9/11/2023 – Esports in Public Schools on the KY K-12 Internet Service – An Update on the Nintendo Switch Titles

The KHSAA has received feedback from a number of member schools regarding games being played on the Nintendo Switch from their campus. KDE understands and is for KY K-12 students being part of all the different types of KHSAA teams and competitions, including eSports. KDE also understands the importance of and is for members of any type of KHSAA team to be together when practicing and competing, including eSports.   

All the non-Nintendo Switch games (i.e., League of Legends, Rocket League, Madden) played by KY K-12 students who are members of a KHSAA eSports team, always have and continue to work well over the existing KY K-12 Internet service that is also used daily by all 171 KY K-12 public school for instructional and mission-critical operational purposes. This also means these three non-Nintendo Switch games work well with the cybersecurity and cyber safety services that are required by both KY state law and the federal e-rate program. We have also found the KHSAA Nintendo Switch games work well in at least one school district (i.e., Lee County).  We’ve tried, but to date, cannot find out why the KHSAA Nintendo Switch games work well over our KY K-12 Internet service in one district and not in other districts. There is nothing special that KDE has put in place or allowed for Lee County that allows them to successfully play the KHSAA Nintendo games from their district over the existing KY K-12 Internet service. So, it may or may not be an operational or cybersecurity setting that is directly within the district’s control that is allowing or not allowing districts to play the Nintendo Switch games.  However, KDE encourages each district and school that has a KHSAA Nintendo Switch team to first see if the KHSAA Nintendo Switch games will work over our existing KY K-12 Internet service before pursuing a few of the other options listed below.   

The following is primarily focused on the Nintendo Switch games sponsored by the KHSAA. It contains information being provided from discussion and input with the Kentucky Department of Education’s Office of Education Technology (OET) regarding what is and is not required/permissible on the KY K-12 Internet Service for the 2023-2024 school year for any type of access and use of the KY K-12 Internet service, including the KHSAA Nintendo Switch games.

The following are Kentucky state and federal laws and requirements, that apply from a KY K-12 education technology perspective when a KY K-12 adult coach or KY K-12 student plays an electronic game (e.g., a KHSAA-sponsored Nintendo Switch eSports game) through a district-obtained/owned device and/or through a district and/or KDE paid for Internet service. 

• Senate Bill 230, enacted during the 1998 General Assembly (aka, 701 KAR 5:120), requires the prevention of sexually explicit material from being transmitted and accessed via KY K-12 education technology systems and thus directs each local public school district and each of their schools to use the latest available filtering technology (e.g., Internet content management systems) to ensure that sexually explicit material is not made available to KY K-12 students and KY K-12 adults via (1) any device obtained and/or owned by the school/district and (2) any KDE and/or district paid for Internet service. https://apps.legislature.ky.gov/law/kar/titles/701/005/120/. 
• The federal e-rate program, established in 1999, which KDE and each district greatly benefits from each year by getting up to 90% discounts on e-rate, also requires that KDE and any KY K-12 public school that is receiving those significant financial discounts each year must also prevent KY K-12 students and KY K-12 adults from accessing sexually explicit material via (1) any device (e.g., Nintendo Switch) obtained and/or owned by the district and (2) any KDE (aka the KETS Internet service) or district paid for Internet service (e.g., the KY K-12 public district/school acquires a totally separate Internet service that is used exclusively for that school to play electronic games for KHSAA sanctioned eSports like the Nintendo Switch games). E-rate also requires that the primary Internet service receiving Internet e-rate discounts (i.e., the KETS Internet service) only be used for instructional and mission-critical operations during core hours each day (e.g., 6 a.m. to 4 p.m.). https://education.ky.gov/districts/tech/kfun/Pages/E-Rate.aspx
• The KY K-12 Data Security and Breach Notification Best Practice Guide. A KY state law was enacted for KY K-12 in 2017 in this area. https://education.ky.gov/districts/tech/Documents/DataSecurityandBreachNotificationBestPracticeGuide.pdf
• The Kentucky Education Technology System (KETS) Product and Design Standards, including for KY K-12 cybersecurity. The KETS 2018-2024 KETS Master is an administrative state regulation. https://education.ky.gov/districts/tech/Pages/KETS-2018—2024-Master-Plan—Appendix-E.aspx

In SY2022-2023 there were, again, an increasing number of cyber-attacks on KY K-12 public schools from external organizations throughout the US and the world than there have ever been. The chart below was provided to us by Microsoft and is based on their data, clearly showing that education, for many reasons, has become the leading target for malware, which includes viruses and ransomware. Educational organizations, like KY K-12 public schools, are by far the most targeted by cybercriminals and cyber scammers so it is very important that we have a very good cybersecurity defense.  On an average year, KY K12 can expect to receive about 4 BILLION (with a “B”) cyber-attacks. During the Covid pandemic, we saw a startling rise in those numbers up to 16 BILLION. However, because of cyber-criminals taking advantage of the confusion and increased technology usage during the pandemic and post-pandemic and ongoing events in other countries, we believe KY K12 may have instead received many times that number, even as high as 76 BILLION cyber-attacks, based on information from the FBI. That significantly increased number of unauthorized connection attempts, in the school year 2022-2023, by cybercriminals and cyber scammers against Kentucky K-12 instructional, administrative, communication and operational technology-enabled systems was successfully defended by our KY K-12 statewide cybersecurity defense services Included in these attacks were the 529 external denial of service cyber-attacks targeting 106 specific KY K-12 districts with the purpose of not taking any information but instead attempting to completely shut down every instructional and administrative technology-enabled service that the district was using. While this is about the same number of DDOS attacks we saw a couple of years ago and down from last year, it was concerning to see about twenty more school districts being targeted. Because of (a) the KETS product and design standards/policies and (b) the work and savviness of OET edtech staff, district edtech staff, our edtech vendor partners, cyber security partners, KDE staff, and district students/teachers/staff, these attempts by external organizations on KDE or KY K-12 school districts were largely prevented by our cybersecurity defense. 

Given all the new federal relief funds available to KY K-12 to help address the effects of the pandemic, it continues to be anticipated by national cybersecurity experts that K-12 will be getting even more attempted cyberattacks going forward over the next school year.

Therefore, KDE will continue to take measures and actions to ensure we protect KY K-12 public schools from this kind of scale and sophistication of cyberattacks through our KY K-12 cybersecurity defense services. It is important to note that KDE will not do anything that weakens or compromises that cybersecurity defense given that all its KY K-12 cloud-based technology-enabled instructional, administrative communication, and operational systems, used daily/hourly by KY K-12 schools, rely on available, capable and stable KY K-12 Internet service.

Therefore, for the 2023-2024 school year, any technology-enabled service that uses the KY K-12 core Internet service from any KY K-12 public school and district office in KY must work within the existing KY K-12 cybersecurity design. That means the vendor marketing or selling their technology-enabled product/service to KY K-12 public schools must make the changes to their product/service to allow their product/service to work within that KY K-12 cybersecurity framework and should not be asking any district or the KDE to change or turn off any component of its cybersecurity defenses in order for their product/service to work over the KY K-12 core Internet service.

• IF planning to use the KY K-12 Internet service (from a school campus or facility) as the “field of play” for KHSAA eSports participation, any Nintendo Switch game offered by PlayVS to school districts must work with the existing KY K-12 cybersecurity and cybersafety design framework of the KY K-12 Internet service, and must not be played during core KY K-12 instructional and operational hours (between the hours of 6 AM to 4 PM all seven days per week). So first try to play the game over the KY K-12 Internet service.  OR
• IF the KHSAA eSports Nintendo Switch game will not work on the KY K-12 Internet service and the overall KY K-12 cybersecurity and cyber safety defense environment at the state or district level, either:

1. The vendor selling that Nintendo Switch game needs to change their product so it will work over the cybersecurity defense framework for the KY K-12 Internet services; or
2. That game will need to be played using a temporary “field of play” for up to the next 12 months (aka a totally separate Internet service dedicated exclusively for the use of playing eSports games) from a location on the school campus or beyond the school campus. For cybersecurity reasons, this temporary totally separate Internet service that is dedicated for exclusive use for eSports in a school building on the school campus must not use or connect to any component (e.g., the network hub and wireless access points in a school building) that is also used by KY K-12 core Internet service for instructional and mission-critical operational purposes. Examples of this are playing the game from a community recreation center, the home of the student, wireless Internet hotspots provided by the district, or a totally separate Internet connection on the school campus that goes directly to the room the game will be played without a connecting in any way to any internal district network hub/wireless access component that already connects to the core KY K-12 Internet service that provides access for KY K-12 students for instructional and missional critical operational services through the KY K-12 core Internet service.  

In short, the KDE will not be turning off, changing, or compromising any component of its existing KY K-12 cybersecurity defense design, or significantly increasing the risk/probability of a successful cybersecurity attack, for its KY K-12 schools so the Nintendo Switch can be played over the KY K-12 Internet service from a KY K-12 school building. However, KDE is open to districts identifying and using a temporary Internet service over the next 12 months (aka “field of play”) that is totally separate from the KY K-12 Internet service. We say temporary because KDE will be transitioning all 171 KY K-12 school districts from our current KY K-12 Internet service provider to Education Network of America (ENA) over the next 12 months. We will know within the next 12 months if the Nintendo Switch will or won’t well with the cybersecurity and technology of the ENA Internet service.  However, the district leadership team has a major role in selecting and funding a field of play during this temporary 12-month period for an eSports game that doesn’t work over the KY K-12 Internet service (i.e., our current provider or ENA). If we find that the Nintendo Switch does not work well with the ENA Internet service, then a district having a totally separate dedicated Internet service to play Nintendo Switch games transitions from a temporary to a full-time option for districts to choose or not choose to do. The eSports “field of play” must be considered, planned for (including financial commitments), and tested by local school and district teams prior to full season commitments – as well as the ongoing expenses to maintain the “field of play.” Additionally, all KY public schools are currently going through an internet upgrade which includes a bandwidth upgrade as well as cybersecurity and defense upgrades, with a new Internet service provider.  All school districts will be working through a transition cycle on a district-by-district schedule, coordinated between the KDE and school district EdTech leaders and CIOs. The KDE will be working with the new partner and Internet service provider to potentially have the Nintendo Switch consistently working on the KY K-12 core Internet service.  As such, installing an additional internet connection for the Nintendo Switch “field of play” should be viewed as a “temporary” strategy.   

Going forward, teams have the ability to compete from a “field of play” at remote locations off campus, through additional internet connections (not connected to the KY K-12 Internet service) at a district facility, or through the use of an internet hotspot at a district facility. However, there is a 1998 state regulation regarding cybersecurity and a cyber safety aspect that must also be met if the district is providing/paying for any Internet service (i.e., an additional Internet connection or Internet hotspots) on or off the school campus that is being used by any KY K-12 student, teacher, or staff member for a school-related activity.

Internet connections or hotspots paid for by school districts (1) can’t create a hole in the KY K-12 cybersecurity defense and (2) must meet the KY K-12 Internet cybersafety law requirements for browsing the Internet. Obviously, if a KY K-12 student is using a student/parent paid-for Internet service (e.g., regular wired Internet service, wireless hotspot) from a location beyond the school campus, then neither one nor two mentioned above needs to be considered.

From a KY K-12 cyber safety perspective, the 1998 state law (KRS 156.675) and the subsequent state regulation that came from that law (701 KAR 5:120) requires every KY K-12 public school to be going through an Internet content management filtering system for cyber safety purposes for school-related activities while using state or school district provided/paid for Internet service on the school campus. This includes when the district is not using the KY K-12 Internet service that goes to all 171 school districts but instead uses a separate wired or wireless hotspot Internet service that is paid for and provided by school districts to be used by their KY K-12 students for the purposes of eSports Nintendo Switch participation. Therefore, if the district is paying for an Internet service that is being used by KY

Any technology bought to play a KHSAA eSports game (e.g., the Nintendo Switch end device, headsets, chairs, monitors, hotspots, separate Internet service, etc.) are not considered instructional systems, administrative systems, or mission-critical operational systems and thus are not eligible to be purchased with KETS (aka EdTech) funds.  Those items should be acquired with the same type of funding sources that acquire and maintain sports-related equipment (e.g., football helmets, game uniforms, basketballs) and fields of play (baseball/softball field, football field, basketball court, etc.) in other extracurricular sports and activities.

Questions regarding the use of an Internet hotspot or separate Internet services should be directed to your district’s CIO/EdTech staff.

For Kentucky Public K-12 district-owned Nintendo Switch Consoles, please reference KHSAA/KDE instructions on how to disable the “hidden” Switch Web Browser:

https://khsaa.org/9-18-2023-disabling-the-hidden-browser-on-district-owned-nintendo-switch-consoles/

– KHSAA –

About the Kentucky High School Athletic Association

The Kentucky High School Athletic Association was organized in 1917 and is the agency designated by the Kentucky Department of Education to manage high school athletics in the Commonwealth. The Association is a voluntary nonprofit 501(c)3 organization made up of 290 member schools, both public and non-public. The KHSAA awards 229 state championships to 59 teams and 178 individuals in 13 sports and six sport-activities, funds catastrophic insurance coverage for its more than 109,000 rostered member school student-athletes, provides coaching education and sports safety programs for more than 12,000 coaches and licenses and facilitates the distribution of training material for over 4,000 contest officials.