As students, educators, and families are preparing to go back to school, San Diego County Office of Education (SDCOE) Chief Information Officer Terry Loftus was at the White House this week to speak at the Back to School Safely: Cybersecurity Summit for K-12 Schools.
Loftus joined U.S. Secretary of Education Miguel Cardona, Secretary of Homeland Security Alejandro Mayorkas, First Lady Jill Biden, and school administrators, educators, and representatives of private sector companies to discuss best practices and resources available to strengthen schools’ cybersecurity, protect students and schools, and prevent cyberattacks from disrupting classrooms.
“We know that our nation’s K-12 system makes high-quality education accessible to all and is an institution that is key to the future prosperity of United States,” said Loftus. “Unfortunately, our K-12 sector is deeply under-resourced and outmatched when it comes to evolving and increasing cybersecurity threats. A ‘better together’ strategy is critical moving forward. K-12 school districts, charter schools, county offices, and state-level agencies must continue to innovate and evolve best practices while concurrently building more robust and purposeful partnerships between K-12 entities, the U.S. Department of Education (USDOE) and other state and federal partners.”
Loftus is respected as an expert in K-12 cybersecurity. In 2021, he received the California State Information Security Leader of The Year Award, which recognizes an individual who demonstrates outstanding influence across organizational boundaries by developing future IT leaders and creating strategies to promote information sharing and collaboration within their own organization or among government organizations.
Under Loftus’s leadership, SDCOE has been a leader not only locally, but also across the state and nation for fortifying cybersecurity resilience in the K-12 education community. SDCOE was the first county office of education in the state to fully implement multi-factor authentication, which acts as an additional layer of security to prevent unauthorized users from accessing these accounts, even when the password has been stolen. SDCOE is also the creator of the Red Herring phishing awareness, training, and testing platform that enables schools, districts, and county offices of education to simulate phishing attacks and help train staff members to better identify suspicious emails and other security threats.
The United States has experienced an increase in cyberattacks targeting the nation’s schools in recent years. Not only have these attacks disrupted school operations, but they also have impacted students, their families, teachers, and administrators. Across the country, sensitive personal student and employee information – including student grades, medical records, documented home issues, behavioral information, and financial information – has been stolen and publicly disclosed. Additionally, sensitive information about school security systems was leaked online as a result of these attacks.
“Let’s face it: in today’s digital age, our students and their teachers will increasingly use technology in the classroom. Schools have access to more devices and connectivity than ever before, and this technology in education has incredible potential to help students better connect with their learning and achieve, and teachers better engage with their students,” said Cardona. “But to make the most of these benefits, we must effectively manage the risks. Just as we expect everyone in a school system to plan and prepare for physical risks, we must now also ensure everyone helps plan and prepare for digital risks in our schools and classrooms. The Department of Education has listened to the field about the importance of K-12 cybersecurity, and today we are coming together to recognize this and indicate our next steps.”
At the summit, leaders announced several additional actions and resources to strengthen the cybersecurity of the nation’s K-12 school systems, including:
- The USDOE will establish a Government Coordinating Council (GCC) that will coordinate activities, policy, and communications between, and amongst, federal, state, local, tribal, and territorial education leaders to strengthen the cyber defenses and resilience of K-12 schools. By facilitating formal, ongoing collaboration between all levels of government and the education sector, the GCC will be a key first step in the department’s strategy to protect schools and districts from cybersecurity threats and for supporting districts in preparing for, responding to, and recovering from cybersecurity attacks.
- The USDOE and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released K-12 Digital Infrastructure Brief: Defensible & Resilient, the second in a series of guidance documents to assist educational leaders in building and sustaining core digital infrastructure for learning. Additional briefs released by the USDOE include Adequate and Future-Proof and Privacy-Enhancing, Interoperable and Useful.
- CISA is committing to providing tailored assessments, facilitating exercises, and delivering cybersecurity training for 300 new K-12 entities over the coming school year. CISA plans to conduct 12 K-12 cyber exercises this year, averaging one per month, and is currently soliciting exercise requests from government and critical infrastructure partners, including the K-12 community.
- The Federal Bureau of Investigation and the National Guard Bureau are releasing updated resource guides to ensure state government and education officials know how to report cybersecurity incidents and can leverage the federal government’s cyber defense capabilities.
View Loftus’s portion of the summit here. Watch the full event here.