Nick Leiserson and Michael Klein: Urgent Changes Needed to Update the E-Rate Program

Schools are under siege from cyber criminals. Each week, an average of five schools combats a cyber intrusion. Ransomware has shut down schools across the country — including Uvalde schools in Texas in September — and one technology vendor’s data breach in December 2024 affected more than 60 million students across thousands of school districts. What’s more, the criminals carrying out these hacks hail from all over the globe. That’s right, the Russian mob might be targeting your child’s school. But it doesn’t have to be this way. 

Thankfully, there’s a simple step that Congress and the FCC can take to protect schools in every community with an emphasis on the neediest school districts under the “cyber poverty line.” The Federal Communications Commission’s E-Rate Program already successfully ensures schools have the connectivity they need to facilitate student learning.

However, the program also has a glaring weakness. It supports only the most outdated, meager cybersecurity investments, exposing our students to sophisticated cyber criminals. It’s time for policymakers to realize that Internet access and cybersecurity must go hand in hand. Without a new approach, we risk further exposing students’ sensitive information and depriving them of the very education these technologies are meant to enable.

The FCC administers the E-Rate Program using monies from the Universal Service Fund, a fee-based mechanism that aims to ensure all Americans have access to affordable communications. Over the past decades, it has helped ensure that schools nationwide can provide their students with affordable, high-speed Internet and the networking equipment necessary to access it.

From the beginning, E-Rate has included protections for student safety. These include school district acceptable Internet use policies and filters intended to prevent children from accessing sexually explicit material and from joining chat rooms where they could be solicited by adults. However, the 1996 Telecommunications Act failed to account for threats outside of the school. In fact, the only mention of hacking in the E-Rate law involves students misusing school property to hack others.

The FCC’s longstanding practice has been to allow only for the purchase of “basic” firewalls—technology more suited to the 1990s than the AI era. By updating the allowable use of funds to cover modern cybersecurity solutions, policymakers can ensure that the Internet access needed to prepare our students for the 21st century does not put their privacy or educational opportunities at risk.

When cyber criminals strike, they can have real impacts on our children and their education. Stolen personal data can be used to create synthetic identities, leaving kids with damaged credit when they graduate. When schools shut down due to unavailability of their information systems, learning suffers—as does the delivery of other social services like nutrition programs that are integrated into the education system. When Congress passed E-Rate nearly 30 years ago, they could not have intended that Internet access enabled through universal service funds would end up denying students an education.

We know that cybersecurity tools can be effective. Data from insurers show that implementation of security controls reduces losses. We can see how technologies like protective DNS block intrusions before they even begin. And we know that backups and other resilience measures can prevent an incident from completely shutting down a district.

Recognizing this, the FCC already took an important step by creating a cybersecurity pilot last year. Just last month, one of us joined the Jefferson County Public Schools superintendent in Kentucky to announce a $3.7 million grant that will revolutionize the cybersecurity program for the district’s 96,000 students. The problem is that this pilot is woefully oversubscribed. In response to the FCC’s call for proposals, schools and libraries submitted over $3.7 billion in requests for assistance, more than fifteen times the program budget of $200 million.

Following the Supreme Court ruling in FCC v. Consumers’ Research, Congress is currently considering reforms to the Universal Service Fund. This is an incredible opportunity to shore up this weakness in E-Rate. Congress should codify and expand the pilot or place cybersecurity tools and services on the reimbursement list for traditional E-Rate, which we explain in detail in our recently filed comments to the bicameral, bipartisan USF Working Group. 

The pace of technological change keeps accelerating. Connectivity is vital to ensure students have the skills to compete in the economy of the future. It’s time for Congress to act to ensure that online safety is not just about protecting students from themselves, but also about preventing transnational criminal organizations from exploiting our children’s information and privacy.

Nick Leiserson is the Senior Vice President for Policy at the Institute for Security and Technology (IST). He previously served as a senior official in the White House Office of the National Cyber Director.

Michael Klein is Senior Director for Preparedness and Resilience at IST. A former educator, he last served in a cybersecurity policy role in the U.S. Department of Education.

This Expert Opinion is exclusive to Broadband Breakfast.

Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.