K–12 Landscape

SETDA Report Calls for State Education Agencies to Take Lead on Cybersecurity, More Sustained Funding

• By Kristal Kuykendall
• 03/16/22

SETDA, a national association of U.S. ed tech and IT leaders, on Wednesday released its first Cybersecurity and Privacy Collaborative “landscape scan” calling on federal policymakers and state and local education leaders to work together to increase information sharing and to commit significant, sustained resources and training to improving cybersecurity across the nation’s K–12 schools.

The Cybersecurity and Privacy Collaborative, funded by the Bill & Melinda Gates Foundation, is a professional learning community focused on K–12 cybersecurity advocacy at the state level and policy recommendations. It is part of the nonprofit SETDA, established as the State Educational Technology Directors Association in 2001 to support emerging school tech needs.

The collaborative meets bi-weekly year-round to develop resources so states and local school districts better coordinate their cybersecurity prevention efforts and more effectively leverage their limited funding, according to a SETDA news release.

The report on the current landscape of K–12 cybersecurity details critical, persistent challenges for local school districts and state education agencies; legislative needs and recommendations; and vital resources available to K–12 leaders now.

The report emphasizes the importance of state education agencies taking a bigger role in cybersecurity efforts and said the collaborative’s members are actively “working with states to further their thinking about the role of cybersecurity in the K–12 sector,” it stated. “States have a responsibility to establish cybersecurity as a priority, and ensure that schools and districts are good stewards of the student data entrusted to them.”

Members of the collaborative are calling for all state education agencies to do the following in order to ease the burden of cybersecurity on local education agencies, as stated verbatim in the report:

• Sharing Learning and Resources: States explore their ability to share more than just guidelines and documentation. They are partnering with cybersecurity experts to create a common roadmap for LEAs.
• Educating District and School Leaders: States can help put cybersecurity on the radar for local leaders. State leaders who prioritize communicating threats and opportunities help make cybersecurity a priority for local leaders.
• Promoting Response and Recovery Strategies: Knowing that cyberattacks are a matter of “when” rather than “if,” states must insist that LEAs discuss and plan for how they will react when the inevitable happens and provide the resources to support recovery strategies
• Sharing Incident Data: States would significantly increase their insight into threats and patterns if they could lessen the stigma of reporting details of a cybersecurity breach. Creative solutions are needed to allow this data to get to state leaders without greatly increasing the sphere of people who need to know about a particular system’s breach.
• Developing Mitigation Strategies: States are working to identify a tiered list of mitigation strategies that might support districts entering the conversation at differing stages of implementation.
• Building Collaboratives: States are making progress by sharing resources and best practices. Districts are banding together through service centers or cooperatives to supplement LEA cybersecurity expertise and help train their staff.
• Engaging Expert Partners: States have increased K–12 expertise by partnering with state police and other public entities and organizations and companies who can provide their schools with affordable cybersecurity services.
• Group Purchasing: There are vast economies of scale in state-wide purchasing or LEAs collaborating on cybersecurity-related services such as risk assessments, vulnerability scanning, penetration testing, and security awareness training.

In calling for greater commitment of sustained funding to cybersecurity planning, the collaborative noted that the complexity of school funding as well as a “fundamental misunderstanding” of the difference between the cost to buy ed tech and the cost to support it and keep it secure ongoing has resulted in the creation of new vulnerabilities as school districts received pandemic relief funds and purchased new devices and equipment.

“While legislation shows some movement toward investing in cybersecurity, more designated funding is necessary,” the report stated. “If investments in security measures are seen in competition with classroom instruction or student productivity, security posture is likely to be compromised.”

The collaborative noted an increase in attention to cybersecurity by state legislative bodies in 2021, citing the Consortium on School Networking’s 2021 State and Federal Cybersecurity Policy Trends report. But it is not enough, the report said: Incidents are still going unreported and secure cyber-incident information sharing is sorely needed.

It also said more training is needed, noting that many school data breaches are caused by human error, and it called for policymakers to encourage inter-agency coordination and statewide solutions.

Key Resources Available Now That Address K–12 Needs

The report noted that while many organizations and tech providers offer guidance on improving cybersecurity, most of it is not appropriate or helpful for K–12 IT environments. The report listed the following guides and nonprofits whose expertise is particularly suited to public school challenges and needs:

• Cybersecurity & Infrastructure Security Agency and its free cybersecurity services and tools.
• Center for Internet Security, a nonprofit known for its best practices for securing IT systems and data. CIS manages the Multi-State Information Sharing and Analysis Center or MS-ISAC, trusted for cyber threat prevention, protection, response, and recovery. Public K–12 schools can join the MS-ISAC at no cost; all MS-ISAC members receive the following free benefits: full-time security monitoring by a 24/7/365  security operations center focused on detecting and responding to K-12 cybersecurity incidents; Malicious Domain Blocking and Reporting; tailored K-12 threat intelligence; automated tools to assist in implementing security best practices and the ability to connect with a K–12 working group where MS-ISAC members can communicate directly with each other about what’s working and what isn’t, ask questions and share resources and advice.
• K12 Security Information Exchange, a nonprofit dedicated solely to cybersecurity needs of U.S. K–12 schools; it manages the K12 Cyber Incident Map and offers a free detailed cybsercurity guide to districts, called the Essential Cybersecurity Protections for School Districts.
• CoSN Cybersecurity Committee, an organization supporting a membership of K–12 IT leaders with cybersecurity guidance and other resources.

Download the full K–12 cybersecurity landcape report at the SETDA website or visit SETDA.org to learn more about the organization’s advocacy efforts.