One outcome of the heightened awareness about cybersecurity is a push for the Federal Communications Commission to expand its E-rate program to include cybersecurity.
Funds For Learning, a firm specializing in E-rate compliance, partnered with CoSN to petition the FCC for this expansion. Funds for Learning surveys its applicants every year, John Harrington, the organization’s CEO, told EdTech at CoSN2023. It then presents that data to the FCC.
“Ninety-eight percent of respondents say cybersecurity should be a part of E-rate,” Harrington said, citing Funds for Learning’s most recent E-rate Trends Report. “One of the strengths of the E-rate program is that it’s based around solutions, not specific technologies. The FCC went out of its way to be technology-neutral.”
E-rate’s subsequent success is, in large part, due to that flexibility, Harrington said. It doesn’t dictate which specific technologies schools or libraries must use to improve networking. It also includes services, and schools with managed networks can cover some of their monthly fees with E-rate dollars.
The program would work the same way for cybersecurity, Harrington said. This would be especially crucial because of how fast cybersecurity standards change.
“If you plan it around specific solutions, the regulations will always be chasing the technology. They’re always going to be outdated,” he explained.
E-rate’s flexibility would also be key in helping schools shore up their cybersecurity postures because of how different each school system is across the nation. “The schools themselves have different needs. If you make it one-size-fits-all, it will only work for about 10 percent of schools,” Harrington said.
Working to Create Guidelines and Solutions at the State Level
Two leaders shared their experiences working on cybersecurity standards and solutions at the state level in a Tuesday session titled “Developing Statewide Cybersecurity Programs; North Carolina and Indiana.”
Brad Hagg, the Indiana Department of Education’s director of educational technology, referred to himself and co-presenter Samuel Carter as the “chocolate and peanut butter session.” Both he and Carter, a systems architect at the Friday Institute for Educational Innovation, joked about their envy of the other’s successes.
Carter said that North Carolina likes to fund things, while Indiana has the people side of cybersecurity figured out.
To reinforce that point, Hagg listed the many partnerships within Indiana, including the Indiana CTO Council, the Hoosier Educational Computer Coordinators and the IDOE School Cybersecurity Community, which has a Moodle community that school technology leaders in the state can join.
Hagg also discussed the ongoing cybersecurity conversations that IDOE initiated in all counties across the state. “We know it’s critical to train all of the end users,” he said. “We have such a diverse community, and at each school, bus drivers have email addresses; cafeteria workers have email addresses; and those folks may not have very good technology skills or capacities, and that makes them extra vulnerable.”
His jealousy of North Carolina, in return, lies with the state’s funding and available solutions.
“We’re going to fill in the gaps to provide many common solutions that you’ll see in North Carolina,” Hagg said. “Endpoint detection and response, with a 24/7 security operations center behind it, is one of the big ones. We really want to provide that statewide.”
Carter shared how schools convinced the state government to pay for cybersecurity upgrades and received a nonrecurring allocation of $24 million. This allowed North Carolina schools to work with partners like KnowBe4, Zscaler, Palo Alto Networks, CrowdStrike, Identity Automation and others to improve K–12 cybersecurity practices statewide.
Both states also have cybersecurity laws in place to better protect schools and student data. Indiana’s HEA 1169, which was passed in 2021, requires schools to report any cybersecurity incident within 48 hours. North Carolina passed a law in 2022 that made it illegal for state entities, such as public K–12 school districts, to pay ransomware demands.
IT Leaders Tackle Data Privacy Challenges at the District Level
Cybersecurity challenges lead to data privacy concerns, as bad actors threaten to delete or expose vulnerable student data in ransomware attacks. As a result, schools and their IT teams are taking a closer look at what can be done to protect data privacy.
Moderator Pete Just, executive director of the Indiana CTO Council, surfaced this ongoing concern in Tuesday’s panel “Education and the AI Conundrum.”
“We should have concerns around personally identifiable information,” Just said. “Every district needs to wrestle with these considerations, not just for that product, but for every product.”
He asked panelists, who otherwise seemed optimistic about the use of ChatGPT in classrooms, about the data privacy concerns surrounding the technology.
Panelists admitted that it was something K–12 schools should be wary of. Keith Bockwoldt, CIO at Hinsdale Township High School District 86 in Illinois, noted that no one has gotten OpenAI, the creator of ChatGPT, to return a data privacy agreement or answer questions about the software’s use of data.
Responding to an audience member’s question about who owns generative AI outputs, Just shared that he asked ChatGPT a question about ownership and was given an answer that he called a hallucination. “That’s what they call it when the AI goes and gives you some crazy answer with a great deal of authority,” he explained.