Last week Sen Peters (D,MI) introduced S 3033, the K–12
Cybersecurity Act of 2019. The bill would require the Cybersecurity and
Infrastructure Security Agency (CISA) to establish a K–12 education
cybersecurity initiative with the goal of providing “K–12 educational
institutions with resources to aid cybersecurity efforts will help K–12
educational institutions prevent, detect, and respond to cyber events” {§2(3)}.
Definitions
Section 3(a) of the bill provides the key definitions used
in the bill. Two cybersecurity terms are defined by reference to existing
definitions in the US Code:
• ‘Cybersecurity risk’ – 6 USC 659(a)(1); and
• ‘Information system’ – 44 USC 3502(8)
CISA Study
Section 3(b) would require CISA to conduct a study “on the
cybersecurity risks facing K–12 educational institutions, including the
challenges K–12 educational institutions face” {§3(b)(1)} in securing:
• Information systems owned, leased, or relied upon by K–12 educational institutions; and
• Sensitive student and employee records.
CISA would provide Congress with a report on the results of
the study. Separately, CISA would develop recommendations for voluntary
cybersecurity guidelines to assist K–12 educational institutions in facing the
cybersecurity risks identified in the study. CISA would also be required to
develop an online training toolkit to {§3(d)}:
• Educate the officials about the cybersecurity recommendations developed under subsection (c)(1); and
• Provide strategies for the officials to implement the recommendations developed.
Moving Forward
Both Peters and his cosponsor {Sen Scott (R,FL)} are members
of the Senate Homeland Security and Governmental Affairs Committee to which
this bill was assigned for consideration. This means that they probably have sufficient
influence to see this bill considered in Committee in the coming year. There is
nothing in this bill that would engender any significant opposition in either
the Committee or before the full Senate.
If this bill is favorably reported out of Committee, the
bill would likely be considered under the Senate’s unanimous consent process
without debate or vote. The bill would not be ‘important’ enough to take up
under the Senate’s regular order. The bill could also be included in a CISA
authorization bill; one of the perks that comes from being an ‘agency’.
Commentary
The cybersecurity definitions in this bill, and the wording
of the bill in general, make it clear that the crafters of the bill were only
considering vulnerabilities in the IT portions of school computer systems.
While these parts of the system are arguably the ‘most important’ for the purposes
of accomplishing what schools are designed to do, they are not the only computer
systems in place. Schools also have building services, security systems and
fire systems that are becoming more and more computerized. Those computerized
systems are also becoming more connected to outside systems and entities, while
at the same time becoming more intertwined with the school’s IT systems. It is
becoming increasingly possible to use these OT systems as a backdoor into the
more conventional IT systems. CISA should not ignore this.
More importantly, congressional staffers need to become more
cognizant of the increasing interconnectedness of IT and OT systems and
ensure that their legislative language takes these inter-system
vulnerabilities into account. Again, I would like to refer readers and
legislators to the blog
post I made earlier this year about the importance of including appropriate
OT/ICS definitions in cybersecurity legislation. I included specific recommended
changes to the currently IT-restrictive cybersecurity definitions in §659(a).