FCC seeks to secure school broadband networks

The FCC released a public notice on Monday pitching a pilot program in order to examine cybersecurity solutions to protect school and library broadband networks from attacks.

Dubbed the Schools and Libraries Cybersecurity Pilot Program, it is being described as a $200 million, three-year program to be funded through the Universal Service Fund (USF). According to a public notice, the program would enable the USF to provide funding to approved schools and libraries to cover "qualifying costs" for cybersecurity and advanced firewall services "needed to protect their E-Rate-funded broadband networks and data from the growing number of K-12 school- and library-focused cyber events."

Overall, the FCC cited three goals for the pilot program: "(1) improving the security and protection of E-Rate-funded broadband networks and data; (2) measuring the costs associated with cybersecurity and advanced firewall services, and the amount of funding needed to adequately meet the demand for these services if extended to all E-Rate participants; and (3) evaluating how to leverage other federal K-12 cybersecurity tools and resources to help schools and libraries effectively address their cybersecurity needs."

In a press release, FCC Chairwoman Jessica Rosenworcel called the pilot "an important pathway for hardening our defenses against sophisticated cyberattacks on schools."

Related:What's the Story? FCC grants E-Rate funds for Wi-Fi on school buses

She added: "Ultimately, we want to learn from this effort, identify how to get the balance right, and provide our federal, state, and local government partners with actionable data about the most effective and coordinated way to address this growing problem."

In addition to the requested $200 million to be administered through USF, the FCC said it expects to leverage "free and low-cost K-12 cybersecurity resources provided by our federal partners" in the Department of Homeland Security and Department of Education.

If implemented, the FCC said the program would enable K-12 schools and libraries to apply to participate in the pilot and – if selected – apply for funding for their eligible services.

Notably, the FCC said it is proposing to limit pilot eligibility to "network-based" equipment and network-based and/or "locally installed" services, and to exclude end-user devices. 

"To be eligible for the Pilot, we further propose that the equipment or services be designed to identify and/or remediate threats that could otherwise directly impair or disrupt a school's or library's network, including to threats from users accessing the network remotely," added the FCC.

E-Rate stakeholder cybersecurity

The proposed pilot program would help secure networks funded by the existing E-Rate program, also supported through the USF at roughly $3 billion per year, through which the FCC approves funding for school and library broadband services. According to 2022 data, the E-Rate program funded more than $230 million in requests for broadband and data services that included basic firewall services, and over $16 million for standalone basic firewall services.

While basic firewall services are covered by E-Rate, the FCC is now seeking to also cover "advanced" firewall services via its proposed pilot. The Commission has previously declined requests from E-Rate participants to make advanced firewall services eligible due to limited available funds.

According to a cost estimate cited in the public notice, adding advanced firewall and other network security services to E-Rate could grow the program's annual budget by an estimated $2.389 billion. The FCC is seeking further input on a dollar amount in its notice of inquiry.

Notably, the notice also seeks to define what an "advanced" firewall is, and/or if the pilot should just apply eligibility to firewalls in general. The FCC previously sought input on a definition of advanced firewalls through a public inquiry last year, but cited a "lack of consensus around the scope of these terms."

Warnings from CISA

The FCC's move to initiate a pilot program comes after a report was published by the Cybersecurity and Infrastructure Security Agency (CISA) earlier this year outlining threats to school and library broadband networks, in which CISA said that "cyber actors are targeting K–12 education organizations across the country, with potentially catastrophic impacts."

The report offered recommendations for addressing cybersecurity risks, including investing in "the most impactful security measures," leveraging free and low-cost services, and "requiring technology providers to enable strong security controls at no additional charge."

The CISA advised: "K-12 entities should begin with a small number of prioritized investments: deploying multi-factor authentication (MFA), mitigating known exploited vulnerabilities, implementing and testing backups, regularly exercising an incident response plan, and implementing a strong cybersecurity training program."

According to the FCC, school broadband networks are expected to "continue to be prime targets for malicious actors, primarily because they are data-rich environments that tend to lag behind in terms of their available resources and cybersecurity program maturity."

Comments on the Commission's notice of public inquiry are due within 30 days.