United States: The Cybersecurity And Infrastructure Security Agency Tells K-12 Institutions To Start Small, Build Up, And Collaborate To Fight Cyberattacks

Key Takeaways:

• In the face of increased cybersecurity attacks and threats, Congress asked CISA to report on risks and develop a guide for K-12 institutions.
• Stakeholders expressed concerns regarding lack of resources and guidance to reduce cybersecurity risks.
• CISA recommends that institutions take small impactful steps to build cybersecurity;plan with budget constraints in mind;utilize partnerships;and collaborate with others.
• CISA has offered a variety of resources and tools to K-12 communities to support efforts to increase cybersecurity.

BACKGROUND

With the adoption of new technology, including the quick and unexpected shift to virtual learning because of the COVID-19 pandemic, K-12 institutions are at an increased risk of cyberattacks and threats thereof. The rise in cyberattacks has interfered with instruction while also putting at-risk students' and families' personal information and school data.

In 2021, Congress passed the K-12 Cybersecurity Act which required the Cybersecurity and Infrastructure Security Agency (CISA) to report on cybersecurity risks to elementary and secondary schools and develop recommendations that include cybersecurity guidelines to help schools develop policies and procedures to mitigate against risk. CISA published its final report ("Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats"), along with an online toolkit, in January 2023.

HEARING FROM STAKEHOLDERS

In its assessment of security risks and development of recommendations, CISA engaged numerous stakeholders to gather insights into cybersecurity problems and possible solutions. The agency spoke with school administrators, superintendents, and other education leaders. These stakeholders expressed a variety of concerns and communicated a need for:

• increased cybersecurity budgeting and support-noting that funding for cybersecurity must be earmarked as such because cybersecurity resource allocation will always compete with hiring needs and other priorities;
• clear, actionable guidance and cybersecurity plans;
• centralized governance in planning and advising regarding how to allocate cybersecurity resources; and
• more effective oversight and accountability.

In light of this feedback, and after analyzing the various kinds of cybersecurity threats and attacks made against educational organizations, CISA's final report outlined key findings and accompanying recommendations.

KEY FINDINGS AND RECOMMENDATIONS

In its report, CISA issued three key findings along with recommendations for each:

Key Finding 1. With finite resources, K-12 institutions can take a small number of steps to significantly reduce cybersecurity risk.

• Recommendation: Invest in the most impactful security measures and build toward a mature cybersecurity plan. CISA recommends the following action steps:
  • Implement high priority security controls.
    • Utilize Multifactor Authentication (MFA).
    • Fix known security flaws by keeping systems patched.
    • Perform and test backups.
    • Minimize exposure to common attacks.
    • Develop and exercise a cyber incident response plan.
  • Prioritize further near-term investments.
    • Align investments with full list of CISA's Cybersecurity Performance Goals (CPGs).
  • Develop a unique cybersecurity plan.
    • Leverage the National Institute for Standards and Technology's (NIST) Cybersecurity Framework to tailor the plan to the entity's existing technology and risk environment.

Key Finding 2.

Many school districts struggle with insufficient IT resources and cybersecurity capacity.

• Recommendation: Recognize and actively address resource constraints. CISA recommends the following action steps:
  • Work with the state planning committee to leverage the State and Local Cybersecurity Grant Program (SLCGP).
    • Provides grants totaling one billion dollars to U.S. state, local, territorial, and tribal governments over the next four years.
    • Participation requires each state, territory, or district to establish a cybersecurity planning committee that coordinates, develops, and approves a cybersecurity plan.
  • Utilize free or low-cost services to make near-term improvements in resource-constrained environments.
    • CISA has published a Free Cybersecurity Services and Tools catalog which provides a list of all the free public and private sector resources entities may use to reduce their cybersecurity risk.
  • Expect and call for technology providers to enable strong security controls by default for no additional charge.
    • K-12 organizations should expect technology used for core educational functions (i.e., learning management, student administrative systems) to have strong security controls enabled by default.
  • Minimize the burden of security by migrating IT services to more secure cloud versions.
    • Eliminate on-premises systems because most smaller organizations cannot continuously handle the security and time commitments of running on-premises services.

Key Finding 3.

No K-12 entity can singlehandedly identify and prioritize emerging threats, vulnerabilities, and risks.

• Recommendation: Focus on collaboration and information sharing. CISA recommends the following action steps:
  • Join relevant collaboration groups, such as MS-ISAC and K12 SIX. Members receive critical alerts about current threats, risks, and vulnerabilities, as well as free cyber tools, resources, and services and 24/7 access to assistance that includes threat incident analysis.
  • Work with other information-sharing organizations such as fusion centers, state school safety centers, other state and regional agencies, and associations.
  • Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.

CISA made clear that its engagement with the K-12 cybersecurity community transcends the issuance of this report. It has committed to working with technology providers to encourage the provision of free or low-cost security tools and products that are secure by default and designed for K-12 institutions. The report is merely a first step in the building of school communities that are increasingly resilient in the face of cybersecurity threats and cyberattacks.

We understand the challenges independent schools face in this complex and competitive market, and we work closely with administrators and key stakeholders to help address legislative or regulatory changes and manage complex, sensitive issues including cyber breach prevention and response strategy. For the latest developments in privacy and data security, you can turn to our blog - Security, Privacy and the Law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.