The UN Ad Hoc Committee’s revised draft, published in November of the previous year — and expected to be finalized in early February for UN General Assembly ratification — nonetheless continues to raise grave concerns. The draft fails to incorporate the multistakeholder principles and the input from accredited organizations provided during the two-year negotiation process. In response, we’ve joined once again with the CyberPeace Institute and the Cybersecurity Tech Accord to advocate for the inclusion of human rights principles in the treaty.

Read the Multistakeholder Manifesto.

The post CDT Joins CyberPeace Institute and Cybersecurity Tech Accord to Reiterate Call to Include Human Rights in UN Cybercrime Convention appeared first on Center for Democracy and Technology.

As it stands now, neither E-Rate nor the Emergency Connectivity Fund (ECF) – both benefits programs under USF for eligible K-12 schools and libraries – provide sufficient flexibility to meet growing cybersecurity risks due to schools’ increased reliance on technology and remote learning tools. Rosenworcel’s proposed pilot program would take an important step toward solving this problem by allocating funds to address the full scope of cybersecurity protections that schools need to ensure safe and secure learning environments for students. 

CDT urges the full Commission to support this proposal so that schools can establish comprehensive cybersecurity programs to meet their needs for technical infrastructure, human capital, and mitigation of the costs of attacks.

The post CDT Applauds FCC Chairwoman Rosenworcel’s Proposal to Bolster K-12 School Cybersecurity appeared first on Center for Democracy and Technology.

Cybersecurity has become an increasingly pressing issue in K-12 education, as incidents have continued to escalate in frequency and severity. Responses to K-12 cyber attacks have focused on providing resources to educational institutions, increasing coordination and information sharing, and enforcing legal obligations. 

Some of the basic legal requirements for K-12 cybersecurity are summarized in this CDT brief, along with strategies for compliance and working with vendors and external partners. However, the law sets only the minimum requirements, and educational institutions should also consider additional best practices around data ethics, data governance, and technical implementation. 

Basic Legal Requirements

Three laws or groups of laws have a widespread impact on K-12 cybersecurity: the Family Educational Rights and Privacy Act (FERPA); the Children’s Online Privacy Protection Act (COPPA); and varying state laws. These are not the only legal requirements around K-12 cybersecurity, but are the most important. 

FERPA

What is FERPA?

• Federal law passed in 1974 that applies to school districts and schools that receive funds from the U.S. Department of Education (ED).
• Provides parents and adult students with rights to access student education records, request their amendment, and consent to their disclosure. 
• Includes a number of exceptions to the consent requirement, including for “school officials” and for audits, evaluations, and studies for specific educational purposes.

What does FERPA Say About Cybersecurity? 

ED has interpreted FERPA’s provisions to imply a cybersecurity requirement, as it prohibits schools from having “a policy or practice of permitting the release of education records . . .  without the written consent” of the parent or eligible student. Additionally, some of FERPA’s exceptions include specific security requirements, such as:

•  The “school official” exception allows disclosures to teachers, contractors, and technology vendors, but requires schools to “use reasonable methods” to limit the data access of school officials, including “physical or technological access controls” and “administrative policy.” 
• Audits, evaluations, or studies also require “reasonable methods” to limit use of student data and ensure data is destroyed when no longer needed.

Finally, ED issued a letter to a school district that stated:

We interpret this prohibition to mean that an educational agency or institution must use physical, technological, administrative and other methods, including training, to protect education records in ways that are reasonable and appropriate to the circumstances in which the information or records are maintained.

COPPA

What Is COPPA?

• Federal law passed in 1999 that applies to for-profit “operators” of online services that are “directed to children” under 13.
• Prohibits collecting, using, or sharing personal information from a child without verifiable parental consent; enforced by Federal Trade Commission (FTC).
• Schools may consent to the collection and use of children’s personal information in the “educational context.”

What Does COPPA Say About Cybersecurity?

Unlike FERPA, COPPA includes an express cybersecurity requirement, but it is very broad:

COPPA requires online services to “[e]stablish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”

Additionally, the Federal Trade Commission, the agency responsible for COPPA’s enforcement, issued a policy statement that clarifies that “[e]ven absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security.” Additionally, the FTC has interpreted COPPA’s cybersecurity requirements in case-by-case enforcement to include written security policies and procedures, training personnel, and utilizing standard technical measures. 

Although COPPA does not apply to schools, it may apply to their technology contractors, and its cybersecurity requirements may be helpful for schools in developing agreements with their contractors.

State Student Privacy Laws

What Are State Student Privacy Laws?

• There are 140+ state student privacy laws, with some predating FERPA but most passed in the past decade, including some in recent months.
• The laws cover a variety of topics, including parents’ and students’ data rights, targeted advertising, contracts with vendors, and cybersecurity.

What Do State Laws Say About Cybersecurity?

The following are examples of states’ approaches to K-12 cybersecurity:

• California requires local educational agencies to contractually mandate that vendors take “actions” to “ensure the security and confidentiality of pupil records” and to report “cyberattacks impacting more than 500 pupils or personnel.”
• Colorado requires both “local education providers” and ed-tech contractors to have information protection or security programs.
• Maryland requires county boards of education to adopt “reasonable security procedures and practices that are appropriate to the nature” of the student data. 
• Pennsylvania requires school districts to notify individuals in seven business days and the District Attorney in three days of breaches of unencrypted personal information.

Dimensions of Legal Compliance

Both ED and the FTC have interpreted FERPA and COPPA to require reasonable security policies and governance, training and supporting personnel, and protective technical measures. The compliance strategies in this next section reflect recommendations by ED and the FTC as well as other agencies that provide cybersecurity support, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Multistate Information Sharing and Analysis Center (MS-ISAC).

Policies and Governance 

Although the term “cybersecurity” might conjure thoughts of technical countermeasures, it is first an organizational practice. The vast majority of cybersecurity incidents occur due to human error, with one study finding that human error is the cause of or contributes to as many as 95% of incidents. Policies and governance can help address the critical human component of cybersecurity. 

• Establish comprehensive data security and incident response policies:
  • Approved by organizational leadership.
  • Based on an institutional cybersecurity review of risks and organizational maturity, ideally aligned with the NIST Cybersecurity Framework.
  • Defines goals and a vision for reporting, remediation, review, and feedback. 
• Formulate a concrete plan consistent with data security and incident response policies:
  • Identify and standardize responsible parties and timelines for initial response, notification, and reporting. 
  • Address most common attack vectors such as Remote Desktop Protocol and unique organizational risks.
  • Include procedures for performing and testing backups for partial and full restorations.

Training and Supporting Personnel

Another step in mitigating human error and in responding to incidents is training that supports school personnel and the school community: 

• Create a training and awareness campaign on all levels and for all staff, including organizational leadership, IT staff, educators, parents, students, and school operations.
• Training should cover awareness (how to spot a threat such as a phishing email) and ability (what to do when a threat is suspected).
• Training should be regular, substantive, tailored for local contexts (including state laws), and up-to-date.
• Update content periodically to provide reflections on “lessons learned,” alerts regarding new developments, and “just-in-time” training.

Protective Technical Measures

Finally, both FERPA and COPPA require institutions to adopt reasonable technical measures to protect student data.

• Take a small number of high-priority steps:
  • Encrypt data at rest and in transit.
  • Implement multifactor authentication (2FA), possibly in conjunction with a single-sign on (SSO) solution and beginning with the most vulnerable systems.
  • Patch known security flaws and install software security updates.
  • Perform and test back-ups.
  • Periodically check for personal information that is wrongly stored or incorrectly public facing.
• Implement CISA’s Cross-Sector Cybersecurity Performance Goals (CPG), which are a comprehensive set of best practices across sectors, rated by impact and complexity:
  • Adopt tools for detecting unsuccessful logins.
  • Set (and enforce) policies regarding minimum password strength.
  • Separate user and privileged accounts.
  • Maintain and secure network logs.
  • Implement transport layer security. 
  • Incident reporting.

Governing Vendors and Partners

The key to working with vendors and external partners is expressly mandating cyber requirements and making those requirements contractually enforceable. Governance and policies play a major role in ensuring that (1) agreements are entered into with vendors, and (2) those agreements appropriately structure their cybersecurity obligations. 

FERPA includes the following requirements for governing contractors:

• Use “reasonable methods” to limit access for “school officials” to records for which they have a “legitimate educational interest.”
• Use “reasonable methods” and written agreements to “authorized representatives” conducting audits or evaluations that limit uses of student data and protect it from further disclosure.
• ED has recommended specifying data use limitations and security requirements in written agreement with recipients of student data and to verify the existence of a sound data security plan.

Similarly, COPPA requires that contractors and their subcontractors be “capable of maintaining the confidentiality, security and integrity” of data and “provide assurances” that they will secure data.

Schools may wish to take the following steps to hold contractors accountable:

• Include cybersecurity requirements in the procurement process and in evaluating bids;
• Specify in service agreements security requirements and incident procedures, including prompt notification in the event of a breach or other security incident; and
• Ensure that access for vendors is limited to necessary data.

That governance does not have to occur at the school or school district level, but can occur at the state level or even across states. State-level governance can result not only in standardized procedures across school districts, but increased bargaining leverage to ask more of vendors — and hold them accountable.

[ PDF version ]

The post Policies, People, and Protective Measures: Legal Requirements for K-12 Cybersecurity appeared first on Center for Democracy and Technology.

K-12 schools have increasingly been victimized by malicious cyber actors through ransomware and other attacks, which have disrupted critical educational services and put students and their personal information at risk. To secure CIRCIA’s benefits for K-12 institutions, students, families, and policymakers, CDT urged CISA to:

(1) include K-12 schools, related educational institutions, and their private contractors in CIRCIA’s reporting obligations;

(2) adopt rules that account for the distributed nature of K-12 data systems; and

(3) coordinate with the U.S. Department of Education to ensure K-12 schools and other educational institutions have the resources they need to meet their reporting obligations.

Read the full letter here.

The post CDT Comments on Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) appeared first on Center for Democracy and Technology.

Ahead of the U.S. midterms, election misinformation appears to be thriving online. As always, local election officials hold the front line as the frequent targets of that misinformation. CDT and the Center for Tech and Civic Life (CTCL) have pointed out, though, that election officials are in a strong position to debunk and respond to misinformation, by “flooding the zone” with trusted information about how elections really work. But they can only do this effectively if they have a trusted web presence, which involves getting verified accounts on Facebook and Twitter and making those accounts look official. It also involves having a website that users know to trust.

Election official websites serve many important functions. Voters can use them to register to vote or request an absentee ballot. Election officials can use them to educate voters on when, where, and how they can vote; to convey election results; and to debunk misinformation and myths about local elections. But how is a voter supposed to know that they can trust that the election website they are accessing is authentic?

One indicator of trustworthiness is whether an election website uses the .gov top-level domain (TLD). Unlike other TLDs that are available to any interested entity (e.g., .com, .net, .org, .us), .gov is only available to federal, state, and local government entities verified by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In other words, the .gov TLD functions like a blue checkmark on Twitter: an indicator that a government website is authentic.

.gov adoption has improved since 2020, but is still too low

We analyzed a dataset of election websites maintained by CTCL and found that, of the 7,010 websites that we included for analysis (see methods below), only 1,747 (25%) used .gov. This low adoption rate creates an opportunity for bad actors to create fake election websites and spread disinformation. As an example, the official election website in Harris County, TX (home to nearly 5 million residents), is harrisvotes.com. A bad actor could register, say, harriselections.com and use it to spread false information about voting options, to collect private voter information, or to publish false results. In 2020, Steve Grobman of McAfee showed how easy it would be to set up a fake election website like this. 

And this isn’t theoretical — in 2020, the FBI identified dozens of fake election websites that may have been set up to mislead voters. In a Public Service Announcement released this month, the FBI and CISA warned the public that, because foreign actors may attempt to “manipulate information or spread disinformation in the lead up to and after the 2022 midterm elections,” voters should be wary around websites that solicit voting information that are not using .gov.

To address this problem, election websites — and all government websites — need to adopt .gov widely enough that voters know to look for it as an indicator of trustworthiness. There’s reason to believe this change would be helpful: In 2020, when Congress passed the DOTGOV Online Trust in Government Act of 2020, it found that “when online public services and official communications from any level and branch of government use the .gov internet domain, they are easily recognized as official and difficult to impersonate.” Obstacles to using .gov were recently lowered: in April 2021, CISA — which took over responsibility for administering the .gov program in March 2021 — announced that it was making .gov free for qualifying government entities, eliminating the old fee of $400 per year. 

So, has .gov adoption for election websites increased since CISA took over .gov and made it free? In 2020, Grobman analyzed a dataset that, unlike our dataset, consisted of only one URL per county; he found that only 20% of these websites used .gov. 

Because our research uses a different dataset, and because our primary analysis includes websites for both county- and municipality-level election officials, we cannot make an apples-to-apples comparison with Grobman’s results. But, after reducing our dataset — from 7,010 unique domains held by election officials responsible for election administration, to 3,021 unique domains held by county-level offices — we can offer a rough comparison. (This reduced set of domains is not necessarily the most accurate representation of election officials’ web presence, because it cuts out thousands of municipality-level officials who in many cases, particularly in the Northeast, are responsible for election administration.) After this reduction, we found that about 32% of county election websites used .gov, a marked improvement from the 20% found by Grobman in 2020, but still a long way to go. 

One might expect the most populous counties in the U.S. to have higher levels of .gov adoption — after all, the counties should be better-resourced and more able to spend the time and resources necessary to switch to .gov. We looked at the top 20 most populous counties, analyzing their 19 unique websites (because Brooklyn, NY, and Queens, NY, are both represented by vote.nyc); of these websites, eight (42%) used .gov. The most populous counties indeed appear more likely to use .gov, but adoption is still less than half.

HTTPS adoption is fairly strong

Another key component of a trusted web presence for election officials is HTTPS. When a browser connects to a website that supports HTTPS, the information flowing between the browser and the web server is encrypted, which protects the integrity and confidentiality of the information. For voters using an election website, encryption helps ensure, for example, that they are able to privately submit sensitive voter registration information and be sure that the information about how to vote or about election results is genuine. When websites don’t use HTTPS, the information flow may be more easily intercepted, read, or altered by malicious actors. HTTPS also provides authentication, by giving the browser an assurance that the server it is communicating with is indeed the one it tried to contact. Websites that don’t connect via HTTPS will typically show an unlocked padlock in a browser, indicating to the user that the connection is not secure and not authenticated.

While security experts urge all websites to adopt HTTPS, there have been specific calls for government websites to do so. In 2015, the Obama Administration issued an order requiring all publicly accessible websites administered by the federal government to use HTTPS. The order explains that Federal websites that do not adopt HTTPS leave “Americans vulnerable to known threats, and may reduce their confidence in their government.” Although the order could not require HTTPS by county or municipality websites, the reasoning applies equally — or more so — for sensitive election-related websites.

Our analysis found that, of the 7,010 websites that we analyzed, 6,260 (89%) supported HTTPS. The rates are similar for county-level websites and the 20 most populous counties. This rate appears to be a dramatic improvement from the 55% found by Grobman in 2020 — though we again note that we are using different underlying methods and data.

Conclusion

The federal government has made admirable moves in recent years to secure online elections infrastructure against cyber attack. The passage of the DOTGOV Act, as well as CISA’s work to increase .gov and HTTPS adoption, has made it easier (and cheaper!) for state and local election websites to secure their websites. Indeed, there appears to have been a substantial increase in both .gov and HTTPS adoption among election websites. But the overall number of election websites that have moved to .gov still appears quite low.

Why do election officials overall seem hesitant to move their websites to .gov, despite the established importance of having a trusted online web presence? This question deserves further exploration. For now, we speculate that a number of factors are slowing the move to .gov. For one thing, many election officials may simply not be aware that .gov is available and free to them.

Additionally, election officials tend to be stretched thin. For years, Congress has failed to provide election officials with sufficient, predictable funding, often leaving election officials with limited budgets and staffing levels for securing elections. CISA has provided a great set of online resources to help officials who want to move to .gov — but many election offices may not have a full-time IT staffer and might therefore have to hire a contractor for the work. 

And, as CISA notes, moving to .gov is “not solely a technical task.” Moving a long-established domain to .gov requires updating email addresses, business cards, and signage. The costs may seem too high to cash- and time-strapped officials, who are busy running elections and responding to other threats and harassment.

Once the midterms are in the rearview mirror, election officials will begin the hard work of preparing for the 2024 presidential election, which will no doubt present new challenges for security and for communication. If they haven’t already, election officials should then immediately get to work moving to .gov and HTTPS — key ingredients of a trusted web presence, which is essential for ensuring a trusted democracy.

The authors thank three programs at Georgetown for supporting this research: the Institute for Technology Law and Policy, Massive Data Institute, and Fritz Family Fellows program.

Methodology

We conducted our analysis primarily using pandas, the Python-based data analysis package. We used a dataset of 8,941 election official URLs in the 50 states and D.C. that is maintained by and was obtained from the Center for Tech and Civic Life (CTCL). While that dataset underwent CTCL’s quality assurance process, details and URLs may change over time. We did not independently verify each entry in the dataset, and thus recognize the possibility of some variation in the data as a result of recent changes.

We used Python’s urllib.parse to trim websites down to their network location, or domain name (i.e., reducing a URL from something like https://www.lavote.net/home/voting-elections to www.lavote.net). We used pandas to drop duplicate domains, bringing us to a set of 7,316 domains. Of these domains, 7,010 are associated with “primary election officials,” i.e., election officials whom CTCL has determined are responsible for election administration, possibly including voter registration websites. This was the set of domains that we analyzed.

To analyze these domains, we ran CISA’s pshtt (pronounced “pushed”) software on each domain. (CISA uses this software to monitor HTTPS adoption across the federal government.) pshtt reported over 99% of domains as “Live.” pshtt scanned each of four endpoints (URLs beginning with http://, http://www, https://, https://www) and records whether the endpoints redirected to a different location. We counted a domain as “using .gov” if any of the four endpoints ultimately pointed to a URL with a .gov suffix. We used tldextract to extract the suffix from the URLs reported by pshtt.

pshtt also provided information about HTTPS support. Our analysis reports the percentage of domains that pshtt found to “support HTTPS,” which in all of our cases indicated that the domain had valid HTTPS and did not downgrade the connection from HTTPS to HTTP at any point.

We replicated our findings by running pshtt on every website in the database a second time, from a different computer and network location, about a week after the first run. For all analyses presented here, differences in the number of websites that used .GOV or HTTPS were very low — in the single digits. In all analyses, the rounded percentages remained identical.

To make a comparison to the previous number reported by McAfee of the number of counties using .GOV, we trimmed the dataset only to those rows where “Office Name” included the word “County,” “Borough” (for Alaska websites), “Parish” (for Louisiana websites), or “DC,” to account for the names of county equivalents. This was a rough heuristic that brought the dataset down to 3,021 websites, roughly the same number as the 3,143 counties and county equivalents in the 50 states and D.C. and the 3,089 websites included in the McAfee study.

The post Only 1 in 4 Election Websites Uses the .gov Domain. That’s a Problem — and an Opportunity appeared first on Center for Democracy and Technology.

Virtual private networks (VPNs) enable users around the world to access and share information in a secure ecosystem while safeguarding their privacy and minimizing their digital data footprint. A new cybersecurity order issued by the Government of India’s Computer Emergency Response Team (CERT-In) requires VPN providers to maintain logs on users, undermining the purpose of using a VPN service and subjecting users to the very surveillance they are attempting to circumvent.

In the past month, a number of virtual private network providers have left India. ExpressVPN, NordVPN and SurfShark are a few services announcing they will no longer operate within Indian borders in an effort to protect the privacy and free expression rights of Indian users. In a recent blog post, ExpressVPN writes: “We will continue to fight to keep users connected to the open and free internet with privacy and security, no matter where they are located.” 

The cybersecurity order sets out new rules for VPN providers, cloud-service providers, intermediaries such as telecom and internet service providers, e-commerce giants, search engines, social media platforms, and nearly all other corporate and government entities. Among the many concerning requirements, several pertaining to VPNs are in direct opposition to how VPN services operate and why people use them.

The order, which was introduced in late April and comes into effect later this June, requires VPNs to maintain logs on all its users for five years including their validated names, IP addresses and email at time of signup, IP addresses allotted to or used by them through the VPN service, purpose of use, and other contact details. The Internet Freedom Foundation has written a very helpful explainer of the order in its entirety.

If the idea of VPNs holding incredibly sensitive information for up to five years rings any alarm bells for you, it should — particularly for users from marginalized and at-risk groups seeking secure communication and information channels. 

The requirements run counter to the purpose of offering a VPN service, which is to provide secure and private communications channels free from outside interference or access, and ideally to do so in a way that minimizes data collection, retention, and centralization (as CDT’s Signals of Trustworthy VPNs project back in 2018 shed important light on). The data retention mandate also runs counter to how VPNs should ideally be protecting and minimizing user data and how users expect them to work.

Data minimization is a large part of how trust between VPNs and users is maintained: users trust that VPNs will shield them from surveillance and scrutiny, and VPNs uphold this trust by maintaining few, if any, logs on the person’s use and online behavior. VPNs are especially egregious targets of this bill as the service masks activity from others but centralizes a significant portion of user traffic within the service, making users particularly vulnerable if VPNs are mandated to share data. 

What makes this order especially dangerous and threatening to Indian users’ rights is the context in which VPNs are used. Often VPNs are relied on when a user needs a secure, virtual place to speak freely or exchange information free from government surveillance, or when individuals need to access information that a governmental entity is trying to censor. Both instances make VPNs critical infrastructure to access the internet and exercise one’s rights.

A number of groups use VPNs. Journalists rely on VPN services to communicate with sensitive sources and keep themselves safe when reporting on human rights abuses, conflict situations, or any type of coverage that might make them vulnerable to scrutiny or backlash. VPNs are critical armor for journalists in a country like India, where they have been surveilled, arrested, or even killed for their work as freedom of the press continues to decline.

VPN services are also used by activists who are critical of the government and want to engage in democratic activities like speaking freely, sharing information, and organizing protests or assembly in a climate where those actions are not welcome. According to Freedom House’s Freedom on the Net India report, in the past year the Indian government has strong-armed social media platforms to take down content related to protests, including the farmers protest in early 2021, one of the largest protests in recent history. Just last week, the home of a young Muslim activist and her father was bulldozed by state government authorities because they were suspected of leading protests against the Islamophobic remarks made by a sitting government official.

Finally, VPN services are used by everyday citizens, including marginalized and at-risk groups seeking safe spaces or life-saving information. During the COVID-19 pandemic, VPN usage skyrocketed. Mashable reports that the use of ExpressVPN in India grew by 15% in the first three months of the COVID-19 pandemic due to increased remote work and employees seeking secure ways to exchange important files. The New York Times and several advocates reported instances of content related to COVID-19 and public health being taken down. India holds the dubious record of having the most internet shutdowns for four years in a row. During these periods, VPNs became a trusted avenue to access the internet and seek out information that may be blocked by government control.

With this order, Indian users lose out, as their government effectively seeks to monitor their communications and subject their speech to scrutiny. The Indian government also loses by failing to uphold its own principles laid out by the Personal Data Protection Bill (PDPB) of 2021. The PDPB followed a 2017 landmark judgment by the Supreme Court of India declaring privacy a fundamental right, to enshrine the Court’s decision into law. Yet, the new CERT-In order fails to uphold the PDPB’s foundational principles of data minimization borrowed from the European Union’s General Data Protection Regulation (GDPR) on which the PDPB is modeled, and runs counter to strong privacy by design principles.

This move by the Indian government is also part of a larger worrying trend amongst governments around the world to crack down on VPN providers. India joins a list of countries which effectively block the use of VPN services, including China, Belarus, Iran, and North Korea. Additionally, Russian users have recently reported ‘likely interference’ from authorities when trying to access VPN services. This comes at a time when the Russian government’s war against Ukraine has driven more users to seek out VPNs to access truthful information about the conflict, share critical documentation with the world, and communicate with one another free from interception. One estimate says that the volume of Russian traffic for a VPN provider increased 172 times.

With citizens being surveilled and arrested for their speech, and internet services being throttled in all corners of the country, the cybersecurity order is yet another way the Indian government is trending towards proto-digital authoritarianism. As CDT wrote last year, the conflict over online free expression is one that the government continues to escalate. The recent order is consistent with this undemocratic approach. We join civil society and human rights advocates to urge the Indian government to delay the order, and re-think its approach in order to safeguard the rights of Indian users.

Update: After facing substantial pushback from companies and civil society organizations, the Government of India has delayed the enforcement of the CERT-In cybersecurity order to September 25, 2022. Alongside requests to delay, local civil society advocates are also asking the government to reconsider the order and consult with human rights experts in order to ensure the protection of people’s rights.

The post India’s New Cybersecurity Order Drives VPN Providers to Leave, Chilling Speech and Subjecting More Indians to Government Surveillance appeared first on Center for Democracy and Technology.

Federal leaders have approved funds for K-12 schools, including funding for cybersecurity under the pandemic-related Elementary and Secondary School Emergency Relief fund and for secure, private devices and connections, as well as digital literacy, under the Infrastructure Investment and Jobs Act. 

Those strides at the federal level also included some requirements for coordination among K-12 stakeholders. For example:

• The State and Local Cybersecurity Improvement Act, which CDT discussed in a recent podcast episode, requires states to consult with local entities, including schools, in drafting cybersecurity plans. 
• The K-12 Cybersecurity Act similarly requires the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate with schools and other education stakeholders in developing recommendations and tools to better secure school networks. 
• And finally, the recently passed State and Local Government Cybersecurity Act of 2021 also requires the Department of Homeland Security to provide resources to local governments “in coordination as appropriate with Federal and non-Federal entities,” although it does not require that coordination to include the U.S. Department of Education (ED) or other educational institutions. 

Despite those strides, there is still substantial work to do to bolster K-12 cybersecurity, with a particular need to establish a long-term, sustained solution for K-12 schools’ cybersecurity funding needs and to improve coordination among federal stakeholders. 

Sustained, Flexible Funding

Cybersecurity risks to student privacy and K-12 networks are not going away. Yet current funding efforts are structured as one-time appropriations of funds, and some are designed to decrease support over time. Ending or diminishing funds may force schools to make a trade-off between providing services to students or ensuring those services are adequately secured — at a time when cyberattacks continue to increase. Further, many of those funding programs are focused on limited purposes and may not cover expenses that are essential to protecting K-12 networks, including training school staff or developing the digital literacy of students and parents.

Sustained, flexible funding for K-12 cybersecurity might be addressed by several pending proposals before the executive agencies and Congress:

• CDT has proposed changes to one Federal Communications Commission (FCC) program to help ensure long-term funding for K-12 cybersecurity. CDT proposed that the FCC’s E-Rate program be expanded to include additional uses for cybersecurity funding. Appropriately structured, including cybersecurity funding within E-Rate can provide schools flexibility to meet their needs for technical infrastructure, human capital, and resources for mitigating the costs of attacks without overtaxing the program.
• Other proposals would help support essential aspects of cybersecurity that are currently underfunded. For example, the Enhancing K–12 Cybersecurity Act would provide additional funding for training and sharing best practices. 

Federal coordination

Current coordination efforts focus on coordinating between states and local entities, and have largely not addressed the opportunity — and need — to encourage coordination among federal agencies tasked with cybersecurity. As the Government Accountability Office (GAO) recently observed, K-12 cybersecurity involves expertise across multiple federal agencies, and the two leading agencies — CISA and ED — have not adequately coordinated their efforts. A lack of coordination at the federal level creates risks for schools such as duplicative efforts (and wasted funds!), conflicting, outdated, or omitted guidance, and schools not knowing which agency to turn to for support.

At least one pending legislative proposal could support better coordination at the federal level on K-12 cybersecurity. The Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act would provide annual reports on cybersecurity for small entities, including small school districts. Although this information will be useful, the bill stands to benefit by requiring coordination between CISA, ED, and other federal agencies. K-12 data governance cuts across levels of government and spans across federal agencies, and K-12 cybersecurity policy should reflect that reality.

Conclusion

Developments in cybersecurity and increased device usage and remote learning have made it more vital than ever for schools to receive support from state and federal policymakers to protect their networks and their students. The complexity of these attacks has also increased the need for coordination at the federal level. Our unprecedented efforts to close the homework gap must be accompanied by commensurate efforts to protect student privacy and schools’ cybersecurity.

The post Federal Policymakers Should Continue to Build on Recent Steps to Help K-12 Schools Secure Their Networks and Protect Student Privacy appeared first on Center for Democracy and Technology.

“The FTC’s policy statement underscores the importance of thoughtful data practices in protecting students’ privacy,” said CDT President & CEO Alexandra Givens. “Limitations on data collection, use, and retention are essential to protect individuals from privacy harms and cybersecurity risks. We applaud the FTC for its work to strengthen enforcement of children’s privacy requirements in the context of education technology, and particularly thank the Commissioners who championed data minimization as a vital component of this work. While this policy statement represents an important step forward, we also join the call for the FTC to complete its long-awaited review of the regulations that govern children’s privacy, and to align those reforms with the wider movement to protect everyone’s privacy at the federal level.”

Critically, the statement notes that “even absent a breach, COPPA-covered [education technology] providers violate COPPA if they lack reasonable security.” Strong cybersecurity protections are essential, as K-12 cyberattacks are not only on the rise but increasingly aimed at the online services that COPPA covers. COPPA and its rules already require online service providers to adopt “reasonable procedures to protect the confidentiality, security, and integrity” of children’s data, and the policy statement underscores that security must be a top priority. 

Further, the policy statement clarifies that COPPA’s privacy requirements will be enforced, particularly around data minimization, use limitations (for educational purposes), and retention limits. These requirements have long been part of COPPA, and CDT supports these increased enforcement efforts to help protect students online in the same way we expect them to be protected in the classroom. 

For more information on this issue, see CDT’s previous call for the FTC to ensure that COPPA protects student privacy and for Congress to bolster protections for children and teenagers by establishing robust privacy protections nationwide.

The post FTC to Prioritize Cybersecurity and Data Minimization Enforcement Under COPPA to Bolster Student Privacy appeared first on Center for Democracy and Technology.

In particular, as the comments set forth, while the Framework rightly recognizes that vulnerability disclosure processes are an important component of a cybersecurity program, the current framework fails to reference widely accepted standards for best practices for coordinated vulnerability disclosure. The comments urge NIST to rectify this omission to help provide clearer and more consistent guidance.

Read the full comments here.

The post CDT Joins Comments Urging NIST to Incorporate Standards Setting Out Best Practices for Coordinated Vulnerability Disclosure appeared first on Center for Democracy and Technology.

From the letter:

In particular, we wish to bring attention to clause 103(2)(b) of the Online Safety Bill which provides the UK communications regulator, OFCOM, with the powers to order a provider of a user-to-user service, which includes private messaging platforms, “to use accredited technology” to identify child sexual exploitation and abuse (CSEA) content, including on private messaging platforms. However, in doing so, these notices could require that providers of such services introduce scanning capabilities into their platforms to scan all user content. Such scanning cannot be accomplished on end-to-end encrypted services for the simple reason that nobody, including the provider, has access to the content carried on that service except for the sender and the intended recipient(s). As a result, such a requirement could put users at risk by compelling their service providers to compromise or abandon end-to-end encryption.

We agree that more must be done to tackle pernicious CSEA content online. It is important to note that law enforcement agencies in the UK already possess a wide range of powers to seize devices, compel passwords and even covertly monitor and hack accounts to overcome security measures and identify criminals.

Read the full open letter + the list of signatories at the GEC’s website.

The post CDT Joins Dozens of Orgs & Cybersecurity Experts on Letter Expressing Concerns with UK’s Online Safety Bill appeared first on Center for Democracy and Technology.