CISA to come to cybersecurity aid of schools
President Biden has signed legislation that requires the Cybersecurity and Infrastructure Security Agency (CISA) to create cybersecurity recommendations and tools for schools to use to defend themselves against cybercriminals.
The bipartisan K-12 Cybersecurity Act was sponsored by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Sens. Rick Scott (R-Fla.), Jacky Rosen (D-Nev.) and Bill Cassidy (R-La.) in response to the wave of ransomware attacks that crippled school systems including Miami-Dade County, Fla.; Baltimore County, Md.; and Fairfax County, Va.
Rep. Jim Langevin (D-R.I.) primarily sponsored the bill in the House, with Reps. Doris Matsui (D-Calif.), Andrew Garbarino (R-N.Y.), Andrew Clyde (R-Ga.) and Elissa Slotkin (D-Mich.) also signing on as co-sponsors.
Earlier this year a report published by the K-12 Cybersecurity Resource Center identified 408 cybersecurity incidents that hit K-12 institutions, an 18% increase from 2019. That’s roughly equivalent to two cyberattacks per school day, the report noted.
It’s not clear just yet precisely how CISA will be able to help schools that typically depend on a small number of IT professionals to manage not just security, but every other aspect of IT. CISA is an arm of the Department of Homeland Security (DHS) created to improve cybersecurity across all levels of government, coordinate cybersecurity programs with U.S. states, and generally improve the ability of U.S. government institutions to defend themselves against cyberattacks. As part of that role, CISA creates cybersecurity tools and provides incident response services and assessment capabilities.
Cybersecurity challenges for schools
Given the challenges faced by IT personnel who manage systems on behalf of school districts, any additional cybersecurity help is, of course, more than welcome, especially when that help is free. Most school districts don’t really have the budget dollars required to mount a meaningful cybersecurity defense in a challenging IT environment where students and teachers alike may not be paying as much attention to cybersecurity as they should.
The nonprofit K12 Security Information Exchange (K12 SIX) is one of several organizations trying to improve the overall cybersecurity posture of school districts. It recently published a set of best cybersecurity practices for K–12 schools that is based on a free self-assessment tool it created. The best practices guide addresses everything from determining whether protections have been implemented properly to impact and overall costs.
Of course, the biggest cybersecurity cost is always labor. Most school districts can’t afford to hire full-time cybersecurity professionals. There are, however, a lot of cybersecurity experts who live within those school districts. Many of those individuals are, of course, already overworked. However, the owners of the organizations those cybersecurity professionals work for could make a major contribution to their local communities by donating some of their time to help protect local schools.
More than a few cybersecurity professionals already donate their own free time in ways that are largely unheralded. It’s clear that more is needed in the way of professional cybersecurity expertise. Organizations that already have a security operations center, for example, could adopt a school district. School districts rank among the most vulnerable targets for a cybersecurity attack. At a time when cyberattacks against school districts are now part of a larger crisis, the need for organizations to ask what they can do for their local community during this national emergency has never been greater.