New FCC Pilot Shores Up Security for K-12, Libraries

One month after the Seattle Public Library's systems went down as part of a ransomware attack, the library is just beginning to restore services to staff and patrons. Some resources are back and running, but the library is far from being fully functional. 

"While staff will be back on the Library's network after Tuesday, June 25, they will still not be able to access patron accounts or our catalog for a bit longer," the library said this week. "This is due to the Library's operational capacity throughout the recovery process — each newly recovered system requires appropriate assessment, testing, communication, documentation, and if necessary, troubleshooting."

After that is complete, the technology team plans to work toward restoring access to patron accounts, the library catalog, and other services, like free in-building Wi-Fi, computers, and printers, that are vital to community members. However, it's still not clear when services will be fully restored, leaving many who rely on the library for access to these resources out in the cold. 

The Seattle Public Library is just one of many public institutions that have fallen victim to cyberattacks. A cyberattack last October has the British Library still scrambling to restore services more than nine months after the infiltration. And according to the Center for Internet Security nearly a third of U.S. K-12 schools in its network have been victims of a cyberattack.

Around the world, schools and libraries face an increasing number of cybersecurity threats and attacks targeted at disrupting and disabling critical networks, leading to the disruption of school and library operations, reduced bandwidth, monetary losses, loss of learning opportunities, and theft and leaks of student, staff, and library patron personal information, according to the Federal Communications Commission (FCC). 

To combat this threat, the FCC recently voted to approve the Schools and Libraries Cybersecurity Pilot Program, a three-year initiative that will provide up to $200 million in Universal Service Fund support to pay for advanced firewalls, endpoint protection, identity authentication, and monitoring systems. (Schools and libraries interested in learning about how to apply for program funding can find information at the FCC website.)

"This is a landmark moment for schools and libraries across the nation," said John Harrington, CEO of Funds for Learning, in a statement. "The cybersecurity threats facing our educational institutions are significant. This pilot program represents a crucial step in providing the resources necessary to safeguard sensitive information and maintain secure, reliable access to digital learning tools." 

Investing in Schools, Libraries Is Key

The federal funding fills a gap in school and library budgets because, with everything on their plates, it's challenging for these organizations to make cybersecurity a priority, says Johnathan Kim, director of technology at the Woodland Hills School District in North Braddock, Penn.

“A big part of it, especially here in western Pennsylvania, is budgeting,” says Kim. "Since I have been in education, since around 2017, the budgets keep getting smaller and smaller or staying flat, while everything else is raising. While we have a million-dollar budget for technology, it's been the same." 

The average school spends less than 8% of its technology budget on cybersecurity, and one in five spends less than 1%, according to the Center for Internet Security. 

Participants in the pilot program will receive funding on a per-student or per-library basis to help cover the costs of enhancing cybersecurity equipment and services, according to an FCC spokesperson. Funding will be split among rural and urban large and small organizations, with an emphasis on funding programs for low-income and tribal applicants.

The FCC encourages consortia of schools and libraries to apply together, as consortia have buying power that can help reduce costs and allow less technically savvy organizations to partner with better-resourced schools and libraries. State and local government entities, including educational service agencies, are not eligible for discounts or funding under the pilot program, but they can serve as a consortium leader for eligible schools and libraries. 

The Woodland Hills district was able to reduce spend on endpoint protection from $300,000 to $20,000 per year by participating in a state consortia, Kim said. 

Don't Have to Have a Big Budget

While increased funding is important, not all cybersecurity success for schools and libraries depends on having a big budget. 

"I think one of the big things is to understand that this is a huge puzzle. You don't start by consuming it all at once," said Curt Godwin, network operations coordinator for the Forsyth County Schools in Georgia, at a June webinar held by Funds for Learning. "You start with the small pieces. Do the things that you can do that cost very little time, effort, money or personnel."

Things to tackle first could include evaluating and establishing cybersecurity policies and training staff and students to handle information security.

"All of these things you do and look at can make a huge impact in reducing your threat surface, while having a very minimal impact on your finances," Godwin said. "Now, that's not to say that there aren't things that you will have to spend money on, and, thankfully, this program may help in going a long way to address that, but there are things you can do to shore up your defenses that cost very little money. Hit those first. Start changing the culture of your organizations to make this an easier thing to protect because if you try to do it all at once, it's going to fail." 

David Vignery, director of technology at Lawrence Public Schools in Kansas, echoed Godwin’s sentiment. 

"There are a lot of things that you can do today that don't cost a whole lot of money," he said, adding that making sure you have a strong firewall and leveraging best practices is a good start. 

Helping the community understand what threats they actually face, and how they could be impacted, is important to getting buy-in. To drum up support and educate the district in Lawrence, Vignery created a security awareness group to work on an incident response playbook that helped different groups understand what kinds of events could occur and how they would be affected. 

"It created some buy-in at all levels across the organization," Vignery said. "And so now, when we talk about [security threats], people really, truly understand why we need to focus some budget dollars to this or that, and to protect tech information and our infrastructure. You're not too small to do this, and you're not too big to do this. So you just get in there and go."