funds would allow our nation’s public schools the ability to begin to build out a cyber practice that has the ability to defend against the bad actors meaning to do our schools harm.    

Without a long-term solution, the nation’s students and public schools remain at risk from cybercriminals. With more devices in the hands of students and with greater connectivity than ever before, it is reasonable to assume this problem is only going to grow bigger. Our public schools are at a tipping point, and while the recovery act funding may slow the bleeding, it does not fix the problem. Additional funding streams will need to be identified and sustained to keep pace with the evolving cyber challenges.

Vince Scheivert
Director of Technical Strategy
Vince Scheivert is the Director of Technical Strategy at Telos Corporation.
Read full bio

Subscribe to Our Newsletter

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.