Network Security

FCC E-rate Change Would Be Huge Boost to Districts' Cybersecurity Funding, Efforts

All K-12 Stakeholders Should Be Supporting the E-rate Change – and Telling the FCC Before Comments Close on Feb. 13

• By Brian Stephens
• 02/02/23

K–12 school systems are trying to fend off an increasing number of cyber threats with limited IT resources, and they need all the help they can get. Allowing schools to use federal E-rate funding for cybersecurity services such as next-generation firewalls, distributed denial of service protection, and intrusion detection and prevention would go a long way toward solving this challenge — and K–12 leaders should make their voices heard on this critical issue, immediately.

Right now, the Federal Communications Commission is considering whether to expand the E-rate’s Eligible Services List to include “advanced or next-generation firewalls and services, as well as other network security services.” The agency is asking for public comments until Feb. 13, with reply comments due March 30.

This is a key opportunity for K–12 leaders to influence public policy and request additional support for solving a growing challenge.

According to the nonprofit K12 Security Information Exchange and its 2022 State of K–12 Cybersecurity: Year in Review report, there have been more than 1,300 publicly disclosed cyberattacks on U.S. school districts since 2016. These attacks have disrupted education, jeopardized the privacy and security of both students and staff, and cost communities millions of dollars to remediate.

The total number of attacks equates to a rate of more than one K–12 cyber incident per school day, the report notes. However, even this assessment undersells the extent of the problem. “The true picture is surely bleaker,” K12SIX said. “Anecdotal evidence suggests perhaps 10 to 20 times more K–12 cyber incidents go undisclosed every year.”

School systems clearly need more robust network defenses, and that’s especially true for districts in rural and low-income communities. Changing the E-rate’s eligibility rules can help.

The E-rate provides discounts of up to 90% off the cost of Internet access (or Category 1 services) and up to 85% off the cost of network equipment and services (or Category 2 services) for eligible schools and libraries.

Currently, only “basic” firewall functions are supported by the program. Advanced network security functions like intrusion prevention, distributed denial of service mitigation, network access control, DNS filtering, and other common security technologies are denied E-rate funding.

In practice, this means that only a portion of a fully functional next-generation firewall system is eligible for E-rate discounts — typically 40% to 75%, depending on configuration. It also increases the administrative burden on E-rate coordinators, as they must determine how to cost-allocate funding requests accordingly.

The FCC is asking K–12 stakeholders what they think about various proposals the agency has received over the years. These proposals include:

• Raising applicants’ Category 2 budgets by 10% and allowing Category 2 funding to be used for network security services;
• Modifying the definition of “firewall” to include advanced security features such as endpoint protection; and
• A proposal from my company, Funds For Learning, to create a three-year cybersecurity pilot program within the E-rate that would fund advanced firewalls as a Category 2 service, with a funding cap of $60 million to $120 million each year — to be prioritized among applicants with the highest-discount rates first.

We picked this $120 million figure because it represents the difference between the FCC’s current average annual budget cap for Category 2 services through FY2025 — $1.477 billion — and the average amount that schools and libraries actually request for Category 2 services each year, which is $1.357 billion.

E-rate stakeholders might wonder how these proposed rule changes would affect the Universal Service Fund, the source of funding for E-rate discounts. Would extending E-rate eligibility to include advanced firewall services dramatically increase the USF contribution factor, or the percentage of their revenues that telecommunications companies must pay into the fund?

Based on our analysis, the answer is no. Increasing the demand for Category 2 support by $120 million to cover advanced firewalls would raise the USF contribution factor by less than half apercentage point. In other words, it would make a big impact on K–12 cybersecurity, with relatively little impact to the fund itself.

In its request for comments, the FCC listed several questions it plans to consider. For instance: Should the E-rate cover advanced firewalls and other network security services? If so, which ones? Should these be considered Category 2 services — and if so, should the agency raise the funding cap for Category 2 services? Should the FCC set aside any E-rate funding specifically for cybersecurity?

Whatever opinions K–12 leaders might have about the mechanisms involved, making firewalls and related security services eligible for E-rate support would give schools a huge boost in securing their network infrastructure.

But the FCC will only adopt this change if it hears this message from a critical mass of applicants. Stakeholders can submit their comments online at www.fcc.gov/ecfs, referring to WC Docket No. 13-184.

Digital learning won’t be truly equitable or effective until all schools — including those serving low-income and rural communities — have broadband service that is both reliable and secure. Cybersecurity and broadband access go hand in hand, and they should no longer be treated as separate services when it comes to E-rate funding.