The IT Nerd

The White House has announced a new effort to secure K-12 schools:

According to a 2022 U.S. Government Accountability Office report, the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time can take anywhere from two to nine months.  Further, the monetary losses to school districts following a cyber incident ranged from $50,000 to $1 million. That is why the Biden-Harris Administration has had a relentless focus on securing our nation’s critical infrastructure since day one, and continues to work tirelessly to provide resources that enable the U.S.’s more than 13,000 school districts to better protect and defend their students and employees against cyberattacks.

Allen Drennan, Co-Founder & Principal, Cordoniq had this to say:

As part of an overall strategy for cyber defense for K-12 schools, districts need to consider taking control over their implementation of both their LMS (learning management systems) and their virtual meeting solution. This is a necessity for controlling available, uptime and scale and handle issues related recovery management and for providing higher security standards and data privacy protection for students and teachers. Solutions that rely solely on cloud-based providers outside of control of the school district are subject to outages, availability concerns and malicious cyber threats.

As I have said previously, the education sector is a prime target for threat actors. Only through scaling the investments in cybersecurity can this sector be fully protected. Thus I applaud the White House for making this move.

UPDATE: Emily Phelps, Director, Cyware submitted this comment:   

“Since adopting digital technologies to adapt to a post-Covid world, securing public schools has become more challenging and more critical. We’re encouraged by the Department of Education’s announcement around strengthening cybersecurity resilience for K-12 entities. Working with CISA to develop practical, actionable guidelines and partnerships with private entities that can bolster K-12 public education’s defenses reinforces the commitment this administration has made to cybersecurity at federal and local levels. Collaboration and collective defense strategies are increasingly important to our public entities and citizenry, and as private-public partnerships garner attention and success, we hope these examples will motivate similar action.”  

Carol Volk, EVP, BullWall follows with this comment:    

“Google and the social media giants should be pumping money into K-12 cyber defenses and education, as they are as much the cause of this firestorm of malicious hacking as they are the benefactors of the younger generations embrace of 24-7 connectivity. With congress tightly focused on the responsibility these companies bear from social media fallout, we can expect these giants to be paying attention to this problem area.” 

UPDATE #2: Ani Chaudhuri, CEO, Dasera adds this:

The recent initiative by the Biden-Harris Administration to bolster cybersecurity in our K-12 schools is a commendable and urgently needed step. The surge in cyberattacks targeting the institutions that shape our future leaders has highlighted an alarming vulnerability. Imagine a nation where school districts are routinely disrupted, and the sensitive data of our children is compromised and auctioned off to the highest bidder.

In the 2022-23 academic year alone, we’ve seen significant cyberattacks on K-12 school districts that have compromised the personal data of students and employees. This isn’t just about data; it’s about our children’s future, their privacy, and the trust they place in the education system.

It’s heartening to see the federal government respond with vigor. The proposed pilot program, the collaboration between different governmental bodies, and the available resources to strengthen cybersecurity infrastructure are steps in the right direction. And while the involvement of education technology giants such as AWS, Google, and others is promising, it’s crucial to ask ourselves if it’s enough.

The real challenge is ensuring these policies and programs aren’t just reactive. We must be proactive, looking ahead to anticipate and thwart future cyber threats. Collaboration between public and private sectors should be constant, not just when disaster strikes. We must understand that the next generation’s education is now intrinsically linked with cybersecurity, and there is no room for complacency.

The increased attention to cybersecurity in our education system is a clear signal of our times. We need to instill a culture of cybersecurity from the classroom to the boardroom. Let’s not wait for another breach to shake us into action. The safety of our nation’s future is at stake.

CISA has released its FY2024-2026 Strategic Plan which sets out a vision to change the US’ national cybersecurity risk environment trajectory and builds on the White House’s strategy published last week.    

“Where the National Cyber Strategy calls for foundational shifts to help America outpace our adversaries and set a national agenda on our terms rather than theirs, and CISA’s Strategic Plan outlines how we’ll work together as a unified agency grounded in common values, our Cyber Strategic Plan focuses on the “how” and – of critical importance – how we’ll know if we’re making progress,” a statement by Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA noted.   

The plan outlines three goals: 

• Goal 1: Address Immediate Threats.   
• Goal 2: Harden the Terrain.   
• Goal 3: Drive Security at Scale.                                                                                                                                                   

The Plan notes that too often threat actors succeed because of insecure environments where enterprises are “too difficult to defend, and our technology products are too vulnerable to protect.” And while the steps to overcome this are known, the design and development of products must adapt to mitigate the impact of exploitable vulnerabilities.  

“We must help organizations, particularly those that are “target rich, resource poor,” take the fewest possible steps to drive the most security impact,” the Plan states. 

Jason Keirstead, Vice President of Collective Threat Defense, Cyware had this comment:   

“CISA is taking a pragmatic and holistic approach to their 2024-2026 strategic plan. Organizations lack the resources to effectively defend against known and emerging threats, and to outpace the adversary, the industry must collaborate more often and more effectively. Even organizations with mature cybersecurity programs often struggle to adequately safeguard every vulnerability. CISA’s focus on collaboration, intelligence sharing, and scalability has potential to measurably strengthen our overall security posture.”

Roy Akerman, Co-Founder & CEO, Rezonate follows up with this:   

“It’s commendable to witness CISA advancing the cybersecurity narrative in such a strategic manner. Drawing from my experiences with cyber defense in Israel, this step accentuates the criticality of prompt detection and response. The recognition that adversaries will always seek and often find vulnerabilities underscores the importance of evolving our SecOps and Identity and Access security programs. In essence, it’s about being several steps ahead, rather than merely reacting.” – Roy Akerman, CEO of Rezonate and former head of cyber defense operations for the Israeli Government.

Having a strategy is great. But it’s all about implementing this strategy and getting people to buy into it. I’m reserving judgement until I see how well that part is done. But on paper, this is a good move by the White House.

UPDATE: Wade Ellery, Field CTO, Radiant Logic had this to say:    

“The recent update to CISA’S comprehensive plan marks a significant stride in the nation’s ongoing efforts to bolster its digital security landscape. An identity-focused strategy stands out as an indispensable and highly effective approach to fortifying systems across the U.S.

Managing identities have become more complicated for organizations, regardless of industry or size. As the government looks to implement a comprehensive plan, it must take into consideration the types of attacks plaguing the U.S. – Identity-related attacks make up the bulk of cyber-attacks, calling into question the way businesses handle their identity data. 

Having clean, unified Identity data has emerged as a central pillar in safeguarding sensitive information, fending off cyber threats and ensuring the integrity of digital environments. This approach centers on verifying and managing the identities of users and allows for full visibility and control over who can access specific resources within a system. This fine-grained access control, integrated into a Zero Trust Architecture, can help minimize the attack surface, limit the risk of unauthorized parties entering the system and detect threats early on.”