Texas SB 820 Advances K-12 Cybersecurity Despite Limitations

Image

Like many organizations, K-12 schools adapted to COVID-19 by accelerating their digital transformation journeys. And like everyone else who followed this path, they invited unwanted attention from digital criminals in the process.

In December 2020, for instance, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a joint alert with the FBI and MS-ISAC warning of malicious actors targeting school computer systems to disrupt distance learning with digital threats such as ransomware. More than half (57%) of ransomware attacks reported to MS-ISAC in August and September 2020 involved K-12 schools, as noted by CISA. By comparison, just 28% of reported ransomware incidents from January through July targeted schools.

Those ransomware attacks didn’t just disrupt access to schools’ computer systems. Threat actors also sometimes used their malware payloads to steal confidential student data. Per Yahoo Finance, nine percent of parents said that their school had suffered a ransomware infection while their child was a student there. Of those respondents, 61% indicated that malicious actors had compromised their child’s data during the infection.

It's therefore no surprise that some school districts have reported a dramatic increase in their cyber insurance premiums. Bleeping Computer reported that one school district in Illinois saw its policy renewal costs jump from $6,661 in 2021 to $22,229 a year later. This reflects the growing number and severity of threats confronting K-12 schools (as well as other organizations in general) along with the elevated potential for costly disruptions.

Government Steps in to Help

In response to the trends discussed above, governmental agencies at all levels have taken action to help schools to strengthen their cybersecurity measures. At the federal level, for instance, U.S. President Joe Biden signed the K-12 Cybersecurity Act to help schools across the country better protect sensitive information. Simultaneously, there have been a variety of efforts at the individual State level. Let’s examine one initiative in particular: Texas’ Senate Bill (SB) 820.

Overview of Texas SB 820

SB 820 requires each school district in Texas to adopt a cybersecurity policy that helps them to defend their computer systems against security incidents and to evaluate their cybersecurity risks for the purpose of mitigation planning. The policy must also not conflict with other information security standards adopted by the State’s Department of Information Resources (DIR). Those standards include the Texas Cybersecurity Framework (TCF). Modeled off the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), TCF uses self-assessments to help organizations measure their security maturity across 42 control objectives that apply to one of the five following security functions: Identify, Protect, Detect, Respond, and Recover.

Once they have a cybersecurity policy in place, the superintendent of each Texas school district needs to appoint a cybersecurity coordinator who shall serve as a liaison between the school district and Texas agencies. In this role, the cybersecurity coordinator will be responsible for reporting security incidents to the State government as soon as they can following discovery. The cybersecurity coordinator will also be charged with notifying parents and guardians of instances where malicious actors compromise their students’ information and explaining what school officials are doing to protect that data going forward.

On May 22, 2019, the Texas State House of Representatives passed SB 820 with amendments. The body went on to say that the Act would take effect on September 1, 2019.

Analysis

In its form outlined above, Texas SB 820 is a step in the right direction. But there are two potential drawbacks that are worth pointing out. First, it could be challenging to perform (and track) the self-assessment for large school districts because each school or each department might have different maturity levels in each of the 40 requirements. That doesn’t even account for the bias that sometimes comes with self-assessments.

Second, in complying with the TCF, SB 820 requires school districts to rely on self-assessments along with a single maturity rating based on their overall percentage per each of the 40+ requirements. This design might cause cybersecurity teams to miss glaring holes. Cybersecurity is not about “overall percentages,” after all. It’s about the weakest links. Attackers will find an organization’s most vulnerable and softest spots, and they’ll enter from there. It doesn’t matter if 90% of an organization has achieved maturity Level 5 of the third requirement, “Critical Information Asset Inventory,” for instance. If they can’t identify and inventory 10% of their organization’s networks, then that is a major issue.

Part of a Larger Trend?

It’s possible that smaller government entities taking portions of the NIST CSF will become a trend going forward. Acknowledging this possibility, organizations need to get more strategic about their security programs by focusing on NIST CSF and other well-known cybersecurity standards. That’s where Tripwire comes in. Tripwire has thousands of pre-written policies for compliance testing to NIST CSF, the CIS Controls, NERC-CIP, and others. Its platform makes it easy for customers to pick and choose from multiple cybersecurity policies to create their own. With reference to SB 820 specifically, Tripwire can build a Texas Cybersecurity Framework policy to help a school district automatically track and record its security controls rather than rely on self-assessments. This would help them create different zones or departments and record the maturity ratings individually to build tailor-made roadmaps and identify their weakest links.

Learn more about how Tripwire can help you to comply with the Texas Cybersecurity Framework.