On March 6, the Trump administration announced a $10 million cut in funding, part of a broader budget and staff cut across CISA. The negotiations ended up reaching $8.3 million, but the service still lost more than half of the remaining $15.7 budget for the year. The nonprofit that runs it is the Internet Service Center, which is currently digging its reserves to keep it running. But the funds are expected to run out in the coming weeks, and it is unclear how the service will continue to operate without charging the school for user fees.
“Many areas do not have the budget or resources to do this on their own, so it’s a big problem to not have access to the fee-free services we offer,” said Kelly Lynch Wyland, spokeswoman for the Internet Services Center.
Share threat information
Another issue is the effective dissolution of the Government Coordination Committee, which helps schools address ransomware attacks and other threats through policy recommendations, including how to respond to ransomware requests, when attacks occur, and good practices to prevent attacks. The Coordination Council was composed only one year ago by the Ministry of Education and CISA. It brings together 13 nonprofit school organizations, representing deans, state education leaders, technical officials, and more. The Council often meets after Powerschool data breached to share information.
Now, in the second round of blackmail, school leaders are unable to meet due to changes in rules governing open meetings. The organization initially met openly because it was discussing critical infrastructure threats. However, under the Trump administration, the Department of Homeland Security has resumed rules for open meetings including the advisory committee, including the committee. This makes it difficult to talk frankly about efforts to thwart criminal activities.
NGOs are working to revive the Council, but without government involvement, its form will be reduced.
“The FBI does show up when an incident occurs and they have advice on whether you should pay the ransom.”
Federal Roles
The third issue is the phase-out of the Ministry of Education’s Education Technology Office in March. The seven-person office involves educational technology policies, including cybersecurity. It issued cybersecurity guidance to schools and held webinars and meetings to explain how schools can improve and avoid their defense capabilities. This also holds biweekly meetings to discuss K-12 cybersecurity across the education sector, including offices serving students with disabilities and English learners.
Elimination of the office has hindered the decision on which security controls, such as encryption or multifactor authentication, should be in educational software and student information systems.
Many educators worry that without such federal coordination, student privacy is risky. “What I care most about is all the data in the cloud,” said Steve Smith, founder of the Student Data Privacy Alliance and former chief information officer of Cambridge Public Schools, Massachusetts. “About 80% to 90% of student data are not on school area controlled services. It is shared with ED technology providers and hosted on their information systems.”
Safety control
“How do we ensure that those third-party providers provide adequate security for violations and cyber attacks?” Smith said. “Ed Tech’s office is trying to bring people together to move towards a consistent national standard. They won’t authorize data standards, but there are some efforts to bring people together and start a conversation about the expected minimum controls.”
Smith said the federal effort ended the new administration. But his consortium is still working hard.
In an age where policymakers are trying to reduce federal participation in education, a federal role that advocates centralized federal roles may not be popular. However, for a long time, the role of student data privacy has included ensuring that school staff does not fail accidentally expose students’ personal information. The Family Education Rights and Privacy Act (commonly known as FERPA) protects student data. The education department continues to provide technical assistance to schools in order to comply with the law. Advocates of school cybersecurity say the same assistance is needed to help schools prevent and defend against cybercrime.
“We don’t want every town to stand up to protect itself from China or Russia,” said Michael Klein, senior director of preparation and response at the Institute for Security and Technology, a nonpartisan think tank. Klein was a senior consultant for cybersecurity in the education sector during the last administration. “In the same way, I don’t think we should expect every school district to stand up to protect ourselves from ransomware attacks from major criminal groups.”
And this is financially unrealistic. According to the school network consortium, only one-third of school districts have full-time employees or equivalent employees dedicated to cybersecurity.
The budget storm is coming
Some federal programs help cybersecurity schools still run. The Federal Communications Commission launched a $200 million pilot program to support cybersecurity efforts in schools and libraries. FEMA provides cybersecurity funding to state and local governments, including public schools. Through these funds, schools can get phishing training and malware detection. But as the budget struggle advances, many educators fear that these plans will be cut.
Perhaps the biggest risk is the end of the entire e-rate program, which can help schools pay for internet access. The Supreme Court plans to decide whether the funding structure for this period is unconstitutional tax.
“If that money goes away, they will have to pay somewhere,” Smith told the Student Data Privacy Alliance. “They will try to keep teaching and learning in ways that they are. The cybersecurity budget may be more likely to be cut.”
“It took a long time to get to the point where we see privacy and cybersecurity as key works,” Smith said. “I hate that we go back for a few years and don’t give them the attention they deserve.”
