FCC’s E-Rate program needs to cover cybersecurity, senators told

E-Rate, the Federal Communications Commission program that gives school districts discounts on network devices, needs to be revised to cover purchases of cybersecurity products, U.S. senators were told Wednesday by a leading K-12 cybersecurity expert.

During a hearing on cybersecurity in the education and health sectors, members of the Health, Education, Labor and Pensions Committee asked what additional resources organizations in those industries need to better protect themselves from ransomware, phishing schemes, denial-of-service attacks and other breaches, especially as both education and health services have became more tech-dependent than ever during the COVID-19 pandemic.

“We can’t just call it a day after we make technology easy to use and access,” the committee’s chair, Sen. Patty Murray, D-Wash., said in her opening remarks. “We need to make sure it is safe and secure. Even when a hospital or school is doing everything right, there are always new threats they may not be able to be prepared for.”

Murray noted attacks in her home state, including incidents that affected local health departments and a 2021 breach that swept up the data on more than 1 million people who’d applied for unemployment benefits. The panel’s top Republican, Bill Cassidy of Tennessee, said he was concerned about attacks targeting K-12 schools, “because it can take years to discover that a child’s identity has been stolen.”

Amy McLaughlin, the cybersecurity program director for the Consortium for School Networking, which represents IT professionals in the K-12 sector, said one of the best steps the federal government could take is if the FCC updated what it allows schools to purchase using E-Rate discounts beyond the 20-year-old menu of internet subscriptions and internal networking devices.

“The E-rate program does not fund cybersecurity or network defenses,” she said.

That’s become a growing issue, McLaughlin said, as cyberattacks take an ever-growing toll on school districts, their students and their teachers.

“The impacts on K-12 school districts, teachers and students include lost instruction time, damage to schools’ reputation, high financial costs, rising cyber insurance costs, financial and credit hardship for students and teachers from the loss of personal data and rising mental health impacts, including increases in anxiety and depression,” she said, listing incidents that’ve affected educators and students in Fairfax County, Virginia; Hartford, Connecticut; and Miami-Dade County, Florida.

She mentioned the E-Rate program after noting that protective technologies like next-generation firewalls, endpoint-detection software and multi-factor authentication protocols can be prohibitively expensive for schools already lacking the resources to hire cybersecurity professionals, let alone the tools needed to put up an adequate defense.

“It’s like funding a racecar without seatbelts and airbags,” McLaughlin told StateScoop after the hearing.

Meanwhile, the attacks keep coming: Josh Corman of I Am the Cavalry, a cybersecurity volunteer organization that worked with the Cybersecurity and Infrastructure Security Agency to protect the health sector in 2020, said there’s been a ransomware “revolution” that’s given malicious actors a working business model in freezing up organizations’ networks and data.

“Why do you rob banks?” he said, quoting the early 20th-century gangster John Dillinger. “Because that’s where the money is. The unavailability of what’s important to you can be monetized. When you’re rewarded with financial payment, you keep doing it.”

Ransomware, he continued, has reached a point where it’s become “nearly unstoppable,” saying that years of successful attacks “funded their R&D.” Schools in particular are “target rich, cyber poor,” he said.

But short of an E-Rate overhaul, McLaughlin and the other witnesses said the federal government can do more to promote the services that CISA and other agencies offer, including providing greater support to the information-sharing and analysis centers operated by various sectors. Denise Anderson, president and CEO of the Health ISAC, said that she frequently pushes products from CISA and the Department of Health and Human Services to her members. She also said that during her previous experience running the Financial Services ISAC, the Treasury Department’s support resulted in a “tsunami” of banks joining.

“If we can educate, that would be a great thing,” she in response to Sen. Maggie Hassan, D-N.H.

Schools face a steep hurdle, too. McLaughlin told the senators that 65% of CoSN’s member districts have fewer than 2,500 students, with staff sizes to match.

“Having someone who knows there’s a resource becomes a challenge,” she said.