Why federal efforts to protect schools from cybersecurity threats fall short

In August 2023, the White House announced^[1] a plan to bolster cybersecurity in K-12 schools – and with good reason. Between 2018 and mid-September 2023, there were 386 recorded cyberattacks^[2] in the U.S. education sector and cost those schools $35.1 billion. K-12 schools were the primary target.

The new White House initiative includes a collaboration with federal agencies that have cybersecurity expertise, such as the Cybersecurity and Infrastructure Security Agency, the Federal Communications Commission^[3] and the FBI^[4]. Technology firms like Amazon, Google, Cloudflare, PowerSchool and D2L have pledged to support the initiative^[5] with training and resources.

While the steps taken by the White House are positive, as someone who teaches^[6] and conducts research^[7] about cybersecurity, I don’t believe the proposed measures are enough to protect schools from cyberthreats. Here are four reasons why:

1. Schools face more cyberthreats than other sectors

Cyberattacks on K-12 schools increased more than eightfold^[8] in 2022. Educational institutions draw the interest of cybercriminals^[9] due to their weak cybersecurity^[10]. This weak cybersecurity provides an opportunity to access networks containing highly sensitive information.

Criminals can exploit students’ information^[11] to apply for fraudulent government benefits and open unauthorized bank accounts and credit cards^[12]. In testimony to the House Ways and Means Subcommittee on Social Security, a Federal Trade Commission official noted that children’s Social Security numbers are uniquely valuable because they have no credit history and can be paired with any name and date of birth. Over 10% of children enrolled in an identity protection service were discovered to have loans^[13].

Cybercriminals can also use such information to launch ransomware attacks against schools. Ransomware attacks involve locking up a computer or its files and demanding payment for their release. The ransomware victimization rate in the education sector surpasses that of all other surveyed industries^[14], including health care, technology, financial services and manufacturing.

Schools are especially vulnerable to cyberthreats because more and more schools are lending electronic devices^[15] to students. Criminals have been found to hide malware^[16] within online textbooks and essays to dupe students into downloading it. Should students or teachers inadvertently download malware onto school-owned devices, criminals can launch an attack on the entire school network.

When faced with such an attack, schools can be desperate to comply^[17] with criminals’ demands to ensure students’ access to learning^[18].

2. Schools lack cybersecurity personnel

K-12 schools’ poor cybersecurity performance can be attributed, in part, to lack of staff. About two-thirds of school districts^[19] lack a full-time cybersecurity position. Those with cybersecurity staff often don’t have the budget^[20] for a chief information security officer to oversee and manage the district’s strategy. Often, the IT director takes on this role^[21], but they have a broader responsibility for IT operations without a specific emphasis on security.

3. Schools lack cybersecurity skills

The lack of cybersecurity skills^[22] among existing staff hinders the development of strong cybersecurity programs.

Only 10% of educators^[23] say that they have a deep understanding of cybersecurity. The majority of students say that they have minimal or no knowledge^[24] about cybersecurity. Cybersecurity awareness tends to be even lower in higher-poverty districts^[25], where students have less access^[26] to cybersecurity education.

The Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to an additional 300 K-12 schools, school districts and other organizations involved in K-12 education^[27] in the forthcoming school year. With 130,930 K-12 public schools^[28] and 13,187 public school districts^[29] in the U.S., CISA’s plan serves only a tiny fraction of them.

4. Inadequate funding

The FCC^[30] has proposed a pilot program that would allocate $200 million^[31] over three years to boost cyberdefenses. With an annual budget of $66.6 million, this falls short of covering the entirety of cybersecurity costs, given that it will cost an estimated $5 billion to adequately secure the nation’s K-12 schools.

The costs encompass^[32] hardware and software procurement, consulting, testing, and hiring data protection experts to combat cyberattacks. Frequent training^[33] is also needed to respond to evolving threats. As technology advances, cybercriminals adapt their methods to exploit vulnerabilities in digital systems. Teachers must be ready to address such risks.

Costs are sizable

How much should schools and districts be spending on cybersecurity? Other sectors can serve as a model to guide K-12 schools.

One way to determine cybersecurity funding is by the number of employees. In the financial services industry, for example, these costs range from $1,300 to $3,000^[34] per full-time employee. There are over 4 million teachers^[35] in the United States. Setting cybersecurity spending at $1,300 per teacher – the low end of what financial firms spend – would require K-12 schools to spend a total of $5 billion.

An alternate approach is to determine cybersecurity funding relative to IT spending. On average, U.S. enterprises are estimated to spend 10%^[36] of their IT budgets on cybersecurity. Since K-12 schools were estimated to spend more than $50 billion^[37] on IT in the 2020-21 fiscal year, allocating 10% to cybersecurity would also require them to spend $5 billion.

Another approach is to allocate cybersecurity spending as a proportion of the total budget. In 2019, cybersecurity spending represented 0.3%^[38] of the federal budget. Federal, state and local governments collectively allocate $810 billion^[39] for K-12 education. If schools set cybersecurity spending at 0.3%, following the example of federal agencies, that would require an annual budget of $2.4 billion.

By contrast, a fifth of schools dedicate less than 1% of their IT budgets^[40] – not their entire budgets – to cybersecurity. In 12% of school districts^[41], there is no allocation for cybersecurity at all.

References

1. ^{^} announced (www.whitehouse.gov)
2. ^{^} 386 recorded cyberattacks (www.k12dive.com)
3. ^{^} the Cybersecurity and Infrastructure Security Agency, the Federal Communications Commission (www.whitehouse.gov)
4. ^{^} the FBI (www.the74million.org)
5. ^{^} pledged to support the initiative (www.cnbc.com)
6. ^{^} teaches (www.uncg.edu)
7. ^{^} research (scholar.google.com)
8. ^{^} increased more than eightfold (blog.sonicwall.com)
9. ^{^} draw the interest of cybercriminals (theconversation.com)
10. ^{^} weak cybersecurity (resources.securityscorecard.com)
11. ^{^} exploit students’ information (www.ftc.gov)
12. ^{^} unauthorized bank accounts and credit cards (www.computer.org)
13. ^{^} discovered to have loans (www.ftc.gov)
14. ^{^} surpasses that of all other surveyed industries (assets.sophos.com)
15. ^{^} lending electronic devices (chicago.chalkbeat.org)
16. ^{^} hide malware (www.kaspersky.com)
17. ^{^} desperate to comply (buffalonews.com)
18. ^{^} ensure students’ access to learning (www.nytimes.com)
19. ^{^} two-thirds of school districts (www.edweek.org)
20. ^{^} don’t have the budget (edtechmagazine.com)
21. ^{^} the IT director takes on this role (edtechmagazine.com)
22. ^{^} lack of cybersecurity skills (www.plantemoran.com)
23. ^{^} 10% of educators (cyber.org)
24. ^{^} minimal or no knowledge (cyber.org)
25. ^{^} lower in higher-poverty districts (cyber.org)
26. ^{^} less access (www.darkreading.com)
27. ^{^} 300 K-12 schools, school districts and other organizations involved in K-12 education (www.whitehouse.gov)
28. ^{^} 130,930 K-12 public schools (research.com)
29. ^{^} 13,187 public school districts (ballotpedia.org)
30. ^{^} The FCC (www.fcc.gov)
31. ^{^} $200 million (docs.fcc.gov)
32. ^{^} The costs encompass (nordlayer.com)
33. ^{^} Frequent training (www.govpilot.com)
34. ^{^} $1,300 to $3,000 (cybersecurity.att.com)
35. ^{^} over 4 million teachers (www.weareteachers.com)
36. ^{^} U.S. enterprises are estimated to spend 10% (venturebeat.com)
37. ^{^} more than $50 billion (edtechevidence.org)
38. ^{^} 0.3% (cybersecurity.att.com)
39. ^{^} $810 billion (educationdata.org)
40. ^{^} dedicate less than 1% of their IT budgets (www.securitymagazine.com)
41. ^{^} 12% of school districts (www.edweek.org)