Scan your favorite news sources and you will see frequently repeated words such as “breach,” “compromise,” “exposure,” “identity theft” and “hacker.” Headlines routinely highlight the impact (or potential impact) to critical infrastructure, economic prosperity, financial markets, etc. Since the EU General Data Protection Regulation (GDPR) took effect, failures to protect data have resulted in some sizeable financial penalties, but when allocating the penalty to each individual compromised, the penalties are extremely small. Credit monitoring is the common remedy for data breaches. This remedy may be acceptable for an entity’s first breach, but certainly not for subsequent ones. And this remedy does not address public confidence in utilities, banking services, medical records or financial investments.
Fear is a great motivator and sparks action resulting in large security investments. Estimates vary by source, but a conservative estimate for global cybersecurity spending in 2019 will exceed US$100B.1 As I considered the magnitude of this value, I sought to compare it to the world population. Again, this value varies, but at the time of this writing, the global population was estimated at 7,510,138,326 and incrementing by 2-3 every second. Wow! Using these values, global security spending per person is just over US$13. By year end, this value will drop below US$12. So, although the aggregate number is quite large, per person spending is nominal for the number of personal data records available on each of us.2 Perspective and context matter.
In the United States, October is National Cybersecurity Awareness Month (NCSAM), aimed at raising awareness about its importance. NCSAM 2019 emphasizes personal accountability and stresses the importance of cybersecurity at home and in the workplace. This year’s overarching message, Own IT. Secure IT. Protect IT., focuses on key areas including citizen privacy, consumer devices and ecommerce security.3 It is a fact that the US calendar is saturated with countless awareness days, weeks and months.4 Awareness is synonymous with consciousness, recognition and understanding—none of which is a call to action. Despite being well intentioned, it is insufficient to combat many problems and issues.
Cybersecurity is a widely recognized threat to national security, but it has also become a public safety issue. Consumer devices are often not designed with security or privacy in mind and, sadly, US laws are lagging or nonexistent. Where laws do exist, they are routinely sidestepped and, even if someone is found guilty or negligent, the penalties are minimal.
GuardChild5 researched and compiled statistics that paint a disturbing threat landscape for youth. What will this do for the long-term health and safety of tomorrow’s leaders? Consider that 21% of kindergarten to second grade (K-2) kids (ages 4-7) in the United States have access to cell phones,6 yet only 1/3 of households with Internet access are protecting their children with filtering or blocking software.7 To paraphrase my long-time friend Chase Cunningham, Ph.D.,8 we require age of consent and drivers licenses to drive, yet routinely give kids keys to a Lamborghini without instruction.
Public education continues to employ technology in classrooms with varying degrees of success. But a one-size-fits-all mentality requiring access to digital courseware both in and out of classrooms disrupts learning and family time. Such is the case in rural areas. Living in the rural United States opened my eyes to challenges facing many US citizens, let alone countless others across the globe. It provides an often-overlooked perspective and context to the magnitude of the challenges before us.
To me, US kindergarten to 12th grade (K-12) school districts most closely resemble small businesses with inadequate technology budgets, skeleton IT staffs, and a strong propensity to restrict spending on generating activities or, in the case of K-12, stated missions. It is worth noting that states that offer school choice programs create a competitive market. In turn, US school districts must establish a competitive edge and market themselves to attract and retain students to maximize the money received by their respective states. The problem is the K-12 ecosystem is a soft target gaining much unwanted attention of late. K-12 cyberincidents are steadily increasing, yet only a few make national headlines. In July 2019, the state of Louisiana declared a month-long state of emergency due to ransomware attacks on 3 school districts.9, 10 In Alabama, a school district delayed the start of its school year due to another ransomware attack.11 In Arizona, a ransomware attack closed 15 schools for 2 days.12 The K-12 Cybersecurity Resource Center provides fantastic situational awareness of the K-12 situation in the United States.
It has become common practice for US states to waive missed school days attributed to state of emergency declarations.13, 14 Up to this point, waivers were attributed to weather events. With little reason to believe cyberincidents will decrease or even plateau, what are the lasting implications on individual learners, regions and the nation if this practice extends to cyber incidents?
Survival in the information age requires digital literacy, security consciousness and strict protection of personal data, which is a struggle given how data are monetized in the United States. I am appalled that the US Children's Online Privacy Protection Act (COPPA) was written to only protect children age 12 and younger. I was momentarily excited to hear the US Federal Trade Commission (FTC) sought input on the need to update COPPA. That is, until the bill’s original author introduced legislation that only extends protections to up to age 15. The age of majority in the United State is 18. Some might argue that in the United States, individuals can drive at age 16; however, driving is a privilege not a right. Parental rights are universally understood to extend to age 18 unless emancipated. The closest US law on the books is the US Family Educational Rights and Privacy Act (FERPA), which affords certain parental rights to include requiring written consent prior to disclosing personally identifiable information (PII) of their children up to age 18 unless emancipated or attending schooling beyond high school. Throughout US history, public education strategy changed to address various challenges. Despite some legislative glimmers of hope across the United States, the system is largely broken.
With regard to infrastructure, the United States has a framework to build upon, which simply requires legislative cooperation and competent persons to adapt it for K-12. The Framework for Improving Critical Infrastructure Cybersecurity,15 authorized by EO 1363616 and further ratified by the US Cybersecurity Enhancement Act of 2014,17 coupled with US Presidential Policy Directive 2118 provides a solid foundation to build upon. I view the following as critical pieces for success:
- Designate K-12 as a critical infrastructure sector. It is currently buried under Government Facilities and given the number of high-profile US government agencies and buildings, K-12 will never get the attention and resources required.
- Establish a dedicated US federal funding line that can only be used for K-12 cybersecurity (practitioners and technology). General funds do not work. The funding line must be auditable.
- Appoint a state K-12 chief information security officer (CISO). Positioning matters, so the person should report to the respective US state governor.
- In all US states, implement a resource similar to the state of Michigan Cyber Civilian Corps (MiC3),19 which is a civilian cyber national guard that provides mutual aid to all levels of government, education and businesses in the state.
Awareness campaigns serve a purpose, but they will not mitigate all the vulnerabilities in the US K-12 system. Those outside the information security industry believe cyberinsurance is a panacea. They must be educated on its limitations. Further, cybersecurity is a public safety issue that requires we not only revisit what we teach, but how we teach. In my experience, the purists among public educators despise any mention of public-private partnerships and are quick to dismiss any workforce development influence in K-12. While I understand their concerns, what we have today is not working. In their 2018 Cost of a Data Breach Report, IBM reported 27% of data breaches are attributed to human error.20 We can no longer delay teaching and modeling good digital behavior until students are through the K-12 educational system. How many children can we save from cybercrimes? How many situations can be avoided by teaching digital ethics? How many breaches can be prevented? I fully expect any change in strategy, let alone curriculum changes, to be contentious. It should not be, but education has unnecessarily been politicized in the United States.
Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP
Is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA departments as a subject matter expert on information security projects and leads volunteer and paid author management teams whenever external resources as necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.
Endnotes
1 Dignan, L.; “Global Security Spending to Top $103 Billion in 2019, Says IDC,” ZDNet, 20 March 2019.
2 This basic assessment assumes equal spending across all regions. In reality, of course, industrial nations spend more on security per person than those in emerging markets.
3 US Department of Homeland Security, National Cybersecurity Awareness Month, USA
4 Cassada Lohmann, R., “Making a Difference in 2019: An Awareness Calendar,” Psychology Today, 8 January 2019
5 GuardChild, Internet Statistics
6 Ibid.
7 Ibid.
8 Chase Cunningham, Ph.D., is a principal analyst at Forrester, and cofounder and chief technical officer at CynjaTech, which authored The Cynja cyber comic book.
9 Matthews, L.; “Louisiana Governor Declares State of Emergency After Ransomware Hits School Systems,” Forbes, 26 July 2019
10 Ropek, L.; “How Louisiana Responded to Its Recent Ransomware Attacks,” Government Technology, 20 September 2019
11 Cyware, “Houston County Schools Hit With Ransomware Attack,” 29 July 2019
12 Kass, D. H.; “Arizona Schools Ransomware Attack: Recovery Update,” MSSP Alert, 9 September 2019
13 Office of the Superintendent of Public Instruction, Schools Can Apply to Waive Missed Days During State of Emergency for Storm, Medium, 12 February 2019
14 Caramody, S.; The Associated Press, “Governor Signs Bill Forgiving School Districts for Snow Days During State of Emergency,” Michigan Radio, 10 May 2019
15 National Institute of Standards and Technology, Cybersecurity Framework, USA, 2018
16 113th Congress of the United States, Cybersecurity Enhancement Act of 2014, General Publishing Office, USA, 2014
17 Ibid.
18 The White House, Presidential Policy Directive--Critical Infrastructure Security and Resilience, Office of the Press Secretary, USA, 2013
19 Michigan.gov, Michigan Cyber Civilian Corps
20 IBM and Ponemon Institute, 2018 Cost of a Data Breach Study, USA, 2018