California eyes $100M cyber funding boost for community colleges

Community colleges across California stand to gain an additional $100 million in cybersecurity funding this year, and $25 million in subsequent years, under the state budget proposed by Gov. Gavin Newsom.

The 2022-23 budget, which Newsom unveiled in January, would distribute $75 million to the state’s 115 community colleges to help them pay for risk assessments and compliance reviews, purchase new anti-fraud software and overhaul an online application platform. The budget also proposes $25 million this year and in future years to hire new staff and consultants.

The proposed cyber funding was the subject of a report last week from the California Legislative Analyst’s Office, which advises state lawmakers on budget issues. In the report, the office noted that while the California Community Colleges Chancellor’s Office — the governing body for the state’s two-year schools — is required to satisfy cybersecurity requirements set by the California Department of Technology and the federal government, the 115 schools spread across 73 districts that make up the system are largely left to fend for themselves.

“[The] state does not require community colleges to follow specific standards, and community colleges are not routinely subject to oversight or audits of their cybersecurity programs and processes,” the report reads.

Under Newsom’s proposal, the $75 million in one-time cyber funding would be split between $40 million for vulnerability assessments and new software and hardware purchases, $29 million for anti-fraud software and $6 million to upgrade CCCApply, the system’s online application platform. The money for the cybersecurity assessments and IT upgrades would be distributed based on each school’s size, while the money for the application platform would go to the chancellor’s office.

The LAO report states that the CCCApply platform has seen a surge in fraudulent applications since the start of the pandemic, as malicious actors attempted to claim the “significant amount of federal relief funds for student emergency financial aid.”

Meanwhile, community colleges nationwide remain a frequent target of other cybercrimes, especially ransomware. California’s schools haven’t been spared: In February, the Ohlone Community College District, which serves 15,000 students southeast of San Francisco, was knocked offline for more than a week by a form of extortion malware.

Still, while broadly supportive of Newsom’s proposal, the Legislative Analyst’s Office offered some quibbles. In particular, it recommended that IT upgrade funds be allocated based on colleges’ cyber capabilities, not just their enrollments, “with less prepared colleges receiving somewhat more funding than more prepared colleges of the same size.” The office also found that some of the proposals Newsom’s budget listed as “one-time” costs will actually be recurring over time, as equipment will need replacing and networks will need fresh assessments.

“Typically, a college would be expected to undergo independent security assessments every few years, pay for network security and anti‑fraud software licenses annually, and make network upgrades periodically,” the report reads. “As a result of these factors, the proposed level of ongoing funding for college cybersecurity and anti‑fraud detection likely is underestimated.”