Meeting the Cybersecurity Needs of the K-12 Education Sector: The Federal Role

The national policy and cybersecurity community writ large have all but ignored the evolving needs of the K-12 education sector save to view it solely as the vehicle to train the workforce of the future. There are several reasons why this view is particularly short-sighted.

First, through the E-rate program, other federal education technology programs and initiatives (past and present), and regulations, the White House, Congress, the FCC, NSF, and the U.S. Department of Education have all encouraged school systems to embrace digital transformation, including through the transfer of billions of dollars a year for this express purpose. To the extent that some school districts may have lagged behind, the need to embrace remote learning during the COVID-19 pandemic has helped to close that gap. Yet, there are precious few federal resources for – or requirements concerning – the cybersecurity risk management practices of school districts. In fact, cybersecurity-related equipment and services are often expressly disqualified from purchase under federal educational technology programs.

Second, school district IT systems are not an island; they regularly communicate with other private and municipal, state, and federal IT systems. During 2018, one-third of all North Dakota schools were reportedly hacked by foreign entities, compromising their link to state IT systems interconnected with more confidential state departments like the Treasury and Department of Agriculture. Two months before the 2016 U.S. presidential election, international hackers compromised the networks of at least four Florida school districts, searching for ways to slip into other sensitive government systems, including state voting systems. Supporting in some cases tens of thousands of end users, school district computers and IT equipment have also been subject to takeover by malicious botnets whose targets include both private and public entities far beyond the confines of school district property. The risks created by insecure school IT systems (well documented by the K-12 Cyber Incident Map) are not limited to school districts themselves.

Third – and without devolving too deep into the politics of the day – the national response to COVID-19 has served to demonstrate that school districts are in fact ‘critical infrastructure,’ deserving of both the benefits and responsibilities of such a designation.

The Report of the Cyberspace Solarium Commission

It was therefore disappointing, but unsurprising, to read the comprehensive recommendations of the final report of the U.S. Cyberspace Solarium Commission through the lens of the needs of – and possible roles for – the K-12 education sector. According to its website, the Cyberspace Solarium Commission (CSC) was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to:

“develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”

Not only did the report and its 80 recommendations (organized into 6 thematic pillars) offer little in the way of insight into how the evolving cybersecurity risks of the sector could be better addressed, it offered a relatively unsophisticated diagnosis of how schools could more effectively address workforce preparation issues. That is not to say that some recommendations – if implemented – wouldn’t benefit the sector. For instance, many of the recommendations under Pillar 4 (‘Reshape the Cyber Ecosystem Toward Greater Security’) would surely benefit schools, so long as they were not excluded or exempted from participating. Indeed, given recent findings about the state of cybersecurity education from CYBER.ORG, I also have no doubt the report’s recommendations were very well received in some K-12-focused quarters and would do some good.

Nonetheless, the report overlooks two foundational structural challenges facing K-12 schools (and their partners and vendors) in shoring up their cybersecurity risk management practices: (1) there exist, for all intents and purposes, no baseline cybersecurity expectations for school districts nationwide, and (2) there currently exists no K-12-sector-specific organization that can be said to represent the interests of local and state educational agencies in interfacing with the national policy and cybersecurity community on these issues and/or that can serve to coordinate responses to evolving threat intelligence across U.S. schools and districts nationwide in a timely fashion.** Any proposal – no matter how well-intentioned – that does not recognize these facts is bound to face significant implementation challenges.

Strategies to Boost Student Cyber Hygiene and Cybersecurity Awareness

In turning attention to the question of the need for cybersecurity education to be taught in K-12 schools, the most promising responses will have considered the reasons for its current status as a curricular stepchild. Are current approaches high-quality, engaging, affordable, and easily accessible by schools (i.e., is the issue primarily with the supply-side equation of cybersecurity curricula uptake)? Or, could the larger issue be one of demand? If schools are not currently ‘enlightened enough’ to seek out cybersecurity education curricula of their own accord, what might be viable policy levers to generate that demand and to do so at scale?

Given the persistent demands placed on school districts to teach traditional topics in new ways, while also always introducing new topics, I’d assert that of all the challenges facing school leaders, a lack of content to teach (and serviceable curricula) is not one. In fact, the curricular choices facing school district leaders – and demands for them to teach new content – are overwhelming. This matters because schools remain the best way to reach students at scale. Even the most successful supplemental, after-school, or summer camp programs, for instance, will reach only a minuscule fraction of the nation’s students. (That is not to say that improving existing cybersecurity education curricula and increasing its accessibility is not valuable, just that those efforts alone are unlikely to move the needle on a national scale.)

Instead, if Congress (for example) were interested in moving the needle on the cybersecurity awareness/cyber hygiene practices of today’s students, I’d focus squarely on the issue of demand and on answering this question: What could the federal government do to stoke demand for cybersecurity awareness programs in schools? While on its surface this is a straightforward question, many answers – such as those involving academic standards and mandatory student testing – will veer dangerously into a political morass (see, e.g., the federal government’s involvement in advocating for ‘college and career ready standards’ for a recent history lesson on the state of K-12 public policymaking). Indeed, even with a pre-existing, large, organized, and savvy community committed to expanding the teaching of cybersecurity concepts and career awareness within the education profession, any process to influence state standards and assessment could take a decade or more to implement.

Congress Should Amend CIPA to Boost Cybersecurity Education

Thankfully, there exists a simple and elegant step Congress could take that would go a long way to meeting the goals set forth by the Cyberspace Solarium Commission with respect to workforce preparation issues: amending the Children’s Internet Protection Act (CIPA) to require the teaching of cybersecurity hygiene and career awareness to all students in schools that benefit from the E-rate program.

CIPA was originally enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet. In 2008, it was amended by the Protecting Children in the 21st Century Act to require that “schools’ Internet safety policies…provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.”

As concerns over children’s access to and use of the internet in and out of school are evolving, so too must the mandates on schools’ technology-related educational programs evolve to keep pace. Amending CIPA offers perhaps the most straightforward, time-tested approach to introducing cybersecurity instruction into the school experiences of students at scale. It would empower cybersecurity champions already working in and with schools and stoke demand for more and better cybersecurity education curricula. Moreover, by introducing this curricular mandate, educators and parents could also benefit as secondary audiences.

It is not a perfect solution. Surely some will raise issues of unfunded mandates, and it may take time for schools to learn how to differentiate between better and worse approaches to teaching this material. Others will raise concerns about enforcement mechanisms to ensure school district compliance with an amended CIPA.

In response, I would simply note that none of these issues are insurmountable and that – like many things in life – there exists the possibility of progress if we ensure that our pursuit of perfection doesn’t get in the way.

Many of the recommendations of the U.S. Cyberspace Solarium Commission are currently being considered in Congress. My hope is that this modest proposal be advanced as part of that package. While there is more that the national policy and cybersecurity community can and needs to do in partnership with the K-12 education sector, this is a common sense first step.


** It is for this very reason that I have partnered with the Global Resilience Federation and other allies to gain support for and launch the K-12 Security Information Exchange (K12 SIX). K12 SIX is a new non-profit member community and cyber threat intelligence sharing hub for school districts, dedicated to scaling the prevention and mitigation of cyber threats facing schools nationwide. It benefits school districts by crowdsourcing real-time security information among a vetted, trusted group of professionals with a common interest, using common technology and with supporting, independent analysis from expert K12 SIX security staff.