The Federal Communications Commission has wrapped up its initial public comment period on a proposal to allow school districts to use federal E-rate money for advanced cybersecurity tools.
Most in the K-12 community are hoping the FCC takes action sometime this summer or fall to expand E-rate eligibility to include modern firewalls and other cybersecurity products. That would allow school districts to start using those federal funds to defend their networks beginning in 2024.
But it’s no guarantee the FCC will ultimately move in that direction.
The question of whether cybersecurity tools should be funded under E-rate — ranging from advanced firewalls to anti-virus and anti-spam software to intrusion prevention and protection devices — has come before the commission before.
And the FCC has declined to expand eligibility for those items in the past to “to ensure that limited E-rate funds” are directed to the program’s “primary purpose of providing connectivity,” according to the commission’s public notice.
The current landscape, however, is hard to ignore: Cyberattacks targeting districts have ramped up in recent years, and they are not only more frequent but more complex, costly, and disruptive. Add to that: school districts in a post-pandemic setting are reliant on their networks for everyday learning more than ever before.
To help education companies understand the implications of the change under consideration by the FCC, EdWeek Market Brief recently spoke with John Windhausen Jr., executive director of the Schools, Health and Libraries Broadband Coalition, a group that supports the policy shift.
“They need to figure out what those advanced features and functions are that should or should not be included,” said Windhausen. “That means we’ve all gotta do our homework to define more specifically what E-rate is going to cover. But it really needs to cover something because the schools and libraries don’t have enough funding right now in order to protect their networks.”
What’s at issue?
Schools and libraries use the $4 billion annual E-rate program to improve internet connectivity, paying for service and hardware used to support broadband and Wi-Fi on campus.
When it comes to cybersecurity, the program currently funds basic firewalls, but district officials and organizations that represent K-12 tech leaders have said that equipment is antiquated and leaves networks vulnerable.
Districts and ed-tech groups are asking the FCC to update its definition in the E-rate program of a firewall to include next-generation equipment.
Los Angeles Unified schools superintendent Alberto Carvalho summed it up in a letter earlier this month to the FCC: Basic firewalls — as currently defined by the E-Rate program — “do not include industry standard features, and fall short of what the marketplace considers a basic firewall necessary to counter the most common cyberattacks,” he wrote.
Another key issue: Funding.
It would cost the E-rate program almost $2.4 billion annually to fund advanced network security services for all K-12 schools across the country, according to an estimate from CoSN and Funds For Learning. The FCC has described E-rate funds as constrained, and as a result the program “is not able to fund every service that potentially serves an educational purpose.”
But in a letter filed with the commission last week, a coalition of more than 10 groups that represent K-12 schools — including CoSN, the State E-rate Coordinators’ Alliance and the Schools, Health and Libraries Broadband Coalition — highlighted annual unspent E-rate dollars.
Over the past four years of the program, more than $7 billion of undisbursed E-rate funds could have been made available for advanced or next-generation firewalls, the groups estimate.
“The Bureau should not allow E-rate funds to continue going unused when schools and libraries desperately need assistance to acquire advanced and next generation firewalls to protect the integrity of their broadband connections, networks, and data,” they wrote.
One other issue to consider: If added to the eligible items list, next-generation firewalls are expected to be covered under Category Two of the E-rate program, which pays for on-campus hardware or networking equipment (basic firewalls are currently covered under Category Two).
School districts receive a budget for Category Two funds set on a five-year cycle, and have the discretion to spend all of that budget in one year or spread it out however they see fit. Funding is calculated based on enrollment.
[S]chools and libraries don’t have enough funding right now in order to protect their networks.John Windhausen, Schools, Health and Libraries Coalition
Ed-tech groups and district officials want the FCC to increase the cap for Category Two funding to make sure schools don’t have to choose between making network upgrades to boost campus connectivity or buying tools to defend their networks under current budget limits.
In its letter to the FCC, the coalition of ed-tech groups proposed a “modest” increase to Category Two budgets. Meanwhile Carvalho, the LAUSD superintendent, highlighted a proposal put forth by computer networking giant Cisco Systems in 2020 calling for a 10 percent increase to Category Two budgets.
How any of this will work out is yet to be determined, as the FCC is still in the early phase of a proposed rulemaking process that started in mid-December when it asked for public comments on its proposal.
That first public comment period ended last week, and ed-tech leaders, tech firms, school districts, and other interested parties submitted dozens of letters to the FCC in the days leading up to the deadline.
As part of its inquiry, the FCC asked the public to weigh in on whether E-rate should cover advanced cybersecurity tools, and if so what specific equipment and services should be funded, along with how funding should be prioritized.
Here’s how Windhausen, of the Schools, Health and Libraries Broadband Coalition, sees the issues at stake.
Do you believe the FCC will move forward with expanding E-rate eligibility? Or this is more of a fact-finding mission on their part?
It’s hard to say. It was a very positive step that the FCC moved forward to ask for comment on a petition that we filed almost two years ago. So we view that as finally the FCC is opening the door to take a look at this question. This is a positive development. At the same time, the tone of the public notice was very careful, and it didn’t make any promises. [The agency] didn’t tip their hand as to what they were going to do. If anything, some portions of the public notice suggested that there may be other ways of funding cybersecurity other than through the E-rate program, so we’re not quite sure whether the FCC is inclined to support the end goal that we’re seeking.
What type of issues are the FCC going to have to consider as part of this inquiry?
There are some tricky questions that come up when you start to ask what should E-rate cover. For instance, should cybersecurity costs be included in Category One, or Category Two, or both? Should there be a budget cap on the amount of funds made available for cybersecurity expenses? What kind of advanced features and functions should be eligible for E-rate support? These are not yes-or-no, black-or- white questions.
The technology keeps changing, and you can do some cybersecurity through network equipment, and then other forms of cybersecurity can be administered through the cloud. So the FCC has to be careful that it doesn’t skew the market in favor of equipment or cloud-based cybersecurity options.
You mentioned that the FCC has raised the idea of new cybersecurity funding for schools coming from outside of the E-rate program. What could that look like?
Perhaps CISA (the Cybersecurity & Infrastructure Security Agency) could provide some funding, or maybe the Department of Education. Those are options, but I guess those other options don’t fit as neatly as the E-rate program does because the E-rate program is all about connectivity, and if your network goes down during a cyber attack, you don’t have any connectivity. So it makes total sense that cybersecurity should be included in the E-rate program to promote that connectivity objective.
The technology keeps changing, and you can do some cybersecurity through network equipment, and then other forms of cybersecurity can be administered through the cloud.
How would having to navigate multiple federal agencies complicate things for school districts?
The E-rate program is supposed to provide support to make sure that all schools and libraries have adequate broadband connections, and it would be awkward for schools and libraries to go to the FCC for one component of that funding and then have to go to some other agency for a different component of that funding all to serve the same objective, which is connectivity. Getting two or three different government programs involved they could all operate under different rules. It sets up the possibility that there could be quite a bit of inconsistency among the federal agencies about what they require, and you don’t want that.
Is the FCC going to increase Category Two budgets?
There’s certainly a very strong need for it, but the budgets that were created for E-rate did not include cybersecurity expenses. So if you add cybersecurity as an eligible expense, they should provide additional funds for it. But the FCC has to balance its bang for the buck.
One group that represents K-12 schools proposed a three-year pilot program to fund advanced cyber tools under E-rate. Is a pilot program is the best way forward?
I can’t say at the moment which way is the right way to go. [My coalition] is hoping for a permanent addition to the eligible services list. But we’re not opposed to a trial period, or a pilot program if that’s the way that the FCC feels more comfortable going. We think there’s a strong case for permanent funding because you’ve seen a huge number of cyber attacks against schools and libraries, so the demand is certainly very real and immediate.
Image by Getty