White House plan to secure schools from cyber threats ‘may not go far enough,’ experts say

Newly-announced federal efforts to boost cybersecurity in U.S. schools were a "step in the direction," cybersecurity experts told Nextgov/FCW, but they warned that many school systems were "absolutely not" prepared for the slate of cyberattacks heading their way this coming year. 

The White House held the first federal summit to address cybersecurity in U.S. schools on Tuesday, shortly after the administration announced a series of new initiatives aimed at combating the recent increase in cyberattacks targeting education systems. 

"Considering the moving target that is cybersecurity, these initiatives may not go far enough or fast enough to effectively address the threats our educational institutions will face tomorrow," said Stephen Bish, cybersecurity strategist for the technology consultancy firm Schneider Down. "These initiatives are focused on much of the right things, but they will likely require significantly more funding and support to adequately defend our schools from a world of constantly evolving threat actors."

According to the Cybersecurity and Infrastructure Security Agency, schools are often seen by cybercriminals as "target rich, cyber poor" prospects due to their vast troves of sensitive personal data and limited internal resources — particularly those that face funding challenges in underserved communities.

First Lady Jill Biden, a longtime educator, hosted the summit and convened academic administrators, cybersecurity experts and top government officials to explore ways the public and private sectors can work together to address the expanding cyber threat landscape and respond to cyber incidents impacting schools across the country. 

“If we want to safeguard our children’s futures we must protect their personal data,” Biden said at the summit. "Every classroom should be enriched by new technologies ... and every family should know its information will stay safe and secure."

While some schools and districts have adequate resources to train network users and update their technology, others lack the necessary funding to hire staff and prepare for attacks that can cause critical disruptions in learning and expose sensitive data pertaining to countless children and families.

"There is certainly a big divide that has a lot to do with funding and resources that are needed to be prepared to defend against cyberattacks," said John Just, chief learning officer for the security firm KnowBe4. "Underfunded schools will especially need donations and volunteer efforts to provide the level of resources needed to address this challenge." 

The new White House initiatives include the establishment of the Government Coordinating Council, which will spearhead collaboration across schools, local governments and federal agencies on cyberattacks targeting education systems. 

CISA officials said the agency  would provide new cybersecurity training and K-12 cyber exercises over the coming year to schools nationwide, as private sector partners like Amazon and Google also made new commitments to bolster schools' cyber postures. 

In partnership with the federal government, Amazon Web Services said it was launching a $20 million grant program to provide no-cost cyber incident response assistance and security training resources to schools. Other companies also announced new cyber resources for schools in response to the administration's efforts, including Fortinet, which made a new, free security awareness curriculum available to all K-12 school districts in the U.S. on Wednesday. 

"With the right security solutions, districts can provide their staff and students with knowledge and best practices, but ultimately districts need more funding," said Bob Turner, field chief information security officer for education at Fortinet. "In the meantime, initiatives and education programs, in tandem with recent White House efforts, are a great first step to addressing the cyber skills gap and further emphasizing our nation’s need to train cyber professionals early on."

The Federal Communications Commission announced plans to create a pilot program with the Universal Service Fund that will provide up to $200 million over three years as part of the administration's effort to bolster cyber defenses in K-12 schools, particularly those in underserved communities. 

The Department of Education and CISA also released joint guidance this week that directs education leaders to develop secure digital infrastructures for learning, featuring publicly available digital infrastructure briefs.

Bill Wright, head of global government affairs for Elastic, told Nextgov/FCW that the new measures "are a great start and underscores the urgent need for strengthened security, especially amid limited funding." 

"Most [schools] face a lack of internal processes, procedures and skilled resources when it comes to cybersecurity," he added. 

While the new initiatives may represent the largest federal push to secure school systems from cyberattacks, many experts said their success will depend on cooperation and collaboration with the nation’s school districts. 

“Schools must be cognizant of the emerging threats and be willing to take advantage of this,” said Avishai Avivi, chief information security officer at SafeBreach. “The administration is not regulating these programs at the moment, so participation is largely voluntary."