Fixing the K-12 cybersecurity problem

CISA’s Secure by Design pledge commits manufacturers to improving K-12 cybersecurity

In early September, the Cybersecurity and Infrastructure Security Agency (CISA) announced a voluntary pledge for K-12 education technology software manufacturers to commit to designing products with a greater focus on security. In the announcement, CISA mentioned that six leaders in the education software industry had already committed to the pledge: PowerSchool, ClassLink, Clever, GG4L, Instructure, and D2L.

“We need to address K-12 cybersecurity issues at its foundation by ensuring schools and administrators have access to technology and software that is safe and secure right out of the box,” said CISA director Jen Easterly. “I want to thank ClassLink, Clever, D2L, GG4L, Instructure, and PowerSchool, who have already signed this pledge and for their leadership in this area. We need all K-12 software manufacturers to help us improve cybersecurity for the education sector by committing to prioritize security as a critical element of product development.”

CISA’s principles for K-12 cybersecurity

This action brings a spotlight to the ongoing issue of K-12 cybersecurity. CISA’s goal is to persuade more K-12 software and hardware manufacturers to commit to its pledge. Signing the pledge demonstrates that the manufacturer is committing to three principles:

  • Taking ownership of customer security outcomes: Includes offering Single Sign-On (SSO) and security audit logs at no extra charge
  • Embracing radical transparency and accountability: Includes publishing a secure by design roadmap, a vulnerability disclosure policy and security-relevant statistics and trends
  • Leading from the top by making secure technology a key priority for company leadership: Includes naming a C-level leader at the company who is charged with overseeing security

Secure by design explained

What does secure by design mean? In typical software design and manufacturing, the focus is on the product’s reason for being. For example, the developers of reading improvement software are focused on building a product that delivers measurable improvements to student reading speed and comprehension. The security of the software and its user data is an afterthought. Any security considerations are made late in the development process or bolted on afterward.

In contrast, a secure by design approach means that developers bake security into the design of the product from the beginning. This has proven to be a much more effective approach to protecting software than trying to patch security holes after the fact. Secure by design was popularized by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018. Today, this is a more common approach to software design, but it is relatively new to K-12 education.

Ongoing K-12 cybersecurity threats

While the K-12 education industry strives for improved protection in its schools, fresh examples of security holes continue to appear on a regular basis. Most recently, Prince George’s County Public Schools was the victim of a ransomware attack on August 14 that impacted about 4,500 user accounts, mostly staff, according to the district. Cybersecurity breaches such as this can have a detrimental impact on K-12 schools, threatening both reputation and financial well-being.

Unfortunately, successful ransomware attacks can hinge on exploiting a single vulnerability hidden among the dozens of software applications running in most school districts. By following CISA’s guidance and committing to a secure by design approach to software development, developers can further reduce potential vulnerabilities and keep staff and student data more secure.

eSchool Media Contributors