Cyberattacks on K-12 schools are on the rise, but the White House hopes to change that with a new initiative. Strategic measures recently outlined by the Biden administration are aimed at bolstering the cybersecurity of schools, with action from the Federal Communications Commission (FCC), the Department of Education, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the private sector.
The new measures come after a December 2022 Government Accountability Office (GAO) report which highlighted that 647,000 students were impacted by ransomware attacks in 2021. It noted the prevalence of phishing events, distributed denial-of-service attacks, and video conferencing disruptions as well. According to the report, schools revealed that cyber incidents can cost $50,000 to $1 million in expenses. Likewise, a report from CISA earlier this year called for school officials to prioritize cybersecurity risk management, build relationships with CISA and the FBI, and utilize information sharing forums.
The White House announcement noted that at least eight school districts were impacted by significant cyberattacks during the 2022-2023 academic year, with four resulting in class cancellations or school closures. Other incidents affected education institutions as well. The MOVEit attack in May infiltrated the Minnesota Department of Education, exposing the names of about 95,000 students and other personal information. A similar story played out at the New York City Department of Education: approximately 45,000 students were impacted, in addition to staff and related service providers.
The first of the White House’s measures, originally announced by FCC chairwoman Jessica Rosenworcel in July, proposes a pilot program for cybersecurity investment in schools and libraries. Managed through the Universal Service Fund, the program would provide up to $200 million over three years. This move would require a vote of the commission, and the full details of the proposal would be released upon adoption.
The pilot program marks a second cybersecurity proposal from the FCC in July. A few days later, the commission announced a cybersecurity certification and labeling program in which consumers would see a “U.S. Cyber Trust Mark” shield logo applied to smart products meeting security criteria established by the National Institute of Standards and Technology (NIST).
The announcement also drew attention to a newly released infrastructure brief jointly published by CISA and the Department of Education. The second brief in a series of five, it aids education professionals in building and sustaining core digital learning infrastructure. Key recommendations include enabling multi-factor authentication, using strong and unique passwords, reporting phishing, and updating software. To further the goals detailed in the brief, CISA will be providing individualized assessments, facilitating exercises, and delivering cybersecurity training for 300 new schools over the next academic year.
Indeed, transforming cybersecurity education has been a key goal of the White House. Its National Cyber Workforce and Education Strategy sought to make training less costly and more widely available. Published in late July, the strategy also called for skills-based hiring practices and improved career pathways within the cybersecurity field.
The FBI is taking part in the new effort, too, with plans to release updated resource guides so that state governments and educators are clear on how to report cybersecurity incidents and receive guidance from the federal government. This aligns with the White House’s National Cybersecurity Implementation Plan, released in July. Among the 65 federal agency initiatives in support of the strategy were goals to improve government coordination during cyberattacks.
The Department of Education will create a Government Coordinating Council that will coordinate schools’ cybersecurity policy among leaders. This will be the first step in the Department’s strategy to safeguard schools and districts from cybersecurity threats and support them in dealing with and recovering from such threats.
Finally, several companies are providing free or low-cost resources to school districts. Cloud software provider for schools PowerSchool is offering new free and subsidized training courses, tools, and resources to all U.S. schools and districts. D2L, an educational software suite developer, has made a commitment to expanding availability of cybersecurity courses. Cloudfare, an IT service management company, will offer a selection of free cybersecurity services to public school districts under 2,500 students.
Notably, Amazon Web Services (AWS) unveiled a $20 million cyber grant program in support of the White House measures. The commitment also includes plans to train IT education professionals through its digital learning center, AWS Skill Builder, which contains 40 security-related courses. Other plans include free cyber incident response assistance and security reviews of all relevant educational technologies.
The White House hosted an event, called “Back to School Safely: Cybersecurity Summit for K-12 Schools,” featuring the new agenda. It brought together key stakeholders, including First Lady Dr. Jill Biden, Secretary of Education Miguel Cardona, Secretary of Homeland Security Alejandro Mayorkas, school administrators, educators, and education technology providers from across the U.S.
“Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world,” Biden said. Cardona added, “We need to be taking these cyberattacks on schools as seriously as we do the physical attacks on critical infrastructure.”
