Why federal efforts to protect schools from cybersecurity threats fall short

p
Professor of Management University of North Carolina Greensboro
ppNir Kshetri does not work for consult own shares in or receive funding from any company or organisation that would benefit from this article and has disclosed no relevant affiliations beyond their academic appointmentppThe Conversation UK receives funding from these organisationsppView the full listppIn August 2023 the White House announced a plan to bolster cybersecurity in K12 schools and with good reason Between 2018 and midSeptember 2023 there were 386 recorded cyberattacks in the US education sector and cost those schools 351 billion K12 schools were the primary targetppThe new White House initiative includes a collaboration with federal agencies that have cybersecurity expertise such as the Cybersecurity and Infrastructure Security Agency the Federal Communications Commission and the FBI Technology firms like Amazon Google Cloudflare PowerSchool and D2L have pledged to support the initiative with training and resources ppWhile the steps taken by the White House are positive as someone who teaches and conducts research about cybersecurity I dont believe the proposed measures are enough to protect schools from cyberthreats Here are four reasons whyppCyberattacks on K12 schools increased more than eightfold in 2022 Educational institutions draw the interest of cybercriminals due to their weak cybersecurity This weak cybersecurity provides an opportunity to access networks containing highly sensitive informationppCriminals can exploit students information to apply for fraudulent government benefits and open unauthorized bank accounts and credit cards In testimony to the House Ways and Means Subcommittee on Social Security a Federal Trade Commission official noted that childrens Social Security numbers are uniquely valuable because they have no credit history and can be paired with any name and date of birth Over 10 of children enrolled in an identity protection service were discovered to have loansppCybercriminals can also use such information to launch ransomware attacks against schools Ransomware attacks involve locking up a computer or its files and demanding payment for their release The ransomware victimization rate in the education sector surpasses that of all other surveyed industries including health care technology financial services and manufacturingppSchools are especially vulnerable to cyberthreats because more and more schools are lending electronic devices to students Criminals have been found to hide malware within online textbooks and essays to dupe students into downloading it Should students or teachers inadvertently download malware onto schoolowned devices criminals can launch an attack on the entire school networkppWhen faced with such an attack schools can be desperate to comply with criminals demands to ensure students access to learningppK12 schools poor cybersecurity performance can be attributed in part to lack of staff About twothirds of school districts lack a fulltime cybersecurity position Those with cybersecurity staff often dont have the budget for a chief information security officer to oversee and manage the districts strategy Often the IT director takes on this role but they have a broader responsibility for IT operations without a specific emphasis on securityppThe lack of cybersecurity skills among existing staff hinders the development of strong cybersecurity programsppOnly 10 of educators say that they have a deep understanding of cybersecurity The majority of students say that they have minimal or no knowledge about cybersecurity Cybersecurity awareness tends to be even lower in higherpoverty districts where students have less access to cybersecurity educationppThe Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to an additional 300 K12 schools school districts and other organizations involved in K12 education in the forthcoming school year With 130930 K12 public schools and 13187 public school districts in the US CISAs plan serves only a tiny fraction of themppThe FCC has proposed a pilot program that would allocate 200 million over three years to boost cyberdefenses With an annual budget of 666 million this falls short of covering the entirety of cybersecurity costs given that it will cost an estimated 5 billion to adequately secure the nations K12 schoolsppThe costs encompass hardware and software procurement consulting testing and hiring data protection experts to combat cyberattacks Frequent training is also needed to respond to evolving threats As technology advances cybercriminals adapt their methods to exploit vulnerabilities in digital systems Teachers must be ready to address such risksppHow much should schools and districts be spending on cybersecurity Other sectors can serve as a model to guide K12 schoolsppOne way to determine cybersecurity funding is by the number of employees In the financial services industry for example these costs range from 1300 to 3000 per fulltime employee There are over 4 million teachers in the United States Setting cybersecurity spending at 1300 per teacher the low end of what financial firms spend would require K12 schools to spend a total of 5 billionppAn alternate approach is to determine cybersecurity funding relative to IT spending On average US enterprises are estimated to spend 10 of their IT budgets on cybersecurity Since K12 schools were estimated to spend more than 50 billion on IT in the 202021 fiscal year allocating 10 to cybersecurity would also require them to spend 5 billionppAnother approach is to allocate cybersecurity spending as a proportion of the total budget In 2019 cybersecurity spending represented 03 of the federal budget Federal state and local governments collectively allocate 810 billion for K12 education If schools set cybersecurity spending at 03 following the example of federal agencies that would require an annual budget of 24 billionppBy contrast a fifth of schools dedicate less than 1 of their IT budgets not their entire budgets to cybersecurity In 12 of school districts there is no allocation for cybersecurity at allpp

Thinking Differently in Hydrogen webinar series

Uxbridge Hillingdon
pp

In the Company of Monsters New Visions Ancient Myths

Reading Reading
pp

Shakespeares First Folios a 400year journey

London Camden
pp

Charles Holdens Master Plan Building the Bloomsbury Campus

London Camden
pp

Pupil absence Questions for policy for research and in practice


pp
Copyright 20102024 The Conversation Trust UK Limited
p