Findings and Updates from CISA’s Ongoing Collaboration with Education Technology Vendors to Address K-12 Cybersecurity Challenges
This September, my first child entered kindergarten, which, of course, was fraught with both trepidation and excitement. Along with normal questions about peer relationships, physical safety, health, and after-school care, came an added layer of digital safety. Obviously my 5-year-old doesn’t have a credit card or a 401K, but the K-12 sector has grown to be increasingly vulnerable to cyberattacks, including data breaches and ransomware. While we aren’t dealing with a child’s retirement plan, these attacks have led to compromises of students’ personal information, exposure of school security information, class disruptions, school closures, and loss of already-strained financial resources – all of which harm our children and families.
In recognition of the K-12 cybersecurity challenge, the White House’s Back to School Safely: Cybersecurity for K-12 Schools Summit in August brought together school administrators and educators and a coalition of industry and government partners that committed to strengthening K-12 cybersecurity. CISA and Department of Education jointly released the K-12 Digital Infrastructure Brief: Defensible and Resilient—highlighting the leadership imperative to treat education infrastructure as core to our nation’s security. The brief urges school vendors and suppliers to build their systems, used by thousands of school districts across the country, with robust security settings by default at no additional charge and align with Secure by Design principles. Prior to the summit, CISA held a workshop with the education technology vendors scheduled to attend the White House summit to discuss challenges for the K-12 community and present Secure by Design, a CISA initiative co-sealed by 17 U.S. and international partners.
In support of the National Cybersecurity Strategy, Secure by Design is a movement aiming to shift the responsibility of digital security from the most vulnerable and least equipped (cash-strapped school districts, for example) to the most capable (software manufacturers). When we hear about cyberattacks, we often hear about what the villains did right and what the victims did wrong, but we do not hear about the vendors who use materials and methods that result in software with well-known defects.
Malicious and nation-state cyber adversaries have demonstrated countless times that they can easily find software defects and use them to steal money and data and lock up critical systems. As software weaknesses and mitigation studies over the past decade have found, it’s not so much a technical issue as it is one of political will and economics. As David Rice notes in Geekonomics: The Real Costs of Insecure Software, until we address the economics of software insecurity, we will not fix the problem.
What does this mean? In the political sense, it’s the set of decisions that a governing body, (i.e., federal government, state legislatures, and local school boards) makes that prioritize cybersecurity as an outcome. From an economic sense, it’s understanding the value decisions made by each market player to create interventions that meaningfully shift the decisions and behavior of those players to value digital security. In this case, we are seeking to move the responsibility upstream to the software vendors, so we must take an ecosystem approach that factors in the challenges and opportunities faced by all the players.
The K-12 community is a unique ecosystem unto itself, and our workshop was aimed at identifying the challenges and opportunities specific to the community. Schools must address a dizzying array of social and academic issues on exceedingly tight budgets. Allocating funds for recommended cybersecurity protections, such as Single Sign-On and Multifactor Authentication (MFA), is necessarily weighed against other investments that provide for the needs of children and educators.
In our workshop, we heard that credential-based attacks, for instance, are a huge issue for the sector. Yet, participants said enabling MFA, one of the best tools for preventing unauthorized access to systems, too often remains a challenge in K-12. Since technical support provided by school systems to end users is often limited—and not every school can count on reliable cell phone coverage—administrators and educators may be reluctant to deploy MFA to vulnerable users. Moreover, in the education context, one’s phone can be considered a distraction in the classroom or a luxury that not all can afford. So, our goal is to identify what technological and policy innovations the government, private sector, and civil society can develop and deploy to address these challenges.
Because thousands of school districts in this country (in which staff, teachers, students, and their families are all players) are responsible for their own digital security, we will always be at an asymmetric disadvantage. And whereas schools are run at the local level, the expertise and resources available to safeguard critical systems and sensitive data are in short supply. There is simply no way we can expect school districts, whose primary objective is to ensure the learning and safety of schoolchildren, to bear the cybersecurity burden alone.
What if we shifted more of the responsibility of digital security from schools onto a relatively small number of K-12 vendors? Security could scale to those thousands of school districts, and each party could capitalize on its respective comparative advantages. Studies have shown that cyber innovations that scale are the ones with the greatest impact.
Certainly, education technology software developers face key challenges too, but cybersecurity issues facing K-12 could be much more effectively and cheaply dealt with earlier in the supply chain, by focusing on a relatively smaller number of linchpin companies serving very large numbers of students and educators instead of school district by school district, school by school. K-12 vendors need to hear about the security demand from school customers and school procurement processes must include security practices as a critical factor in their decision-making.
In turn, vendor security teams need further investment in tooling, training personnel, user experience, and secure software methodologies, all of which stem from executive-level business decisions. A company-wide plan for following Secure by Design practices to bolster commitment to customer safety should be the ultimate outcome. Given that most companies are in their initial stages of the journey, sharing success stories, best practices, and aggregate data can lead to the widespread adoption of Secure by Design principles and demonstrate the return on investment.
CISA is proud to count eleven education technology vendors that have committed to Secure by Design, designing products with greater security built in, an increase of five since we started this voluntary initiative. We are excited to work with them and take this journey together toward safer software. I’m personally and professionally invested in this movement to strengthen cybersecurity for our schools. If you are too, and want to take the pledge or have questions about how to ask your school’s education technology vendors for security by design and default, please join us at K-12 Education Technology Secure by Design Pledge.