Jennifer McLogan reports:
Cyberattacks against school systems are becoming more damaging and aggressive with threats of extortion, unless ransom is paid.
It’s costing taxpayers big bucks to repair school technology.
Now help is on the way from the federal government.
Read more at CBS.
See more at NY State Senator Anna Kaplan’s website, where Frank Rizzo reports, in part:
Published sources indicate that New York State will get about $28 million of that total for cybersecurity, part of the $1.2 trillion bipartisan infrastructure bill. Districts can apply for aid once the details are released. The money will help districts affected by a cyberattack to recover, while also preventing future attacks by providing the funds necessary to implement software and other protective measures.
Hopefully they will have some actual strings on the funds so that districts are required to implement better proactive security to qualify for recovery aid if they are attacked. Media coverage portraying districts as victims often fails to reveal how sloppy some districts have been about storing unencrypted personal and sensitive data that is decades old — and then complaining that criminals dumped it on the dark web.
In the 1970s, the federal government offered school districts federal support/funding that would flow through the state education agencies. The “string” that was put on the funding was that the district would have to adopt and comply with Section 504 of the Rehabilitation Act of 1973. Most schools did.
DataBreaches.net is recommending a similar approach — that districts can qualify for federal funding for cybersecurity assistance and recovery assistance, but only if they comply with certain security standards to be set by the government. And as part of it all, all school districts that experience a data breach involving personal information of employees or students should be required to report the breach to the U.S. Department of Education. A reporting portal for districts, similar to what states and HHS use for receiving reports, can be established so that there is greater transparency about the extent of breaches in the education sector.
Don’t hold your breath, Dissent… These are ‘optimistic’ reports of how the State and Local Cybersecurity Improvement Act actually will work.
The money will be doled out over 4 years (not at one time) and states must contribute an escalating match (10-40%, goes up 10% a year). States can reserve 20%; 80% of funds are then made available to ALL local govt agencies – depending on a to-be-written state plan. As such, school districts will be competing with other local gov’t agencies for support. Eligible expenditures not yet determined. Some expect states to opt out of the federal support in later years of the program due to the matching requirement.
That’s why I suggested an approach similar to what was used with Section 504. The approach you describe above will not work — and we both understand that. New York is in a somewhat different situation than most other states because there is the intermediate tier — BOCES — which handles a lot of functions for its constituent districts. Those districts pay BOCES a fee each year, but then also additional monies depending on what services BOCES may provide in the way of special education services, etc. If BOCES actually takes over server security or monitoring of a single contractor who provides services for districts, things might improve. But someone has got to get districts to stop storing so much data so haphazardly. There are districts that use third-party vendors to create and store IEPs and all, and that’s fine, if they are properly secured, but then you have employees leaving their computers on and logged in, etc., or there’s an unencrypted list on some admin’s desktop with everyone’s username and password. 🙁