The U.S. Department of Education is teaming up with the University of California at Berkeley’s Center for Long-Term Cybersecurity on an initiative to improve collaboration between schools’ education technology vendors and cybersecurity experts.
The goal: To stem the tidal wave of attacks on districts, which increasingly originate from the platforms, applications, and other technology schools use for teaching, learning, operations, and more.
The initiative—known as the Partnership for Advancing Cybersecurity in Education, or PACE—will hold a summit in October bringing together cybersecurity experts and ed-tech vendors.
“By uniting the expertise of cybersecurity professionals with the innovation of key ed-tech vendors, we can help proactively address cyber vulnerabilities before they lead to ransomware attacks that disrupt students’ learning, school operations, and compromise sensitive student data,” U.S. Deputy Secretary of Education Cindy Marten said in a statement. “This partnership will develop actionable insights to enhance the resilience of the ed-tech sector, ensuring that our educational tools are not only effective but secure.”
Cyberattacks, which can cost districts millions of dollars and days or weeks of missed learning time, are becoming an increasingly severe problem for school districts.
Eighty percent of K-12 schools have been targeted by ransomware in the past year, according to a survey of IT professionals conducted last year by Sophos, a cybersecurity firm. That’s a higher percentage than any other industry surveyed, including health care and financial services.
What’s more, education tech leaders around the country recently named cybersecurity as their top priority for the seventh year in a row, in a survey of 980 K-12 tech officials, conducted by the Consortium for School Networking, or CoSN.
The problem has intensified as districts across the country adopted new ed-tech tools, in part to enable virtual learning during the pandemic. Bringing in new platforms and products made districts increasingly susceptible to attacks.
In fact, 55 percent of K-12 school data breaches between 2016 and 2021 were carried out on ed-tech vendors, according to data provided by the department. That included attacks on large, well-resourced districts, such as New York City public schools.
The PACE initiative’s October event will include discussion of so-called “secure-by-design principles,” which call for products and applications to embrace features such as multi-factor authentication and single sign-on, as a standard practice, and at no additional cost to districts.
The event will also consider other long-term solutions for common product vulnerabilities.
“PACE aims to lift and shift some of the burden for managing cyber risk from school district leaders to the key ed-tech providers whose systems districts rely on every day for teaching, learning, and operations,” said Sarah Powazek, the program director of Public Interest Cybersecurity at the Center for Long-Term Cybersecurity, in a statement. “K-12 leaders will play a critical advisory role by highlighting cybersecurity pain points and vetting recommendations” that emerge from the PACE event.
Multiple efforts to combat cyberattacks against schools
This is not the department’s only recent action to combat cybercrime in schools.
In March, the agency launched a council to help K-12 schools strengthen their cybersecurity practices.
Other federal agencies responsible for internet connectivity in schools also see cybersecurity as a top concern.
Jessica Rosenworcel, the chair of the Federal Communications Commission, has proposed a pilot program that would provide up to $200 million in competitive grants over three years to help schools and libraries guard against cyberthreats, which have become increasingly sophisticated in recent years.
But the federal government hasn’t always been so attentive to this issue. A 2022 report by the Government Accountability Office found that the federal government, including the Education Department, had largely dropped the ball on some key steps to help schools prevent, plan for, and deal with these attacks.
Keith Krueger, the executive director of CoSN, applauded the department’s direction.
“It sounds like a great idea to get technical support to companies” on cybersecurity, he said. “There’s so many new and emerging companies that need help in this area.”
Doug Levin, the co-founder and national director of the K12 Security Information Exchange, agreed.
“There’s no question that for under- resourced school systems focusing on their supply chain, the vendors that they rely on everything in the classroom as well as the back office is smart and important.”
And he liked that ed-tech companies will get to opt in to the conversation. “I think it’s pretty appropriate to start with voluntary efforts like this,” he said.
But he warned that stopping attacks on vendors is no easy feat. “All it takes is the weakest link in the chain” to cause an attack.
Jun Kim, the director of technology for Oklahoma’s Moore Public Schools and an Education Week Leader to Learn From, is optimistic that the initiative can get ed- tech companies on the same page when it comes to cybersecurity.
“I hope that these companies can work past the ‘mine, mine mentality’ to say, ‘we are actually going to do something about it’ and shake hands with that other company and find that meeting place and, say ‘this is the standard.’ I hope they can get there. I think they will.”
