Cyber attacks on education institutions have impacted all 50 states and Washington, D.C., costing students downtime and draining school budgets.  According to one study, the costs associated with ransomware attacks on the education sector in 2021 alone topped$3.5 billion. Some reported ransomware demands have sought tens of millions of dollars.  Impacts are broad from system outages to lost class time, and even impacts to a school's physical security resulting in security cameras going offline. While the frequency of these cyberattacks could lead one to envision the desensitizing of the issue, fortunately the opposite has happened and there is a spike in demand for stronger federal leadership on network security of U.S. education institutions. 

Why are schools such an attractive target for cybercriminals? 

In response to the COVID-19 pandemic, recent funding infusions have accelerated the digital transformation for schools across the country, significantly increasing students' connectivity in the classroom and at home. However, the proliferation of devices and ability to connect to a school's network from virtually anywhere has also increased the vulnerability of school networks and the students and teachers who rely on them.  

Overburdened IT teams and under-resourced IT budgets have limited the education sector's ability to ensure adequate network security measures are in place to protect the networks and related sensitive data. Health data, banking data, social security numbers, psychological assessment data, and other PII of students, teachers, and staff is valuable data stored on school networks. The result is a dangerous combination of weak network defenses and highly sought after sensitive personal data.

To best safeguard these systems and data, two matters must be addressed: broad adoption of information security training and the strengthening of network defenses. The former can be resolved through efforts leveraging public-private partnerships with minimal cost to the education community. Take for example Fortinet's announcement earlier this year of free information security training to all U.S. K-12 faculty and staff -an offering for over 8 million eligible personnel. Additionally, stronger protection for the education sector can be further addressed with minor regulatory clarification of a key federal funding program. 

Ongoing Federal Efforts to Protect the Education Sector

Federal agencies that support schools, such as the Federal Communications Commission (FCC) and the Cybersecurity & Infrastructure Security Agency (CISA) are well aware of the challenges schools face. CISA is working towards publishing security guides and playbooks called for in the K-12 Cybersecurity Act of 2021. CISA also recently hosted the National School Safety Summit, which included key stakeholders from the U.S Government, private sector, and education community in robust discussions of cybersecurity and online safety. 

The FCC oversees the Universal Service Fund (USF) which supports the E-Rate program that provides funds connectivity to schools and libraries across the United States. The E-Rate program is a critical resource for eligible schools and libraries to keep pace with the rising digital demand by their users -students, faculty, staff, and library patrons. The FCC annually reviews the products and services that are eligible for funding under the Eligible Services List (ESL) -an important process given the ever-evolving nature of our communications networks and user demand. The FCC is currently reviewing public comments regarding the ESL for the FY2023 E-Rate year. 

The E-Rate Program's Eligible Services List does not currently permit use of funds for "next-generation firewalls", a modernization of the network security allowable expense for "basic firewalls" that has been permissible since the program was established in the late 1990s. As cyber threats have evolved, the need for more robust cybersecurity has advanced well beyond what a basic (or legacy) firewall can offer.

A legacy firewall relies on simple protocols that focus on a stateful inspection of network traffic entering or leaving the network with the security parameters based on state, port, and protocol. Meanwhile, next-generation firewalls move beyond the limitations of this connection-based traffic inspection by inspecting the behavior of the applications themselves. This technology enables combining many security services like web filtering or intrusion prevention while inspecting traffic by application and behavior. Additionally, recent advances in technology provide for automation that lessens the time needed to discover and stop cyberattacks resulting in more time for technical staff to address other important security controls. 

Path Forward: Updating E-Rate

One of the largest school districts in the nation, the Los Angeles Unified School District (Los Angeles Unified), suffered a crippling attack early in the 2022-2023 school year. In a recent letter to the FCC, the Superintendent of Los Angeles Unified wrote that "supporting cybersecurity tools through the E-Rate program is not only appropriate under the FCC's existing goals for Universal Service, but also has reached a critical point as illustrated by the scope of the attack on Los Angeles Unified." Los Angeles Unified is not alone in this fight for E-Rate funding flexibility.  Hundreds of schools and school districts share the cyberattack concerns and also support a common solution: simply updating the E-Rate program. 

Fortinet supports the education community's calls for access to stronger network security tools through the modernization of E-Rate eligible services list to accommodate next-generation firewalls. Fortunately, the FCC has a streamlined process currently underway that could address this issue for future use of E-Rate funding. This would help protect these school networks and allow them the means to better secure the sensitive data of students, faculty, and staff.