In August 2023, the White House announced plans to strengthen cybersecurity in K-12 schools, and for good reason. From 2018 to mid-September 2023, 386 cyberattacks were recorded in the U.S. education sector, resulting in $35.1 billion in damages to these schools. K-12 schools were the primary target.
The White House's new efforts include collaboration with federal agencies with cybersecurity expertise, including the Cybersecurity and Infrastructure Security Agency, Federal Communications Commission, and FBI. Technology companies like Amazon, Google, Cloudflare, PowerSchool, and D2L are committed to supporting this effort through training and resources.
While the steps taken by the White House are positive, as someone who teaches and researches cybersecurity, I do not believe the proposed steps are sufficient to protect schools from cyber threats. There are four reasons why.
1. Schools face more cyber threats than any other sector
Cyberattacks against K-12 schools increased more than eight times in 2022. Educational institutions are of interest to cybercriminals due to their weak cybersecurity. This weak cybersecurity creates an opportunity to access networks containing highly sensitive information.
Criminals can use student information to apply for fraudulent government benefits or open fraudulent bank accounts or credit cards. Federal Trade Commission officials said in testimony before the House Ways and Means Subcommittee on Social Security that a child's Social Security number has no credit history and can be combined with any name or date of birth. He said it has its own value. More than 10% of children registered with identity protection services were found to have loans.
Cybercriminals can also use such information to launch ransomware attacks against schools. A ransomware attack locks your computer or its files and demands a payment to free it. Ransomware victimization rates in education exceed those of all other industries surveyed, including healthcare, technology, financial services, and manufacturing.
Schools are becoming especially vulnerable to cyber threats as more schools loan students electronic devices. It turns out that criminals were hiding malware inside online textbooks and essays in an attempt to trick students into downloading them. If a student or teacher accidentally downloads malware onto a school-owned device, criminals can launch attacks across the school network.
In the face of such attacks, schools can become desperate to meet criminal demands to ensure student access to learning.
2. There is a shortage of cybersecurity personnel in schools.
Staff shortages may be a contributing factor to K-12 schools' poor cybersecurity performance. About two-thirds of school districts lack full-time cybersecurity positions. Companies with cybersecurity staff often don't have the budget for a chief information security officer to oversee and manage the district's strategy. An IT director often assumes this role, but has broader responsibility for IT operations without a specific focus on security.
3. Schools lack cybersecurity skills
A lack of cybersecurity skills among existing staff is hindering the development of a strong cybersecurity program.
Only 10% of educators say they have a deep understanding of cybersecurity. The majority of students say they have little or no knowledge of cybersecurity. Cybersecurity awareness tends to be even lower in high-poverty neighborhoods because students have less access to cybersecurity education.
The Cybersecurity and Infrastructure Security Agency plans to provide cybersecurity training to 300 more K-12 schools, school districts, and other organizations involved in K-12 education next school year. CISA plans represent only a small portion of the 130,930 K-12 public schools and 13,187 public school districts in the United States.
4. Lack of funds
The FCC has proposed a pilot program that would allocate $200 million over three years to strengthen cyber defenses. Given that it costs an estimated $5 billion to properly secure K-12 schools across the country, his annual budget of $66.6 million is insufficient to cover the entire cost of cybersecurity.
This cost includes hardware and software procurement, consulting, testing, and hiring data protection experts to combat cyberattacks. Frequent training is also required to keep up with evolving threats. As technology advances, cybercriminals are adopting methods to exploit vulnerabilities in digital systems. Teachers must be prepared to deal with such risks.
It costs a lot
How much should schools and districts spend on cybersecurity? Other sectors can also serve as models to guide K-12 schools.
One way to determine cybersecurity funding is by the number of employees. For example, in the financial services industry, these costs range from $1,300 to $3,000 per full-time employee. There are over 4 million teachers in the United States. If we set cybersecurity spending at $1,300 per teacher (the lower limit for financial companies' spending), K-12 schools would need to spend a total of $5 billion.
Another approach is to determine cybersecurity funding relative to IT spending. It is estimated that on average, US companies spend 10% of their IT budget on cybersecurity. K-12 schools are estimated to spend more than $50 billion on IT in the 2020-21 school year, so to allocate their 10% to cybersecurity, they would also need to spend $5 billion.
Another approach is to allocate cybersecurity spending as a percentage of the total budget. In 2019, cybersecurity spending accounted for 0.3% of the federal budget. Federal, state, and local governments allocate a combined $810 billion for K-12 education. If schools followed the federal agency's example and set cybersecurity spending at 0.3%, they would need an annual budget of $2.4 billion.
In contrast, one-fifth of schools devote less than 1% of their IT budget to cybersecurity (not the entire budget). 12% of school districts have no allocation at all for cybersecurity.
This article is republished from The Conversation, a nonprofit, independent news organization that provides facts and trusted analysis to help you make sense of our complex world.Author: Nil Kshetri University of North Carolina Greensboro
read more:
Nil Kshetri does not work for, consult, own shares in, or receive funding from any company or organization that might benefit from this article, and does not have any relevant affiliations other than an academic appointment. has not been made clear either.
