Panelists painted a picture of a world of cybersecurity changing rapidly with technological advancements. On the positive side, Ford said, cybersecurity teams can now leverage artificial intelligence to identify and prioritize system vulnerabilities, detect cyber threats in real time and automate incident responses. Additionally, schools can use AI to better keep track of user compliance with safety protocols, which is important as compromised passwords are the biggest threat to security at Irvine Unified, she said. AI can also be used to train users, especially for incident simulations.
Ford cited figures from Acumen Research and Consulting estimating that the global market for AI-based cybersecurity products was at $15 billion in 2021 and will grow to $135 billion by 2030, and she said that is probably an underestimation.
However, attackers are leveraging the latest tech as well, and Ford said advancements in threats outpace advancements in protections.
“We’re finding that the number of investigations that we're being asked to do by administrators, due to student bad behavior or content that is out there about our administrators and our teachers — that number is increasing,” she said. “Our ability to give them a confident and definitive answer about who did it and whether or not it’s real is declining, and that's pretty heartbreaking.”
In addition to the quantity of threats, Ford said her district has seen some surprising uses of AI in the last few years.
For example, one student used AI to create a website that looked much like Canvas, a learning management system, then launched a phishing scam aimed at school faculty to gather their login information. Once the student had login credentials, they only accessed Canvas to change one grade, but Ford’s team had to go through 8 million student gradebook records to ensure no other grades had been changed. They were able to go through that many records so quickly thanks to AI tools, Ford said, but the incident speaks to how easy it is for attackers to create realistic and personalized attacks with new technologies, and that threats can come from within an organization.
Another internal threat, Ford said, comes from some parent organizations, like Moms for Liberty, who are using AI to create differentiated survey responses and influence policy. They flood the survey with responses that are different, but uphold the organization’s beliefs, which can make it hard to decipher what the majority of the community actually wants, Ford said.
Regarding external threats, she said ransomware attacks now often include more than one party: One attacker infiltrates the school's network and compromises data, and another attacker installs ransomware, making it harder to identify and extinguish the threat.
With all of these changes, the need for effective cybersecurity tools with demonstrated benefits and robust training is greater than ever, Ford said. Procuring new tools, updating hardware, and implementing training and professional development can be costly, but Barrett Snider and Nick Romley, representing the education lobbying organization Capitol Advisors Group, said California schools may soon have the funding and opportunity to make it happen.
In California, Proposition 98 guarantees a minimum amount of education funding each year based on revenue and attendance. When California legislators suspend Prop 98 and opt to fund schools under the calculated minimum, as they did last year, they essentially owe schools the difference, Snider said.
For the 2023-24 state budget, the Prop 98 guarantee would have required $106.8 billion for schools and community colleges, but they were only given $98.5 billion as the state determined it could not afford the full amount. As stipulated in the proposition, the $8.3 billion difference must be paid in the form of one-time payments at a time when revenue is growing quickly relative to per-capita personal income. The state's obligation to do this is called the maintenance factor.
According to Snider, the state has been collecting more tax revenue than anticipated this year due to an improving economy and stock market growth after the presidential election. All signs point to schools receiving one-time funding from the state in the next year, which could be put toward cybersecurity advancements.
Additionally, recent state laws have given schools more control over technology usage. Assembly Bill 3216, for example, requires K-12 schools to limit or prohibit use of devices like smartphones at school, and Senate Bill 1283 allows schools to adopt a policy limiting or prohibiting the use of social media at school.
According to Snider and Romley, cybersecurity is a good candidate for one-time funding. It can be used to purchase new devices and contracts with tech vendors for a multiyear period, which can help get schools through this period of rapid advancement.
As schools consider using maintenance factor funding to support cybersecurity, Ford and Jeff Pelzel, a former superintendent and current director of executive leadership and education strategy at PowerSchool, said schools should include the whole organization in conversations about cybersecurity and develop expectations for vendors they partner with.
Ford said cybersecurity vendors should have demonstrated effectiveness and a successful pilot implementation, be transparent about what data they gather and how it is used, share how their product is sustainable for schools with limited budget and personnel, and have knowledgeable and responsive support staff.
“It just isn't urgent until it happens to you,” Pelzel said.
