A December report by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) found that over half of all reported ransomware attacks this fall targeted K-12 school districts. With cyber criminals routinely holding school networks hostage and threatening the sensitive personal data of students, teachers and families, only the federal government has the ability to collect and disseminate interstate data about new cyber threats, provide resources to help school districts acquire technological safeguards and work across international borders to target bad actors.
In Toledo, Ohio, and Fairfax County, Va., attackers threatened to make the personal information of students and educators public. School districts in Baltimore, Md., and Hartford, Conn., were forced to cancel several days of school due to ransomware. On the first day of classes, the Miami-Dade County Public Schools in Florida, the fourth-largest U.S. district, saw their networks overwhelmed by a ransomware attack. And most recently, Buffalo Public Schools in New York discovered that students’ names, birthdays, addresses and more had been exposed, along with bank account details for vendors.
These experiences are traumatizing, dangerous and extremely costly for school districts. Many have already stretched their resources to get students connected for virtual learning and don’t have the funds or expertise to ensure that their connections and devices are secure and safe. And cybersecurity insurance is getting harder to get and more expensive. School budgets certainly cannot afford to pay millions of dollars in ransom to threatening data thieves, especially knowing they could return again and again.
While students are leaving their classrooms for summer vacation, technology for learning is here to stay in the next school year — and with that, so are cyber attacks. Targeted cybersecurity funding from the Federal Communications Commission (FCC) is urgently needed and would allow at-risk schools to protect their students, educators and networks. Federal leaders should not only seek to connect schools and students to broadband, but also protect them and their data from predators.
The FCC should modernize its existing E-rate program, the largest funding source for school connectivity, by updating its definition of “basic” firewall protections to reflect what schools’ basic needs really are; increasing budget caps for cybersecurity investments; and changing the meaning of “broadband” to be inclusive of cybersecurity measures. Other federal agencies, such as CISA and the Department of Education, should step up as well to be partners with school systems in addressing cybersecurity, including by providing additional real-time information about emergency threats. All told, the federal government will need to step up in several ways, including strengthening the E-rate program, if we are to be prepared for the year ahead.
Getting students and teachers online to increase learning equity is a noble and important cause, but doing so without proper network and personal protections in place is foolish. The FCC must bring the E-rate program into this day and age, or it risks leaving critical institutions and sensitive student and personnel data vulnerable to ongoing attacks.
Keith Krueger is the CEO of the Consortium for School Networking. Michael Casserly is executive director of the Council of the Great City Schools.