In its comments on the FSA draft strategic plan for 2020–2024, EDUCAUSE expressed appreciation for a strategic goal on information security but raised concerns about text that appeared to place blame for security issues largely on higher education institutions.
The US Department of Education (ED) Office of Federal Student Aid (FSA) posted a draft of its five-year strategic plan for public review in late September and invited stakeholders and the public at large to submit feedback about it on or before October 23, 2020. Noting that the plan's fourth strategic goal (of five) concerned bolstering information security for FSA data, EDUCAUSE staff worked with the EDUCAUSE Policy Advisory Committee (EPAC) and the Higher Education Information Security Council (HEISC) Advisory Committee to evaluate the relevant elements and provide comments on behalf of the higher education IT community.
In its submission, EDUCAUSE expressed appreciation that the FSA named information security as one of its top strategic goals. Both FSA and ED officials have maintained a positive dialogue with EDUCAUSE over the last couple of years regarding the desire for a collaborative, effective working relationship with the institutional community on FSA data security. Parts of the plan reiterate the desire for a productive, collaborative information security relationship between FSA and higher education institutions. EDUCAUSE commends FSA for recognizing why this relationship is critical for ensuring that the personal financial information of students and their families is appropriately protected.
EDUCAUSE found some of the plan's text disappointing, however, in that it seemed intended to elevate FSA's information security standing at the expense of the colleges and universities with which it works. For example, the plan states the following:
- "The Department of Education and FSA received high ratings on data security, while the education sector as a whole fell short. The SecurityScorecard 2018 Education Cybersecurity Report puts the education industry last among 17 industries in terms of cybersecurity safety (Exhibit 14)."
- "The number of reported actual and potential cybersecurity breaches at postsecondary education institutions has risen dramatically, from 15 in 2015 to 432 in 2019—as reported by the Federal Student Aid Post-Secondary Institution Cyber Team (Exhibit 15)."
- "A 2014 EDUCAUSE report, 'Just in Time Research: Data Breaches in Higher Education,' highlighted over 700 education-related cybersecurity events between 2005 and 2014 through publicly released news articles. During that same time period, only two percent were reported to FSA."[1]
As EDUCAUSE noted in its comments, each of these findings is problematic. Citing the alleged security shortcomings of the "education sector," for example, fails to take into account the wide variety of institutions, organizations, and companies that the sector encompasses. It therefore also fails to focus the discussion on the aspect of the sector to which the section of the plan in question appears to relate: postsecondary institutions that participate in federal student financial aid programs. Emphasizing the increase in institutional reporting of "actual and potential cybersecurity breaches" to FSA between 2015 and 2019 overlooks that FSA did not begin to substantively reinterpret its data breach reporting provision and press for institutional compliance with this more expansive interpretation until 2015. Moreover, since that time, FSA has yet to work with higher education information security leaders to establish definitively what institutions should report and on what legal basis or regulatory authority they should report it. Without a shared understanding of what constitutes a "potential cybersecurity breach" or the appropriateness of FSA references to "cybersecurity incidents" as compared to "data breaches" in relation to institutional compliance, one might easily assume that much of the increase in reporting from 2015 to 2019 was not due to an actual rise in breaches of FSA data but rather to institutions overreporting run-of-the-mill incidents out of an abundance of caution.
Finally, the use of a past EDUCAUSE brief on higher education data breaches to support implied FSA concerns about the current state of institutional cybersecurity seems particularly misleading. First, the reference to "over 700 education-related cybersecurity events between 2005 and 2014" ignores the finding cited in the brief that only about three-quarters of those cybersecurity events pertained to colleges and universities.[2] Additionally, this reference does not take into account that much of the data in question is more than a decade old. Even more importantly, the FSA strategic plan fails to cite the primary determination reached by the author of the brief:
> Education, and particularly higher education, is often singled out as having a large number of reported data breaches, and at first look, the PRC [Privacy Rights Clearinghouse] database appears to confirm that view. Look more closely at the data, however, and a different picture emerges. As an industry, education has some of the lowest counts of records exposed per breach incident—the number of reported breaches in the education industry does not mean more records containing personally identifiable information are being compromised.
>
> Many speculate that higher education's culture of openness and transparency encourages breach reporting by institutions, even when such reporting is not legally necessary. This culture does not exist in other industry sectors, where breach reporting could damage an organization's ability to be competitive in that industry. In these instances, a breach may only be reported when it is required by a law or some other regulation, and even then, only when the breach circumstances clearly fall within the purview of the underlying regulation.[3]
Thus, the FSA text fails to present an accurate interpretation of even the dated EDUCAUSE analysis it cites. That analysis illustrates that the number of higher education breaches for the 2005–2014 timeframe was just above the median for the set of industry sectors discussed. In addition, the average number of records exposed per breach for the education sector as a whole was the lowest for all of the sectors included, implying that the average number of records exposed for higher education-only breaches likely was relatively low, too, and cultural factors in higher education may lead to a greater volume of breach reporting than is witnessed in other sectors.[4]
With all of this in mind, EDUCAUSE asked FSA to reconsider its approach to discussing higher education information security in its strategic plan. Rather than raising points and citing references that seem intended to make colleges and universities look less than serious about information security or related compliance obligations, FSA should rewrite the relevant sections of its plan to highlight the positive impact its information security outreach efforts have had on EDUCAUSE and other stakeholder communities—particularly the communication channels and collaboration that are in place as a result. FSA could then build on those examples to outline in greater detail the processes through which it will work with stakeholders, such as higher education information security leaders and professionals, to achieve tangible outcomes that advance the shared information security objectives that FSA and EDUCAUSE members have already acknowledged.
EDUCAUSE will watch for the next iteration of the 2020–2024 FSA strategic plan in the hope that FSA adopts our recommendations. With that said, the association will continue to raise its concerns with ED and FSA about how the draft plan portrays higher education information security and what the EDUCAUSE community would find fair and appropriate moving forward. More importantly, EDUCAUSE remains committed to pressing for a collaborative process with FSA to resolve lingering concerns about the lack of publicly documented definitions, policies, and processes related to FSA cybersecurity compliance, given the compliance difficulties that those gaps have created for colleges and universities and will likely create in the future.
Author's note: In preparing this post, I identified a couple of mistakes that I made in writing the comments to FSA about the 2014 EDUCAUSE brief. First, while there is a subsection of the brief that focuses on 2005–2013, which led me to stress that the data on which FSA relied was even older than it appeared, the seven hundred and twenty-seven breaches on which the "over 700 cybersecurity events" reference was based span the 2005–2014 timeframe as the FSA plan text states. In addition, the 2005–2013 subsection identifies five hundred fifty-one higher education breaches as the basis for the analysis in that part of the brief, which is the figure cited in the EDUCAUSE comments. However, the brief identifies the correct figure for the 2005–2014 timeframe as five hundred sixty-two. Neither error substantively undermines the points raised about FSA's use and characterization of the brief in question, and the text of this post reflects the revised understanding of the brief. I want to acknowledge these mistakes, however, in the interest of fairness and accuracy.
For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy page.
Notes
1. US Department of Education, Office of Federal Student Aid, Fiscal Year 2020 Through 2024 Strategic Plan (draft), September 24, 2020.
2. Joanna Grama, Just In Time Research: Data Breaches in Higher Education, research report (Louisville, CO: ECAR, May 2014).
3. Ibid.
4. Ibid.
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2020 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.