Fortifying K-12 Cybersecurity in the U.S.

Parents faced the usual mixed emotions as the school year commenced and their children embarked on new educational journeys, which is entering the digital era. The K-12 sector has become increasingly susceptible to cyber threats, including data breaches and ransomware attacks, posing risks to students’ personal information, school security, and overall educational stability.

K-12 in the U.S. refers to the education system that includes primary education starting in kindergarten (usually at age five or six) and secondary education ending in grade 12. The term “K-12” is a shorthand for the years of publicly supported primary and secondary education in the U.S.

Cybersecurity threats to K-12 schools in the U.S. are a growing concern, with various types of attacks posing risks to students, teachers, and staff, as well as the integrity of educational operations. In addressing these threats, K-12 schools and school districts are advised to invest in impactful security measures, conduct training and exercises to test their ability to respond to cyber threats and stay informed about the evolving cybersecurity landscape.

Adopting advanced networking technologies in educational settings has introduced heightened risks, making it essential for K-12 organisations to prioritise cybersecurity measures to safeguard their systems and data.

Recognising the pressing need for action, the White House hosted the Back to School Safely: Cybersecurity for K-12 Schools Summit. This summit united school administrators, educators, and a coalition of industry and government partners, all committed to fortifying K-12 cybersecurity. The joint release of the K-12 Digital Infrastructure Brief by CISA and the Department of Education underscored the importance of treating educational infrastructure as vital to the nation’s security.

A pivotal initiative arising from this collaboration is Secure by Design, a movement aiming to shift the responsibility of digital security from financially strained school districts to software manufacturers. The strategy involves urging school vendors to prioritise robust security settings in their systems by default, aligning with Secure by Design principles. A workshop organised by CISA with education technology vendors preceded the summit, focusing on challenges specific to the K-12 community.

The cybersecurity landscape often focuses on the actions of attackers and victims, but the critical role of software vendors in creating secure systems remains overlooked. Secured by Design aligns with the National Cybersecurity Strategy to address software insecurity’s economic and political aspects. The initiative seeks to move the responsibility upstream to vendors, fostering a collective approach that considers the challenges faced by all stakeholders in the ecosystem.

The unique challenges within the K-12 ecosystem were spotlighted during the workshop. Schools operating on tight budgets must prioritise cybersecurity measures against other crucial investments for children and educators. Issues such as credential-based attacks persist, with the adoption of essential tools like Multifactor Authentication (MFA) proving challenging due to limited technical support and concerns about distractions in the classroom. Implementing MFA in K-12 schools can enhance cybersecurity and ensure uninterrupted access to digital resources while keeping students’ data safe.

To address these challenges, a proposal suggests shifting responsibility onto several K-12 vendors, allowing security to scale across thousands of school districts. While acknowledging vendors’ challenges, proponents argue that tackling cybersecurity earlier in the supply chain, focusing on crucial companies serving large numbers of students and educators would be more effective and cost-efficient.

Education technology software developers are encouraged to face this responsibility by investing in tools, personnel training, user experience, and secure software methodologies. CISA notes the commitment of eleven education technology vendors to the Secure by Design initiative, a commendable increase since its inception. The agency emphasises the need for continued collaboration, sharing success stories and best practices, and aggregating data to drive widespread adoption of Secure by Design principles.

CISA invites schools, parents, and stakeholders to join the K-12 Education Technology Secure by Design Pledge as part of the ongoing effort. This movement aims to strengthen cybersecurity for schools collectively, fostering a safer digital environment for our children’s education.

Whether taking the pledge or seeking guidance on advocating for Secure by Design practices from education technology vendors, individuals are encouraged to participate actively in this crucial initiative. In the digital age, securing our schools is a shared responsibility that demands a united front against cyber threats.