FIRST IN MC — K-12 cybersecurity is facing a pop quiz, and the results aren’t looking too promising. A recent first-of-its-kind cyber forum that brought together top officials and tech vendors looks to have exposed a rift between federal initiatives and on-the-ground realities in America’s classrooms, according to a PACE Forum press release first shared with MC.

— First things first: U.S. Deputy Secretary of Education Cindy Marten and Deputy National Cyber Director Harry Wingo headlined the Oct. 8 PACE Forum. The gathering was meant to tackle the growing digital dangers facing classrooms, which is already a high-priority item for Washington’s cyber world.

— Friction point: Multi-factor authentication faces serious hurdles in schools. Vendors report significant pushback from K-12 customers, especially for privileged accounts. Less secure forms of MFA, like email or SMS-based messages, are often seen as the only viable options in the K-12 context.

— Cultural inertia: The resistance to new security measures in schools isn’t just about technology — it’s deeply rooted in institutional culture, according to one expert. Educators and administrators often share the same reluctance to change seen in other public sector roles, said Mike Hamilton, former CISO for the city of Seattle and founder of PISCES, which trains students to become cyber analysts. “Setting aside that school districts are underfunded and must balance priorities just to continue operating, employees can have a sense of entitlement and can be intransigent regarding changes to work conditions,” Hamilton, now CISO at Critical Insight, tells MC, citing resistance to adopting new authentication methods as an example.

— Why it matters: Around 55 percent of K-12 data breaches have been linked to compromised vendors between 2016 and 2021.
The forum, which was organized by UC Berkeley’s Center for Long-Term Cybersecurity and the Department of Education, aimed to shift the burden on cyber from resource-strapped schools onto tech companies.

— A growing threat: K-12 districts have surpassed hospitals, government offices and other public-sector targets to become the most frequent targets of cyberattacks, according to the latest State EdTech Trends report. The number of cyberattacks on schools nearly doubled between 2021 and 2023, those researchers — who consulted with state education leaders in 46 states — noted.

— Need more bake sales: Despite cybersecurity topping the ed tech priority list for two years running, the funding well is running dry. Only 8 percent of state leaders believe they have sufficient cyber funds, a sharp drop from 19 percent last year. Meanwhile, 33 percent indicated only a small amount of funding is available, up from 15 percent last year.

— What happens next: Forum organizers plan to convene a “community of practice” around edtech security. This lines up with the White House’s 2023 National Cybersecurity Strategy, which calls for “the most capable and best-positioned actors” to shield under-resourced organizations from cyber threats.

DEVELOPERS ASLEEP AT THE WHEEL — Less than 4 percent of developers globally are involved in Secure-by-Design upskilling initiatives, according to new research out this morning by Secure Code Warrior. While critical infrastructure sectors show higher security postures, researchers warn that the lack of widespread developer engagement could leave organizations vulnerable to attacks.

— Show me the money: CISOs are struggling to prove ROI on SBD initiatives, particularly in the early stages. The absence of industry-standard benchmarks has been a key challenge, making it difficult to track progress.

— Size doesn’t always matter: The analysis reveals that both large-scale and smaller-scale SBD upskilling initiatives can be successful.
The research shows that smaller-scale initiatives can ramp up quickly and run faster. But the kicker? For these initiatives to deliver measurable ROI sooner, a mandate has to be in place.

— Vulnerability reduction is real: When upskilling initiatives are firmly established, the payoff is significant. Developers within large upskilling programs (7,000+ developers in a single company) can predictably reduce vulnerabilities by 47-53 percent.

— (Former) government weighs in: Chris Inglis, former National Cyber Director, doesn’t mince words: “Now more than ever, we have a national responsibility to ensure SBD upskilling programs are in place.” Former acting National Cyber Director Kemba Walden echoes the sentiment, calling for enhanced SBD initiatives across digital infrastructure to reduce critical vulnerabilities. “This research issues a clear call to action for upskilling personnel and creating benchmarks to meet critical cybersecurity goals,” Walden said.