As cyberattacks on schools grow increasingly disruptive and complex, the Federal Communications Commission wants to hear what educators think about allowing schools to use federal E-rate funds to pay for more advanced internet security firewalls.
The request for comment on that proposal—often the first step in revising the rules for federal programs—was posted Dec. 14, and comments are due Feb. 13.
The FCC is likely to get an earful from the K-12 community over the next two months, including some voices clamoring in favor of the proposal, and others who caution it may divert resources from the E-rate’s primary focus of connecting schools and libraries to the internet, without doing much to improve cybersecurity.
On the one hand, the FCC’s move follows more than a year of pleading from district superintendents, tech leaders, and even members of Congress, for additional resources for K-12 cybersecurity.
For instance, less than two months ago, more than 1,100 school districts submitted a joint letter asking the FCC to revise the E-rate’s more than a decade old definition of “firewall” so that districts could use the money to upgrade their cybersecurity resources to meet current needs.
“School districts and libraries nationwide are fighting increasingly sophisticated cyberattacks and their aftermath with funding meant to be used for meeting the instructional … needs of our students,” the districts wrote.
And just last week, Rep. Doris Matsui, D-Calif., wrote to FCC Chair Jessica Rosenworcel asking her to explore allowing districts to tap federal E-rate funds for cybersecurity.
Fans of the idea of using E-rate funds, in part, for cybersecurity include the Consortium for School Networking or CoSN, the Council of the Great City Schools, the State Educational Technology Directors Association, and the National School Boards Association.
“Threats to education data and networks have continued to grow,” said Keith Krueger, CoSN’s executive director, in an email. “We hope the agency will work swiftly following the comment period, given the severe cybersecurity risk to our students, educators, and school systems.”
But not everyone is thrilled about the prospect of tapping the E-rate for cybersecurity.
AASA, the School Superintendents Association, understands the need for more resources to protect schools, but isn’t sure that the E-rate is the best way to provide them, said Noelle Ellerson Ng, the organization’s associate director for advocacy and governance.
She worries that expanding the E-rate to include advanced internet firewalls could divert from its primary mission of connecting students and educators to the internet. Her organization plans to submit that perspective to the FCC.
“This is honestly a great step forward for developing a record of what does and doesn’t work, and what is and is not well received in the field by practitioners to help solve and address the very real issue of cyber before making any significant changes to the E-rate program,” Ellerson Ng said.
The E-rate program has been around since the mid-1990s and is financed by fees on certain telecommunications services.
Currently, the program has a spending cap of $4.4 billion, but it has been allocating far less than that. Last year, E-rate doled out about $2.5 billion, and the year before that, it gave out a little less than $2.1 billion. The lower demand for the funds is due, in part, to changes made to the program in 2014.
The K12 Security Information Exchange, a nonprofit focused on helping schools prevent cyberattacks, estimated that there have been more than 1,330 publicly disclosed attacks since 2016, when the organization first began tracking these incidents. Hackers have targeted districts of all sizes, including Los Angeles Unified, the nation’s second largest.
“I think there’s no question that schools need support around cybersecurity,” said Doug Levin, the national director of the K12 Security Information Exchange.
But Levin said it’s not clear the E-rate is the best way to provide those resources, given that the U.S. Department of Education and the Cybersecurity Infrastructure Security Agency (CISA) also have responsibility for helping schools secure their networks.
CISA, for instance, has advised schools to train their staff on cybersecurity, put in place multi-factor authentication, and patch exposed servers, Levin said. They have not recommended advanced firewalls, he said.
“We don’t have full-time IT staff in every school district, much less have cybersecurity expertise in school districts,” Levin said. “These are advanced tools that require configuration, ongoing monitoring, and maintenance.”
What’s more, if money and technology were all it took to solve cybersecurity woes, then big, well-resourced companies would be safe from cyberattacks, Levin said. But they are not.
Cybersecurity “is an issue that plagues organizations with much greater money and much greater technology, technological expertise, and capacity than schools have,” Levin said.