An excerpt from COSN’s K12 Cybersecurity cost report, released in September, argues that E-rate funds should not only make the Internet accessible to all students, but also make it safe.
Since the E-Rate program was created as part of the Telecommunications Act of 1996, it has helped ensure that eligible schools and libraries have affordable access to the Internet. The 2014 E-Rate modernization orders (July & December 2014) continued this commitment.
However, network access and Internet connectivity are no longer enough. While E-Rate funds help level the playing field by defraying school system costs for Internet access and network infrastructure, the very nature of the Internet has changed since the program’s inception.
The Internet is now an essential communications and data transmission conduit for education, government, business, and personal activity. It is also host to a wide range of nefarious hackers, identity thieves, and criminal and nation-state sponsored organizations utilizing networks to steal data, disrupt network activities, and destroy data systems.
The risks to school systems are only increasing as the number of data breaches and cyberattacks increases every year. According to USA Today, billions of people were affected by data breaches and cyberattacks in 2018 — 765 million in the months of April, May and June alone. In addition to data theft, ransomware attacks continue to pose a very real threat to school systems. This was recently demonstrated by the rash of ransomware attacks in Louisiana school systems in July 2019, which caused Louisiana Governor Edwards to declare a state of emergency. Louisiana’s experience is not an isolated incident; in 2018 there were over 204 million ransomware attacks worldwide.
While E-Rate should not be expected to cover all aspects of school cybersecurity, several simple changes to the E-Rate program would have a very profound impact on the ability of school systems to protect and defend their networks and systems from cyberattacks.
1. Expanding the range of firewall services that can be reimbursed through E-Rate would significantly increase perimeter and data transit security for school system networks and Internet access. This would include expanding the definition of covered firewall equipment and services in Category 2 beyond the current basic firewall functionality of ingress/egress traffic management to encompass advanced protections such as intrusion detection/prevention systems (IDS/IPS), advanced threat protection (ATP), anti-virus/anti-malware filtering, SSL encryption, encrypted traffic inspection, data loss prevention (DLP), and spam filtering. These are examples of additional functionality available on next generation firewalls that are not currently funded by E-Rate.
2. Expanding E-Rate to cover advanced security services provided by a school system’s Internet Service Provider, including DDoS mitigation and the same advanced firewall features recommended to be added under Category 1, would both enhance school system cybersecurity and remove the burden of finding staffing to support these systems. Currently, E-Rate will discount basic ingress/egress firewalls provided by the Internet Service Provider, if that is part of the ISP’s basic service package. However, this is limited to the most basic of firewall functionality. Expanding the definition of covered firewall services that an ISP could provide would allow school systems to contract with their ISP for advanced firewall features to protect their networks, and have the ISP be responsible for operating and managing these systems, reducing the burden on school systems to find positions and qualified staff to do this work in house. Many school systems use the same ISP; being able to purchase advanced firewall functionality through the ISP could be more cost-effective and leverage economies of scale, driving down the price as more school systems purchase additional cybersecurity services. E-Rate does not currently offer discounts for distributed denial of service (DDoS) mitigation services that help school systems maintain connectivity and availability when faced with a DDoS attack. Where school systems have been able to find funding for DDoS mitigation provided by their ISP, this has been an effective method to mitigate the impact of DDoS attacks on teaching and learning and deter future attacks. Those districts have found the rates of attempted DDoS attacks decrease once attackers discover DDoS mitigation has rendered this attack vector ineffective.
3. Clarifying or updating the definition of “basic firewall” to align with technology industry standards would enable school systems to align their cybersecurity defenses with recognized industry standards and provide improved protection of their networks. E-Rate currently funds “basic firewall” services in both Category 1 and Category 2, and “basic” has been interpreted to be limited to ingress/egress traffic management. As noted earlier, this leaves school systems with inadequate firewall defenses. This definition of “basic firewall” no longer aligns with technology industry standards.
A “standard” firewall across the technology industry is typically a next generation firewall (NGFW) or unified threat management (UTM) appliance or service that offers, but is not limited to, the following protections:
■ Advanced threat protection (ATP)
■ Anti-virus & anti-malware protection
■ Data loss prevention (DLP)
■ DDoS mitigation
■ Intrusion detection/protection (IDS/IPS)
■ SSL inspection
■ Virtual private network (VPN)
■ Web filtering
As new cybersecurity defense technologies become available, the definition of discounted firewall services should expand to encompass current protections.
4. Making managed security services and/or security operations center (SOC) services for the purposes of monitoring and responding to cybersecurity attacks and incursions eligible for E-Rate funding would significantly improve the ability of school systems to monitor and defend their networks. Managed security services and SOCs leverage economies of scale to monitor and respond to security incidents across multiple organizations’ networks. The ability to fund participation in these services through E-Rate would expand school system access to cybersecurity tools and trained resources, removing staffing and technology funding challenges from the cybersecurity equation.
5. Adding web content filtering to the list of discounted services would remove a significant financial burden from school systems. The implementation of web content filtering is required for participation in the E-Rate program but is not a covered expense. The FCC’s 2014 E-rate Modernization Order reiterates, citing to the 2001 Children’s Internet Protection Act Order, the agency’s position that the Children’s Internet Protection Act prohibits the use of Universal Service Fund resources for filtering. We believe Congress’s intent was for that prohibition to apply to other appropriated funding, and not E-rate funds, and we urge the FCC to work with Congress to address this issue.
The E-Rate program has the opportunity to significantly improve the cybersecurity stance of currently funded networks and Internet access. An E-Rate program that does not address the lack of adequate funding for school cybersecurity equipment, services and personnel is putting schools and their communities at risk. The recommendations above do not include expansion of E-Rate funding to include user and end point protection technologies such as anti-virus/anti-malware endpoint protection, multi-factor authentication, mobile device management, and identity and access management. Those technologies are targeted toward end user devices and access, and as such, are less directly correlated to E-Rate’s goal of providing network and Internet connectivity and access to schools. The recommended changes focus on providing responsible and secure network and Internet connectivity and access to schools.
For the full report, go to: tinyurl.com/y5tg7xa2