A three-year pilot program aims to support districts as ransomware gangs hack into their systems and steal highly sensitive records.
As ransomware and other cyber attacks become an increasingly potent threat to schools nationwide, a proposal by Federal Communications Commission Chairwoman Jessica Rosenworcel seeks to create the first federal funding stream to help districts fight back.
A three-year pilot program announced by Rosenworcel earlier this month could invest up to $200 million to enhance cybersecurity in schools and libraries, yet the full proposal hasn’t been released publicly and education experts said far more would be needed to make a meaningful difference. And it could be months — if not more than a year — before the help makes its way to schools as education groups demand a more urgent federal response.
As districts become “a prime target for cyberattacks,” the proposed pilot “will give us valuable insight about whether and how the FCC can leverage its resources to help address the cybersecurity threats that schools and libraries face,” Rosenworcel said in a July 12 speech before AASA, The School Superintendents Association and the Association of School Business Officers International.
Education groups and school leaders have been calling for several years on the federal government to help schools bolster their cyber defenses and the pilot deviates from what many had suggested. The FCC had previously considered allowing districts to spend federal E-Rate funding on cybersecurity, a move that more than 1,100 school districts endorsed in a joint letter last year.
Yet officials at the national superintendents’ association worried that using E-Rate funds was a diversion from the program’s mission of helping schools and libraries connect to the internet, said Noelle Ellerson Ng, the group’s associate executive director of advocacy and governance. She said the group supports the pilot because it remains separate from E-rate while still giving districts more money to protect their data.
“All signs point towards we’re going to need a federal response so hopefully we can get some congressional acknowledgement of that during the same three-year timespan to start thinking about what something more sustainable might look like,” Ellerson Ng said. “That way when this three-year pilot is up and we can get some of the evaluated data, we can move forward.”
A recent report by cybersecurity provider Sophos found that K-12 education was the most popular target for ransomware gangs last year, with 8 in 10 districts reporting getting hit with attacks — a marked 43% increase from 2021. The average recovery cost for victim districts, which agreed to pay ransoms in nearly half of incidents, exceeded $1.5 million, excluding financial demands from cyber gangs.
Recent high-profile ransomware incidents include an attack last year on the Los Angeles Unified School District, the country’s second-largest school system, that resulted in the public release of students’ highly sensitive psychological records. An attack on Minneapolis Public Schools this spring led to the public release of a trove of sensitive district documents, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.
Last month, New York City Public Schools, the country’s largest district, acknowledged that some 45,000 students’ information had been stolen in a massive cyber attack on the file-sharing software MOVEit. The MOVEit attack has resulted in data breaches at least 375 companies and organizations, including universities in at least a dozen states. The National School Clearinghouse has acknowledged it was caught up in the breach, a development that school cybersecurity experts said could affect many — if not most — students nationally.
“Cybersecurity is definitely something that has just stormed into the forefront” as districts nationwide grow increasingly alarmed by attacks, Rosenworcel said. The federal government hasn’t previously provided money to schools for cybersecurity but the pilot program, she said, offers a first step.
The five-member FCC commission must vote on the proposal before its full details are made public, the agency said, and it must go through a formal public comment and rulemaking process. Education experts predict it could be a year or more before the money is available to districts.
“I’ve told our superintendents that it’s realistic that it could take 10 months — best case scenario — before they’re able to apply,” Ellerson Ng said.
School cybersecurity expert Doug Levin said the communications commission “has been slow-pedaling” on the issue for years and that the $200 million proposal is just “a drop in the bucket” of what districts nationwide would need to counter this online enemy. The pilot could be used to generate lessons learned and to set the stage for more robust federal investments, he said, but only a small number of districts are likely to receive grants under it.
But the threat that districts face from cyber attacks is so great, Levin said, that even a much more significant investment in digital safeguards is unlikely to thwart the problem.
“It’s hard for me to imagine that, even if they were wildly successful and every school district was able to put in place a next-generation firewall, that that’s going to make a meaningful difference in the number of successful attacks against school districts,” he said. “You know, maybe they shouldn’t be collecting all this data that’s so sensitive in the first place.”
We want our stories to be shared as widely as possible — for free.