FCC Cybersecurity Pilot Proposal Draws Criticism — THE Journal

USF & E-rate

‘Too Small and Too Slow’: FCC Cybersecurity Pilot Proposal Draws Criticism

A week remains for K–12 stakeholders to submit comments on the Federal Communications Commission’s proposed 3-year, $200 million Schools and Libraries Cybersecurity Pilot Program, and so far, most comments submitted have expressed significant concerns that it is too conservative to help public schools defend against emerging cyber threats.

Dozens of stakeholders from IT and cybersecurity associations, public education agencies, and private sector organizations have submitted comments as of Jan. 22, and nearly all of them are pointedly critical of the proposal as “too small and too slow” to be of any real benefit.

The FCC’s proposal, first announced on November 13 and published in the Federal Register on Dec. 29, 2023, calls for the Cybersecurity Pilot to be established within the Universal Service Fund but kept separate from the E-rate program. Comments on the proposal may be submitted at the FCC website through January 29, 2024, with reply comments accepted through February 27, 2024.

According to the FCC, the program “would allow the Commission to obtain valuable data concerning the cybersecurity and advanced firewall services that would best help K–12 schools and libraries address the growing cyber threats and attacks against their broadband networks,” while also providing funding for “eligible schools and libraries to defray the qualifying costs of receiving the cybersecurity and advanced firewall services needed to protect their E-Rate-funded broadband networks and data from the growing number of school and library-focused cyber events.”

The proposed pilot would be structured like the Connected Care Pilot Program, the agency said, wherein K–12 schools and libraries would apply to participate by submitting an application detailing their proposed cybersecurity and advanced firewall projects to be funded by the pilot. If selected, the applicants would apply for funding for pilot-eligible services and equipment, would receive a funding commitment to begin receiving cybersecurity and advanced firewall services and equipment, and would then submit invoices for reimbursement, according to the notice of proposed rulemaking.

The notice of proposed rulemaking asks for input on several big questions, including whether the FCC has a legal basis for expanding the list of E-rate eligible services related to cybersecurity; whether applicants must prove they’ve completed a list of “essential cybersecurity protections” such as those recommended by K12SIX and the Cybersecurity and Infrastructure Security Agency; and what types of data should be used to measure the program’s effectiveness.

The nation’s only nonprofit dedicated solely to protecting K–12 schools from emerging cyber threats, K12 Security Information Exchange or K12SIX, filed comments detailing how the proposed pilot “risks missing the proverbial forest for the trees” and falls far short. “While the need for federal cybersecurity resources and support targeted specifically to the K–12 sector is clear, what remains at issue is how to craft a program that can make a meaningful difference in assisting a critical mass of school systems to prevent and quickly respond and recover from common K–12 cyber incidents.”

Summarizing its lengthy comment submission, K12SIX wrote on its website that “The proposed pilot program is too small and too slow to make a difference given the scope of challenges facing the K–12 sector.”

In the 9-page filing, K12SIX delved into “the necessary preconditions for a successful pilot program; the most appropriate goals for the pilot program; and the proposed scope of the pilot program” — explaining why the nonprofit finds the Cybersecurity Pilot lacking in every area.

For starters: No program of any kind will be able to collect meaningful data on national K–12 cyber threats and needs without mandated incident disclosure, K12SIX said.

The report filed by K12SIX made a number of pointed criticisms not only of the pilot proposal but also of governance and leadership in the K–12 cybersecurity space, summarized below:

  • Vendors and suppliers must embrace secure-by-design practices and be mandated to better protect schools’ and students’ data.

  • Cybersecurity threat intelligence, guidance, and best practices must be tailored specifically for the K–12 sector, including ensuring it is timely, actionable, and cost-effective.

  • School districts should put a premium on sharing threat intelligence, sharing best practices, developing model policies, pursuing mutually beneficial risk mitigation solutions that can be deployed at scale, and educating state and federal policymakers about K–12 cybersecurity challenges and potential solutions.

  • Cybersecurity in K–12 education needs better governance as much as it needs more resources. “As a critical infrastructure subsector, K–12 facilities have been hampered by the lack of strategic leadership exhibited by their designated Sector Risk Management Agency, the U.S. Department of Education.”

  • The pilot “artificially limits support for improved cyber risk management practices to only a certain set of static threats, K–12 entities, or equipment/services,” and therefore “may pervert the implementation of sector wide K–12 risk management practices and needs.”

  • The pilot is too narrowly tailored to make much difference and should be expanded significantly. “The scope of the proposed program is orders of magnitude out of step with the documented cybersecurity threats facing the K–12 sector,” K12SIX said. “It is imperative that the federal government not shirk its responsibilities for defending critical infrastructure, including the K–12 sector. What is needed is decisive action that helps provide more certainty, more resources, and a comprehensive roadmap for more resilient school systems.”

Doug Levin, K12SIX national director, told THE Journal that this proposed program — which has been years in the making — is a disappointment to many stakeholders, as many see the pilot as more of the same slow, piecemeal approach to a problem that is fast-moving and not addressable district-by-district.

