Why federal efforts to protect schools from cybersecurity threats fall short

A dual language program pre-k teacher helps a student with his classwork on Monday, Nov. 27, 2023 at Gregg Elementary School in Houston. Houston Chronicle/Hearst Newspapers via Getty Images / Contributor

 


K-12 schools are especially vulnerable to cyberattack because they lack the cybersecurity expertise and funding essential to protecting students' sensitive information.

In August 2023, the White House announced a plan to bolster cybersecurity in K-12 schools – and with good reason. Between 2018 and mid-September 2023, there were 386 recorded cyberattacks in the U.S. education sector, which cost those schools $35.1 billion. K-12 schools were the primary target.

The new White House initiative includes a collaboration with federal agencies that have cybersecurity expertise, such as the Cybersecurity and Infrastructure Security Agency, the Federal Communications Commission and the FBI. Technology firms like Amazon, Google, Cloudflare, PowerSchool and D2L have pledged to support the initiative with training and resources.

While the steps taken by the White House are positive, as someone who teaches and conducts research about cybersecurity, I don’t believe the proposed measures are enough to protect schools from cyberthreats. Here are four reasons why:

1. Schools Face More Cyberthreats Than Other Sectors

Cyberattacks on K-12 schools increased more than eightfold in 2022. Educational institutions draw the interest of cybercriminals due to their weak cybersecurity. This weak cybersecurity provides an opportunity to access networks containing highly sensitive information.

Criminals can exploit students’ information to apply for fraudulent government benefits and open unauthorized bank accounts and credit cards. In testimony to the House Ways and Means Subcommittee on Social Security, a Federal Trade Commission official noted that children’s Social Security numbers are uniquely valuable because they have no credit history and can be paired with any name and date of birth. Over 10% of children enrolled in an identity protection service were discovered to have loans.

Cybercriminals can also use such information to launch ransomware attacks against schools. Ransomware attacks involve locking up a computer or its files and demanding payment for their release. The ransomware victimization rate in the education sector surpasses that of all other surveyed industries, including health care, technology, financial services and manufacturing.

Schools are especially vulnerable to cyberthreats because more and more schools are lending electronic devices to students. Criminals have been found to hide malware within online textbooks and essays to dupe students into downloading it. Should students or teachers inadvertently download malware onto school-owned devices, criminals can launch an attack on the entire school network.

When faced with such an attack, schools can be desperate to comply with criminals’ demands to ensure students’ access to learning.

2. Schools Lack Cybersecurity Personnel

K-12 schools’ poor cybersecurity performance can be attributed, in part, to a lack of staff. About two-thirds of school districts lack a full-time cybersecurity position. Those with cybersecurity staff often don’t have the budget for a chief information security officer to oversee and manage the district’s strategy. Often, the IT director takes on this role, but they have a broader responsibility for IT operations without a specific emphasis on security.

3. Schools Lack Cybersecurity Skills

The lack of cybersecurity skills among existing staff hinders the development of strong cybersecurity programs.

Only 10% of educators say that they have a deep understanding of cybersecurity. The majority of students say that they have minimal or no knowledge about cybersecurity. Cybersecurity awareness tends to be even lower in higher-poverty districts, where students have less access to cybersecurity education.

The Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to an additional 300 K-12 schools, school districts and other organizations involved in K-12 education in the forthcoming school year. With 130,930 K-12 public schools and 13,187 public school districts in the U.S., CISA’s plan serves only a tiny fraction of them.

4. Inadequate Funding

The FCC has proposed a pilot program that would allocate $200 million over three years to boost cyberdefenses. With an annual budget of $66.6 million, this falls short of covering the entirety of cybersecurity costs, given that it will cost an estimated $5 billion to adequately secure the nation’s K-12 schools.

The costs encompass hardware and software procurement, consulting, testing, and hiring data protection experts to combat cyberattacks. Frequent training is also needed to respond to evolving threats. As technology advances, cybercriminals adapt their methods to exploit vulnerabilities in digital systems. Teachers must be ready to address such risks.

Costs Are Sizable

How much should schools and districts be spending on cybersecurity? Other sectors can serve as a model to guide K-12 schools.

One way to determine cybersecurity funding is by the number of employees. In the financial services industry, for example, these costs range from $1,300 to $3,000 per full-time employee. There are over 4 million teachers in the United States. Setting cybersecurity spending at $1,300 per teacher – the low end of what financial firms spend – would require K-12 schools to spend a total of $5 billion.

An alternate approach is to determine cybersecurity funding relative to IT spending. On average, U.S. enterprises are estimated to spend 10% of their IT budgets on cybersecurity. Since K-12 schools were estimated to spend more than $50 billion on IT in the 2020-21 fiscal year, allocating 10% to cybersecurity would also require them to spend $5 billion.

Another approach is to allocate cybersecurity spending as a proportion of the total budget. In 2019, cybersecurity spending represented 0.3% of the federal budget. Federal, state and local governments collectively allocate $810 billion for K-12 education. If schools set cybersecurity spending at 0.3%, following the example of federal agencies, that would require an annual budget of $2.4 billion.

By contrast, a fifth of schools dedicate less than 1% of their IT budgets – not their entire budgets – to cybersecurity. In 12% of school districts, there is no allocation for cybersecurity at all.


Nir Kshetri, Professor of Management, University of North Carolina – Greensboro

This article is republished from The Conversation under a Creative Commons license. Read the original article.
