New cybersecurity law providing support for K12
Distinguished as one of the few pieces of legislation to be signed by the President of the United States in the past decade, Public Law 117-47, known as the K-12 Cybersecurity Act, requires the federal Cybersecurity and Infrastructure Agency (CISA) to study the cybersecurity threat landscape facing U.S K-12 institutions. After studying the K-12 threat landscape, CISA must produce voluntary cybersecurity guidelines for K-12s and provide a “toolkit” ii built to assist schools and districts in strengthening their cybersecurity postures. CISA’s direct and focused assistance will certainly be welcomed by IT practitioners in the space, but based on the timelines specified in the law, the toolkit is roughly a year away from being posted on CISA’s website – may be longer. So, while you’re eagerly awaiting CISA’s analysis of the K-12 cybersecurity threat environment (as we are), or (maybe more likely) are looking forward to having CISA-created tools geared specifically toward your K-12 environment, you can take advantage of our assessment as cybersecurity experts practicing in Indiana’s K-12 environment and take advantage of some existing tools available to you while you wait.
K-12 DISTRICTS FACE UNIQUE CHALLENGES
If you are an IT professional in one of Indiana’s K-12 districts, you can certainly rattle off a list of needs that include those related to cybersecurity. If we’ve provided your district with a cybersecurity assessment, then maybe we’ve been a part of prioritizing these needs. If not, maybe we can do this with little or no cost to you – but more on that later. Chances are, some of the items on your list of needs are on the lists of most K-12 IT practitioners and organizations throughout the state. First among these common needs is money. Whether your district works from history books that discuss the Carter administration in the present tense or you have separate weight training rooms for each sport (lest an athlete be swayed by impure thoughts of another sport), it is not sufficiently funded to counter advanced, persistent cybersecurity threats backed by foreign governments. It doesn’t have enough people to do so, either.
An unfortunate consequence of the shortage of IT personnel in K-12 is a lack of time for continuing education and professional development for existing practitioners. These are critical activities during which practitioners: brush up on existing skills, learn new things, and network with others in their field. They are especially critical in K-12 environments because of the many curious and talented minds among the student body who likely have far more free time than their school’s IT staffers. Even though I work in and learn about cybersecurity every day at Purdue, my 6th-grade son still says to me every so often, “You really don’t know much about computers, do ya?”. We as practitioners approach computing very differently than our K-12 students, so it can be especially challenging to understand the security ramifications of what they’re doing when we don’t even understand what they’re doing or why they’re doing it. Continuing education and professional development may be more important in K-12 than in most other professions because of the diversity of the young minds we seek to protect.
In addition to insufficient resourcing, the K-12 landscape provides some unique challenges that intensify districts’ vulnerabilities to cybersecurity threats. I give user authentication the number one ranking on my K-12 cybersecurity threat list. Your district is likely serving learner users from ages 5 to 18. The authentication challenges here are daunting even without considering the authentication needs of school board members, administrators, teachers, and hawkish parents like myself who want to see if their kids did last night’s homework. Not only is each account a potential vector for compromise, but student accounts may also be at increased risk to act as an insider threat on your network – either by misusing their school-owned equipment or by attaching their personal devices to your WiFi. Finally, the diverse needs within each district tend to be serviced by several, fragmented systems with authentication to match. In my district, this was true before the onset of the COVID pandemic but was made worse by the need to sign and return documents virtually. In my household, that means no less than 12 (I’ve lost count, actually) accounts with the potential to be compromised. In sum, K-12 IT practitioners face one of the most daunting authentication environments in cybersecurity.
These are just a few of the most formidable cybersecurity challenges facing Indiana’s K-12s
WHAT YOU CAN DO TODAY
Insufficient resourcing does not equal no available resources and your district must do something. As Hoosier school districts attempt to resist cybersecurity threats, we recommend the following actions.
- Join MS-ISAC. Doing so has several advantages. It gives your district a cybersecurity community in which to participate. Even if you don’t have time to engage the community regularly, it will be there for you when you need it. You’ll also have free access to several tools that will help you to make more secure your district’s IT resources.
- Join Indiana’s K-12 CTO Council. The CTO Council is not just another IT community. It’s YOUR IT community. Be a part of a group of Indiana K-12 cyber leaders, learn from them, and contribute your knowledge to the group. The CTO Council occasionally has funding that may also help your district with specific IT projects including training partnerships with cyberTAP.
- Download and Explore CISA’s CSET Tool. You have opinions about your district’s cybersecurity posture, but do you know the full story? Choose to assess your district using one of the cybersecurity maturity models or a standard framework such as the NIST Cybersecurity Framework. Here’s the link: https://github.com/cisagov/cset/releases. The tool doesn’t yet include a K-12-specific assessment model, but we’ll remain on the lookout for you.
- Familiarize yourself with the Education section of Indiana’s Cybersecurity Hub. “The Hub” is part of state initiatives to increase cybersecurity in various industry sectors including K-12. This web presence consolidates links to many K-12 cybersecurity initiatives and assessment tools, and provides helpful guidance on several key components of a strong cybersecurity posture including incident response and disaster recovery.
- TALK TO US. In addition to our work in both the academic cybersecurity space and as practitioners in Indiana’s K-12 cybersecurity environment, cyberTAP has also been awarded federal grant funding to assist Indiana’s K-12 school districts to improve their cybersecurity posture. For a limited number of districts, professional cybersecurity assessments and education of district IT personnel are available without cost to selected districts.