The issue of K-12 cybersecurity has been getting a lot of attention from the federal government recently — and the policies resulting from those efforts could have big implications for education companies.
Earlier this month, the White House hosted its first-ever cybersecurity summit — a gathering of companies, ed-tech advocacy groups, school administrators, and teachers to launch efforts to enhance cybersecurity K-12.
And last month, Federal Communications Commission Chair Chair Jessica Rosenworcel rolled out a $200 million, three-year pilot program to strengthen cyber defense in K-12.
In a statement, Rosenworcel said the program’s aim is to “harden the cyberdefenses and determine the most effective methods to protect our schools and libraries.”
“Now is the time to take action,” she said.
The cyber plan has yet to be voted on by the FCC.
And that might not happen until the FCC has a full array of five commissioners, said Brian Stephens, the director of stakeholder engagement at Funds For Learning, an organization that consults with districts about the federal E-Rate program.
The U.S Senate is currently considering three of President Biden’s FCC nominees. Two are reappointments: Republican Brendan Carr and Democrat Geoffrey Starks.
If approved, the third — Anna Gomez, a Democratic telecommunications attorney who currently serves as a senior adviser for the State Department’s Bureau of Cyberspace and Digital Policy — would give Biden his first majority on the FCC since being elected more than two years ago.
For now, the K-12 community that has been pushing for more federal funding to help schools deal with an onslaught of cyberattacks will have to wait for the FCC to release its draft of the $200 million cyber pilot to see how the commission is planning to tailor the program.
To help education companies understand the implications of the FCC’s proposed cyber pilot, EdWeek Market Brief recently spoke with Stephens from Funds For Learning about the implications of the federal cybersecurity activity on schools — and on ed-tech vendors.
When do you think the public will see a draft proposal for the pilot?
That’s the big question, and what everybody wants to know. They may already have a working draft of a notice of proposed rulemaking related to this cybersecurity pilot. I don’t know that for certain, and have not not seen anything or heard anything official, but my sneaking suspicion is they may have that. So hopefully, it would not be too much longer after the FCC is full that we would be able to have a vote on a draft proposal and then have a comment period start.
As far as starting up the pilot program, the FCC managed to stand up the Emergency Connectivity Fund program in relatively short order, so we know that they get programs like that up and running pretty quickly.
Do you think the FCC has to have a full commission to move forward with the cyber pilot?
I don’t necessarily think so, but it’s a tough call because it’s a fairly significant step for them. It’s my sense that they want to make sure they have a full commission in place before they kind of stick their neck out there and move forward. There’s arguments back and forth about the FCC’s place in K-12 cybersecurity. I don’t necessarily think we would just automatically expect a deadlock if they were to have a vote on it today, but it probably feels a little bit more official, a little bit more complete, if they have the full commission.
What does your organization want to see in the pilot program?
Certainly we would like to see a fair amount of data. The E-rate program has a fairly large amount of data that we can actually go in and see what’s being purchased and what the costs are and that sort of thing. I would hope this pilot program has a mechanism for collecting information to gauge its efficacy and potentially inform the creation of a permanent program. One of the things that we would hope for to not be part of the pilot are really specific eligibility requirements in terms of the types of cybersecurity products and services that may qualify.
I would hope this [cybersecurity] pilot program has a mechanism for collecting information to gauge its efficacy and potentially inform the creation of a permanent program.
You do expect that there will some to limits on what type of equipment can be purchased?
Obviously there’s gonna have to be some fences around it in some form or fashion. But you know, there’s so many different approaches, so many different technologies, and the risk that the program would run if they get too specific about these eligibility requirements is that it just becomes dated in short order because that industry moves so quickly. In terms of what we want to see in the NPRM [noticed of proposed rulemaking] would be some flexibility in terms of what potentially would be able to be funded with this pilot program money.
What cyberprotections would districts actually be buying with this money?
Most likely I would think that the eligibility is going to stay fairly closely related to network security. In general, certainly next generation firewalls are one of the things that have been discussed, so I would fully expect that a part of the pilot would be, you know, fully funding firewalls. But I don’t necessarily think that it would be limited to just that. They could also look at other types of network security solutions that they could fund through the pilot program.
The more we drift into things like data privacy, content security, that kind of thing, that’s where it gets a little bit fuzzier for me. I don’t necessarily know entirely what the FCC’s role in that would be. But a large part of this pilot and the discussion surrounding it is going to be helping them determine here’s what is really appropriate for the FCC to fund.
Some education groups have pushed the FCC to expand E-rate eligibility to cover these type cyber protections. In the end, the FCC decided to do this $200 million pilot outside of the E-rate program. What are your thoughts on that?
I wouldn’t rule out the possibility that it kind of comes back around to the E-rate program at a certain point. A lot of that may depend on the outcome of the eligibility discussion. If what we get is a program where the focus is reasonably limited, network security and next generation firewalls, then it becomes a stronger argument to fold that into the E-rate program primarily just because the E-rate program already exists. It has an application process. It has rules and regulations. It’s already funding equipment that is going to be sitting in the same rack as the network security equipment. So it makes a lot of sense that E-rate could fund this with relatively few changes made to its structure or its rules.
Will that be dependent to some extent on the outcome of the pilot program?
The FCC over time has been pretty careful to keep E-rate’s mission fairly tightly focused. And over time, they’ve pulled things out of E-rate. So if the outcome of the pilot program is we really want to cast a wider net and provide funding for a broader range of security solutions then it may lend itself to an independent program, a program in addition to E-rate. If it swings the other way and we stay pretty tightly focused on just the network itself then I think there’s a very legitimate argument to be made that they can fit this into the E-rate program, especially since it’s already got an application process, an auditing process, checks and balances, all those sorts of things.
What role do you think ed-tech companies play in the K-12 cybersecurity discussion?
It’s important that they’re involved in the whole process. I expect that when we have a notice of proposed rulemaking, we’re going to see comments by a wide variety of companies in the industry, and certain equipment manufacturers. You’ve got this situation with school districts where many don’t have the resources to hire a dedicated cybersecurity officer or personnel.
In so many of the school districts across the country, the person who’s in charge of cybersecurity is also keeping the Wi Fi on and any number of other technology-related tasks. So I think the schools rely on their vendors as strategic partners for a lot of this stuff just because they lack resources.
Image by Getty.