As the back-to-school season comes to an end, the stakes are higher than ever for K-12 cybersecurity leaders. The start of a new school year always comes with significant change management — new systems being implemented, new student accounts being created, and new lesson plans being developed leaving staff more overwhelmed and distracted. Attackers know this and take advantage.  

This year, there’s another layer to this heightened risk: on Sept. 30, the Cybersecurity Information Sharing Act of 2015 (CISA 2015) expired, and now, schools have forever lost a valuable information sharing structure that keeps them apprised of the latest threats. Losing CISA 2015 means losing protections that enable schools to safely and legally share data and threat intelligence, so certain structures will have to change. It is in our students’ best interest to prepare education institutions for this reality.  

What Is CISA 2015 and Why Is It Important?

CISA 2015 provided K-12 schools with indemnity through a safe way to share and receive cybersecurity training and insights without legal risk. Given many schools don’t have the resources to have cybersecurity experts on staff, IT teams are often left in charge of cybersecurity protections. These teams relied on the crowdsourced infrastructure afforded by CISA 2015 for guidance on identifying, responding to, and remediating threats effectively. Without it, we’ll likely see schools revert to overly restrictive data sharing practices, like data isolation, network restrictions, or a reduction in vendor partnerships. 

Ultimately, this signals an important shift in governmental cybersecurity frameworks from the top down. In lieu of the re-authorization of the Act, there are pivotal measures that need to be taken across state and local governments to implement new structures of ensuring the safety of our students, teachers, and their data.  

Longer Term: How Can States Take Action? 

Without the protections afforded in CISA 2015, state and local governments will have to take more responsibility in building an effective cybersecurity framework, while voters and local officials will need to advocate for the necessary funding and structures to do so. 

We’re already seeing states like Texas, Arizona, and North Carolina introduce cyber commands and whole-of-state frameworks to cybersecurity. This approach is a collaborative strategy where a state’s various state and local government agencies, educational institutions, and private partners work together to create a unified cybersecurity defense. Instead of operating in silos, this model promotes standardized practices and a collective response to cyber threats across the state. This provides a more equitable structure to ensure every school and district gets the same level of centralized security guidance and incident response.  

Additionally, states can drive cohesive cyber defense efforts on the regional level by reallocating funds to regional service centers. For example, Texas has 20 Education Service Centers and New York has 12 Regional Information Centers that provide IT services like infrastructure hosting and technical support. That model can and should also be applied to also providing shared cybersecurity services, like security monitoring, vulnerability testing, and incident response to school districts across different regions. These centers can more equitably provide funds and services to schools that do not have their own IT and cybersecurity staff, but funding currently only supports basic IT services. It’s important that people advocate for a reexamination and reallocation of funds to these centers to ensure proper protection. 

Shorter Term: How Can Schools Take Action? 

Although it’s imperative that states take action, this is a long-term challenge that will inevitably take time. In the short term, school boards must take it upon themselves to also act. This can generally be done through two avenues: education/training and technology. 

With AI, threat actors are rapidly scaling operations with much greater sophistication, making phishing scams infinitely harder to detect. Cybersecurity training can help, but the reality is that, especially this time of year, teachers are already overwhelmed with new students and developing new lesson plans. Giving them another “training session” won’t resonate.  

One way to shake up these trainings is to ditch the punitive approach, where training is assessed on a pass/fail basis. Instead, take a gamified, rewards-based approach where teachers and staff are incentivized to devote additional attention to cyber preparedness. This type of approach can foster a more positive culture around security and strengthens cyber preparedness at the ground level. 

Outside of training, it’s also important to arm staff with tools that can help them do more with less. While resources are constrained, the criticality of protecting our schools’ systems is high enough to warrant advocating to school boards for funds to be reallocated towards technology implementation. Automated threat detection and remediation technology can help schools protect systems from low-level threats so that limited IT teams or regional service centers can focus on protecting against the more sophisticated threats that often slip through the cracks. 

Advocacy Is Needed 

Given the benefits of a state-driven cybersecurity model for schools, communities should advocate to school board members and district officials to reallocate funds for these efforts. It’s on the entire ecosystem, from parents to decision makers, to drive awareness around the shortcomings in their communities and advocate for solutions. While short term solutions exist, real impact is not possible without long-term change and it’s time we fight for that change.