School districts and libraries nationwide have increasingly been victims of sophisticated cyberattacks by criminals who find the educational sector more vulnerable than commercial entities. Schools and libraries do not have large IT staff and only have modest budgets to protect their networks. Cybercriminals seek to shut down the IT network and seize sensitive data about the students, faculty, and staff that may find its way to the dark web. Cybercriminals sometimes demand a hefty ransom from the school district or library to return the network to an operational state instead of selling the sensitive data to criminals who would exploit it.

Attacks on schools can disrupt critical educational instruction, transportation between school and home, employee payroll, and school-provided meal access. The Government Accountability Office (GAO) reported that in 2021, 647,000 K-12 students were affected by ransomware attacks, and the resulting costs to the school districts due to these attacks were estimated at$2.38 billion. K-12 Security Information Exchange estimates that more than 1,330 publicly disclosed attacks have occurred since 2016.

At the end of last year, the Cybersecurity and Infrastructure Security Agency (CISA) said, "There is simply no way we can expect school districts, whose primary objective is to ensure the learning and safety of schoolchildren, to bear the cybersecurity burden alone." CISA pointed out that schools tend to be targeted because they are "target rich and cyber poor," and that "K-12 public schools maintain highly sensitive data and typically have more limited financial and resource allocation to data security, including in-house cybersecurity expertise, making them high risk for cybercrime."

For years, the K-12 schools and library community have been asking the Federal Communications Commission (FCC) to allow them to use E-Rate program funds to bolster and maintain their IT security and network infrastructures. The E-Rate program makes telecommunications and information services more affordable for schools and libraries. It is part of the Universal Service Fund, which is funded from a small surcharge added to consumers' interstate telecom bills. The E-Rate program provides discounts for telecommunications, internet access, and internal connections to eligible schools and libraries, but it has had limited focus on the security of these communications.

Some educational entities expressed concerns that putting E-Rate dollars toward cybersecurity could divert resources from the primary focus of connecting schools and libraries to the internet. The E-Rate program has a$4.4 billion spending cap, and it only gave out$2.1-$2.4 billion in recent years, so there is room in the program budget. Others have argued that the dated definition of a firewall should be updated so districts can use E-Rate dollars to upgrade their cybersecurity resources to meet current needs.

After a well-publicized 2022 ransomware attack on the Los Angeles Unified School District (LAUSD), the second largest school district in the nation, and subsequent letter filed by LAUSD and more than 1,100 local and state educational agencies, national organizations, students, and communities served, FCC Chairwoman Jessica Rosenworcel stepped forward in July 2023 with an innovative proposal that tables concerns over impacts to the E-Rate program. Chairwoman Rosenworcel is the originator of the term "homework gap" and has focused on enhancing digital learning during her tenure as the FCC chair. Her leadership on cybersecurity for schools and libraries is consistent with her focus on tele-education and distance learning.

In December 2023, the FCC unanimously voted to issue a Notice of Proposed Rulemaking to use dollars directly from the Universal Service Fund to create a$200 million, three-year cybersecurity pilot program that will allow K-12 schools and libraries to purchase cybersecurity and advanced firewall protection. In the big picture, this pilot program is a welcome and creative solution that will immediately help some at-risk schools and libraries secure their networks and sensitive data from attack, if approved after public comment.

The pilot program proposal has received two rounds of public comments. I'm very encouraged to see the strong engagement in this process by schools, libraries, and other stakeholders on the proposal's details. I urge the full commission to give a final and timely stamp of approval for new funding of cybersecurity protections for schools and libraries. As a member of the Fortinet Strategic Advisory Council (FSAC), I'm proud of the company's unwavering support for the needs of the schools and library communities.

I have reviewed the FCC's proposal, and while it is a significant step forward, I think it could be improved in a few key areas:

• Term: A shorter pilot program (perhaps one year instead of three years) would be more effective because there is no doubt that a serious escalating problem exists. Gathering data for a year should be adequate to craft a permanent program and appropriate budget from the Universal Service Fund.
• Funds: A coalition of school and library groups have stated that "more than$200 million should be allocated to help schools and libraries and to ensure the pilot program enables a comprehensive evaluation of the investment's impact on access to cybersecurity." I agree that the commission should consider expanding this program to meet the need and urgency associated with the problem.
• Equitable participation: The geographic and size diversity of participating school districts should be encouraged for the pilot program so adequate data is gathered that applies to all sizes of schools and libraries.
• Data: What happens after the pilot program is important for these communities. The FCC should compile and analyze data related to the utilization of these funds in real time to ensure there is no gap between this pilot program and a more robust long-term solution. Gathering this data will help ensure that schools and libraries can secure their networks and data to stay ahead of evolving cyberthreats.

All in all, however, it is exciting and encouraging to see FCC action to update its program to meet the urgent demands of these communities to better protect their networks and sensitive data. It is important that all federal agencies join to protect our schools and libraries from cybercriminals, and the FCC is to be applauded for its proposal.

To learn more about the Fortinet Strategic Advisory Council members,visit here.