WASHINGTON, DC: The PACE Forum, a first-of-its-kind convening held on October 8, 2024, brought together dozens of cybersecurity experts, education technology (edtech) vendors, procurement leaders, and other stakeholders to explore approaches to improve the cybersecurity of critical software used in America’s K-12 schools.
The event was organized by CLTC and the U.S. Department of Education (ED) as part of the Partnership for Advancing Cybersecurity in Education (PACE), an initiative to improve the digital defenses of U.S. school districts by fostering collaboration between education technology vendors and cybersecurity experts.
“We are excited to host the PACE Forum with our partners at the U.S. Department of Education,” said Sarah Powazek, Program Director for the Public Interest Cybersecurity Program at UC Berkeley. “These conversations are helping to chart a path forward to improve the security of America’s K-12 schools and safeguard the data of millions of students and educators.”
The day kicked off with keynote addresses by U.S. Deputy Secretary of Education Cindy Marten and Deputy National Cyber Director Harry Wingo, who highlighted the importance of vendors’ role in K-12 cybersecurity.
The morning sessions focused on strengthening the security of edtech products and helping K-12 schools defend against ransomware and other online attacks. A panel entitled “EdTech from the School Perspective” featured a group of technology leaders from the district, regional, and state levels discussing the unique challenges they face in securely using and maintaining edtech products.
The afternoon sessions included presentations by cybersecurity experts on how education technology developers can improve the security of their products. One panel focused on overcoming barriers to implementing multi-factor authentication, while a presentation by Intel showed how to launch a vulnerability disclosure and bug bounty program, through which software makers reward hackers who identify vulnerabilities in their products.
A key goal of the event was to encourage edtech vendors to implement “secure-by-design” and “secure-by-default” products, with the goal of reducing the burden on already overburdened school officials.
EdTech tools are fundamental to managing day-to-day school operations, including maintaining personally identifiable information, education records, confidential student health records, contact information, financial data, and disciplinary records. While essential for schools’ operations, edtech tools are not always designed with cybersecurity considerations in mind, and are notoriously susceptible to cyberattacks. For example, 55 percent of K-12 school data breaches between 2016 and 2021 have been the result of compromised vendors.
Key Takeaways
Throughout the roundtables, several key takeaways emerged:
- Multi-factor Authentication (MFA) for privileged accounts is a top lever for improving school cybersecurity, but faces serious hurdles. Many vendors recognized the importance of MFA in preventing account takeover and discussed ways to encourage or require MFA on privileged accounts. While Vendors who require MFA for privileged accounts acknowledged an initial challenge in the transition, they highlighted that the change was effective in addressing some cyber attacks, and recommended best practices for other vendors looking to transition.
- Vendors are serious about shifting the burden away from schools. Vendors discussed different approaches to helping schools with cybersecurity by implementing secure by design products, including by encouraging and requiring Multi-Factor Authentication (MFA), using memory safe programming languages, and alerting customers of suspicious activity on their accounts.
- Challenges remain to implement some secure-by-design changes. Many vendors highlighted pushback from K-12 customers when requiring security features like MFA for accounts, and noted some technical hurdles to integrating MFA and single-sign-on (SSO) with legacy administrative software. In addition, some vendors reported that less secure forms of MFA such as email or SMS-based messages are sometimes seen as the most viable options in the K-12 context.
CLTC sees the PACE Forum as the first step in convening a community of practice around cybersecurity in edtech. The PACE initiative sets out to mobilize edtech companies to enhance the cybersecurity of their products through active engagement and collaboration with the cybersecurity community. The initiative is aligned with the 2023 National Cybersecurity Strategy, which calls on the “most capable and best-positioned actors” to “rebalance the responsibility to defend cyberspace to better shield under-resourced organizations from cyber threats.”
