As schools have become a top target for cyberattacks, the Cybersecurity and Infrastructure Security Agency has developed multiple tools and resources in recent years to help schools protect themselves and their vulnerable information, said Trent Frazier, acting assistant director for stakeholder engagement at CISA.
For instance, school districts are eligible to use CISA’s free Cyber Hygiene Services, in which the federal agency scans and tests local governments’ external networks or public web applications for vulnerabilities. So far, about 1,500 schools have signed up for this vulnerability scanning service, Frazier said. Other resources schools can tap into include guidance released last year detailing the cybersecurity risks schools face and best practices for handling them.
In a recent discussion with K-12 Dive, Frazier noted how CISA views its role in K-12 cybersecurity, the Biden administration’s push to hold technology companies accountable for cybersecurity, and CISA's budding partnership with the U.S. Department of Education.
Editor’s Note: The following interview has been edited for brevity and clarity.
K-12 DIVE: Tell me more about CISA joining forces with the Education Department to improve schools’ cyberdefense.
TRENT FRAZIER: There's a number of areas I think that really cemented that closer partnership. One is just the increasing recognition that schools are being actively targeted.
In the past, cybersecurity adversaries were very focused on either corporate or military espionage or extraction of financial returns. But what we see now is that increasingly, schools are being targeted because they house our most sensitive populations. And our adversaries see them as a vehicle not only to carry out ransomware attacks where they can extract some of those financial returns, but also as a means to just sow disarray and really create disruption within society.
Because of that, we want to make sure that schools are really prepared and equipped to not only protect themselves, but ultimately to restore capability and operations when they are attacked.
The Department of Education is an incredible partner with us. And the recent implementation of the new government coordinating council for the K-12 sector, I think is a great first step. That GCC is going to be a real opportunity, because it helps to bring together work that's underway across federal, state and local partners, and it helps us to coordinate effectively in ways that we can more efficiently marshal our resources in a combined passion to help address school needs where they're needed most.
K-12 DIVE: Given that the Biden administration is aiming to hold technology companies more accountable for improving cybersecurity, do you think CISA’s voluntary ed tech pledge has helped accomplish that goal?
FRAZIER: I do. I think it's helpful, really, in a number of ways. But the premise behind that pledge is really restructuring the entire orientation of the marketplace towards radical transparency. What we really are thinking through in this context is: What are the key incentives that help shape and drive actions within the marketplace for software products that support schools?
That pledge is a real integral step to helping to shape that marketplace. One, by establishing parameters that product developers themselves can sign onto that really reflect best practices and how they're delivering on the products that they're ultimately providing to schools. And two, giving our educational community a real foundation for the discussions that they need to be having when they're thinking about products that they want to acquire.
Because it creates that transparency, it automatically creates a valuable feedback loop within the marketplace itself. If you're a company and you've signed onto that pledge, you've made a commitment to the customers that you support to provide products that meet the conditions of that pledge.
K-12 DIVE: What are you hearing from the K-12 districts that are working with these ed tech companies that have signed CISA’s pledge?
FRAZIER: Well, I think what we're seeing right now is a lot of companies really doing some self-examination on the products that they're delivering. And we're seeing a lot of schools asking tougher questions on the products that they're acquiring. I think because we're in the early stages of the implementation of that pledge, we will start to see a real clear evolution in the types of products and services being delivered.
And I think we'll start to see a much more educated customer base, which we're very excited about, because that really is a reflection of the larger, secure-by-design concept — that customers should have higher expectations for security for the products that they're acquiring, and that product providers should deliver on those expectations.
K-12 DIVE: Are there other ways CISA plans to hold schools and ed tech companies accountable for securing these sensitive K-12 networks?
FRAZIER: We're not thinking through ways to hold schools accountable. We're actually thinking through ways to really fundamentally support them.
I think that our schools have a Herculean task in educating the students in this country, and we want to be supportive of that. So what we're thinking through are ways that we can help schools more readily access the resources that we provide them and implement those resources.
One of our more recent efforts, thanks to the bipartisan infrastructure law, was to enact the first State and Local Cybersecurity Grant Program, which provides resources directly to states to help them actually implement a number of the kinds of measures that we've talked about, and schools are specifically identified as an eligible entity within that grant program.
K-12 DIVE: What do you think is the most important takeaway for schools amid all these initiatives from CISA?
FRAZIER: The takeaway message, the one that I often want to make sure folks understand really, is that cybersecurity is candidly a team effort. A lot of times in this discussion, when we talk about cybersecurity, we sort of orient toward either the school, for example, or the individual or the federal government or the state government. But really all of us have a part to play. And it's really critical that each of us take advantage of the resources that are being provided.