USF & E-rate

'Too Small and Too Slow': FCC Cybersecurity Pilot Proposal Draws Criticism

A week remains for K–12 stakeholders to submit comments on the Federal Communications Commission’s proposed 3-year, $200 million Schools and Libraries Cybersecurity Pilot Program, and so far, most comments submitted have expressed significant concerns that it is too conservative to help public schools defend against emerging cyber threats.

Dozens of stakeholders from IT and cybersecurity associations, public education agencies, and private sector organizations have submitted comments as of Jan. 22, and nearly all of them are pointedly critical of the proposal as “too small and too slow” to be of any real benefit.

The FCC’s proposal, first announced on November 13 and published in the Federal Register on Dec. 29, 2023, calls for the Cybersecurity Pilot to be established within the Universal Service Fund but kept separate from the E-rate program. Comments on the proposal may be submitted at the FCC website through January 29, 2024, with reply comments accepted through February 27, 2024.

According to the FCC, the program “would allow the Commission to obtain valuable data concerning the cybersecurity and advanced firewall services that would best help K–12 schools and libraries address the growing cyber threats and attacks against their broadband networks,” while also providing funding for “eligible schools and libraries to defray the qualifying costs of receiving the cybersecurity and advanced firewall services needed to protect their E-Rate-funded broadband networks and data from the growing number of school and library-focused cyber events.”

The proposed pilot would be structured like the Connected Care Pilot Program, the agency said, wherein K–12 schools and libraries would apply to participate by submitting an application detailing their proposed cybersecurity and advanced firewall projects to be funded by the pilot. If selected, the applicants would apply for funding for pilot-eligible services and equipment, would receive a funding commitment to begin receiving cybersecurity and advanced firewall services and equipment, and would then submit invoices for reimbursement, according to the notice of proposed rulemaking.

The notice of proposed rulemaking asks for input on several big questions, including whether the agency has a legal basis for expanding the list of E-rate eligible services related to cybersecurity; whether applicants must prove they’ve completed a list of “essential cybersecurity protections” such as those recommended by K12SIX and the Cybersecurity and Infrastructure Security Agency; and what types of data should be used to measure the program’s effectiveness.

The nation’s only nonprofit dedicated solely to protecting K–12 schools from emerging cyber threats, K12 Security Information Exchange or K12SIX, filed comments detailing how the proposed pilot “risks missing the proverbial forest for the trees” and falls far short. “While the need for federal cybersecurity resources and support targeted specifically to the K–12 sector is clear, what remains at issue is how to craft a program that can make a meaningful difference in assisting a critical mass of school systems to prevent and quickly respond and recover from common K–12 cyber incidents.”

Summarizing its lengthy comment submission, K12SIX wrote on its website that “The proposed pilot program is too small and too slow to make a difference given the scope of challenges facing the K–12 sector.”

In the 9-page filing, K12SIX delved into “the necessary preconditions for a successful pilot program; the most appropriate goals for the pilot program; and the proposed scope of the pilot program” — explaining why the nonprofit finds the Cybersecurity Pilot lacking in every area.

For starters: No program of any kind will be able to collect meaningful data on national K–12 cyber threats and needs without mandated incident disclosure, K12SIX said.

The report filed by K12SIX made a number of pointed criticisms not only of the pilot proposal but also of governance and leadership in the K–12 cybersecurity space, summarized below:

  • Vendors and suppliers must embrace secure-by-design practices and be mandated to better protect schools’ and students’ data.

  • Cybersecurity threat intelligence, guidance, and best practices must be tailored specifically for the K–12 sector, including ensuring it is timely, actionable, and cost-effective.

  • School districts should put a premium on sharing threat intelligence, sharing best practices, developing model policies, pursuing mutually beneficial risk mitigation solutions that can be deployed at scale, and educating state and federal policymakers about K–12 cybersecurity challenges and potential solutions.

  • Cybersecurity in K–12 education needs better governance as much as it needs more resources. “As a critical infrastructure subsector, K–12 facilities have been hampered by the lack of strategic leadership exhibited by their designated Sector Risk Management Agency, the U.S. Department of Education.”

  • The pilot “artificially limits support for improved cyber risk management practices to only a certain set of static threats, K–12 entities, or equipment/services,” and therefore “may pervert the implementation of sector wide K–12 risk management practices and needs.”

  • The pilot is too narrowly tailored to make much difference and should be expanded significantly. “The scope of the proposed program is orders of magnitude out of step with the documented cybersecurity threats facing the K–12 sector,” K12SIX said. “It is imperative that the federal government not shirk its responsibilities for defending critical infrastructure, including the K–12 sector. What is needed is decisive action that helps provide more certainty, more resources, and a comprehensive roadmap for more resilient school systems.”

Doug Levin, K12SIX national director, told THE Journal that this proposed program — which has been years in the making — is a disappointment to many stakeholders, as many see the pilot as more of the same slow, piecemeal approach to a problem that is fast-moving and not addressable district-by-district.

“The Department of Education needs to step up,” Levin said. “The GAO has been very clear — pretty much every federal agency except ED has been very clear that they have an obligation under the law to support their sector on cybersecurity and provide resources and communication.

“ED could hardly do less and still claim they’re doing something,” he said. “If ED is not taking this problem seriously, it becomes impossible for states to take it seriously or for superintendents or school boards to take it seriously.”

Levin said he and other K–12 cyber-threat researchers believe that any impactful solution will require some type of centralized support and managed services, provided regionally or by state education agencies.

“The notion that every district can hire a chief information security officer who can understand and have time to keep up with all the emerging threats — it is simply not possible.”

About half of those who submitted comments said they agreed with K12SIX’s input and pleaded with the FCC to do more and to do it more quickly than a three-year, data-focused pilot program would.

Comments submitted jointly by representatives from SETDA; Consortium for School Networking; the Schools, Health & Libraries Broadband Coalition; American Library Association and six others called for next-generation firewall services to be removed from the pilot and immediately added to the list of eligible E-rate services. The dozen-plus signatories also called for the pilot to be shortened to one year to “better address the urgency of the needs” and for the funding to be increased significantly; they also said the proposal places too heavy a burden on districts’ application requirements and called for the process to be simplified so smaller and rural districts would not be discouraged from participating.

Apptegy, a content management and website vendor for school districts, submitted comments similarly calling for the agency to take a broader approach to cyber risk management. “Apptegy believes that it is in the best interest of K–12 schools and public libraries, as well as both a legally authorized and fiscally prudent use of the Universal Service Funding, that the eligible services and equipment/security measures within the Schools and Libraries Cybersecurity Program be as flexible as possible, to encourage a more holistic, not piecemeal approach to cybersecurity.”

The hosts of K12 Tech Talk Podcast, Josh Bauman of Missouri, Chris Warden of Missouri, and Mark Racine of Massachusetts, also submitted comments in support of K12SIX’s arguments. The three men, all of whom are IT leaders at K–12 organizations, wrote: “We share the concern that the proposed pilot program might be insufficient in scale and speed. It's crucial that the program's scope and pace align with the urgency of enhancing cybersecurity measures in K–12.”

Comments submitted by K12TechPro, a community of over 500 K–12 tech professionals from 40 states, likewise echoed K12SIX’s concerns, citing a recent poll of its members.

Additional comments submitted by current and former tech leaders at school districts and state agencies expressed frustration with the amount of funding in the proposed pilot, the narrow scope of eligible solutions in the pilot, and the length of the program.

“To truly protect schools/libraries, more products and services are needed,” wrote Tim Roemer, chief security officer at GMI and former director of the Arizona Department of Homeland Security. “For example, most schools/libraries will not have the staff to administer the security controls, and therefore, managed security services should be allowable costs (under USF). There is no way the FCC or even CISA can take on this much additional work, and they are not localized enough to do so. Allowing schools/libraries to contract with local managed security service companies in order to effectively manage the implementation and monitoring is a necessity.”

“I have been working in K–12 IT for over 16 years, and I want to be very clear: The E-rate program is over 10 years behind in supporting the most basic modern security needs of most school districts and many libraries,” said a comment submission from Clear Creek Amana Community School District, Iowa.

Find the complete comments filed thus far, or submit a new comment, for proceeding “23-234” at the FCC website.