Mar 22 2023
CoSN2023: Cybersecurity Conversations at the District, State and Federal Levels

Attendees and presenters had a lot to say about cybersecurity needs and initiatives at this year’s Consortium for School Networking conference.

K–12 cybersecurity conversations are happening at the district, state and federal levels. An increase in cyberattacks against schools has leaders re-evaluating security needs, and with that come concerns about upkeep, funding and legality.

All of these aspects were topics of conversation at the Consortium for School Networking’s 2023 conference. Security-focused sessions drew large crowds, and conversations about cybersecurity sprang up in the event’s expo hall and spotlight presentations.

The buzz around cybersecurity reflects CoSN’s consistent findings that cybersecurity is the No. 1 priority for IT leaders.

Here’s what presenters and attendees had to say about it at every level:

The Push to Fund School Cybersecurity at the Federal Level

While schools had the opportunity to use limited federal funds, such as ESSER monies, to invest in improved cybersecurity solutions and services, many K–12 leaders are growing increasingly concerned about the impending funding cliff. Without continued financial support from the federal government, schools aren’t confident they will be able to sustain the cybersecurity improvements they have made over the past couple of years.

One outcome of the heightened awareness about cybersecurity is a push for the Federal Communications Commission to expand its E-rate program to include cybersecurity.

Funds For Learning, a firm specializing in E-rate compliance, partnered with CoSN to petition the FCC for this expansion. Funds For Learning surveys its applicants every year, John Harrington, the organization’s CEO, told EdTech at CoSN2023. It then presents that data to the FCC.

“Ninety-eight percent of respondents say cybersecurity should be a part of E-rate,” Harrington said, citing Funds For Learning’s most recent E-rate Trends Report. “One of the strengths of the E-rate program is that it’s based around solutions, not specific technologies. The FCC went out of its way to be technology-neutral.”

E-rate’s current success is due, in large part, to that flexibility, Harrington said. The program doesn’t dictate which specific technologies schools or libraries must use to improve networking. It also includes services, and schools with managed networks can cover some of their monthly fees with E-rate dollars.

The program would work the same way for cybersecurity, Harrington said. This would be especially crucial because of how fast cybersecurity standards change.

“If you plan it around specific solutions, the regulations will always be chasing the technology. They’re always going to be outdated,” he explained.

E-rate’s flexibility would also be key in helping schools shore up their cybersecurity postures because of how different each school system is across the nation. “The schools themselves have different needs. If you make it one-size-fits-all, it will only work for about 10 percent of schools,” Harrington said.

Working to Create Guidelines and Solutions at the State Level

Two leaders shared their experiences working on cybersecurity standards and solutions at the state level in a Tuesday session titled “Developing Statewide Cybersecurity Programs; North Carolina and Indiana.”

Brad Hagg, the Indiana Department of Education’s director of educational technology, referred to himself and co-presenter Samuel Carter as the “chocolate and peanut butter session.” Both he and Carter, a systems architect at the Friday Institute for Educational Innovation, joked about their envy of the other’s successes.

Carter said that North Carolina likes to fund things, while Indiana has the people side of cybersecurity figured out.

To reinforce that point, Hagg listed the many partnerships within Indiana, including Indiana CTO Council, the Hoosier Educational Computer Coordinators and the IDOE School Cybersecurity Community, which has a Moodle community that school technology leaders in the state can join.

Hagg also discussed the ongoing cybersecurity conversations that IDOE initiated in all counties across the state. “We know it’s critical to train all of the end users,” he said. “We have such a diverse community, and at each school, bus drivers have email addresses; cafeteria workers have email addresses; and those folks may not have very good technology skills or capacities, and that makes them extra vulnerable.”

His jealousy of North Carolina, in return, lies with the state’s funding and available solutions.

“We’re going to fill in the gaps to provide many common solutions that you’ll see in North Carolina,” Hagg said. “Endpoint detection and response, with a 24/7 security operations center behind it, is one of the big ones. We really want to provide that statewide.”

Carter shared how schools convinced the state government to pay for cybersecurity upgrades and received a nonrecurring allocation of $24 million. This allowed North Carolina schools to work with partners like KnowBe4, Zscaler, Palo Alto Networks, CrowdStrike, Identity Automation and others to improve K–12 cybersecurity practices statewide.

Both states also have cybersecurity laws in place to better protect schools and student data. Indiana’s HEA 1169, passed in 2021, requires schools to report any cybersecurity incident within 48 hours. North Carolina passed a law in 2022 that made it illegal for state entities, such as public K–12 school districts, to pay ransomware demands.

IT Leaders Tackle Data Privacy Challenges at the District Level

Cybersecurity challenges lead to data privacy concerns, as bad actors threaten to delete or expose vulnerable student data in ransomware attacks. As a result, schools and their IT teams are taking a closer look at what can be done to protect data privacy.

Moderator Pete Just, executive director of the Indiana CTO Council, surfaced this ongoing concern in Tuesday’s panel “Education and the AI Conundrum.”

“We should have concerns around personally identifiable information,” Just said. “Every district needs to wrestle with these considerations, not just for that product, but for every product.”

He asked panelists, who seemed otherwise optimistic about the use of ChatGPT in classrooms, about the data privacy concerns surrounding the technology.

Panelists admitted that it was something K–12 schools should be wary of. Keith Bockwoldt, CIO at Hinsdale Township High School District 86 in Illinois, noted that no one has gotten OpenAI, the creator of ChatGPT, to return a data privacy agreement or answer questions about the software’s use of data.

Responding to an audience member’s question about who owns generative AI outputs, Just shared that he asked ChatGPT a question about ownership and was given an answer that he called a hallucination. “That’s what they call it when the AI goes and gives you some crazy answer with a great deal of authority,” he explained.

Photography by Rebecca Torchia