The Department of Homeland Security’s cyber agency will spend the next several months researching the risks and vulnerabilities of K-12 school districts as the education sector continues to face an onslaught of ransomware attacks, following President Joe Biden’s signing Friday of a bill aimed at shoring up school cybersecurity.
The K-12 Cybersecurity Act directs the Cybersecurity and Infrastructure Security Agency to undertake a 120-day review of the cybersecurity risks faced by school districts and report back to Congress. According to the text of the legislation, CISA will examine “how identified cybersecurity risks specifically impact K–12 educational institutions” and evaluate the challenges schools face in securing their information systems, protecting student and teacher data and implementing and enforcing cybersecurity controls.
Following the completion of its report, CISA will have 60 days to develop guidelines for K-12 organizations and then another 120 days to create an online toolkit school districts can use to implement those strategies and recommendations.
“As malicious cybercriminals continue to target the network of K-12 schools across the nation, the federal government needs to provide them with the resources needed to protect themselves from hackers,” Senate Homeland Security Chairman Gary Peters, D-Mich., said in a press release.
The issue has been on lawmakers’ mind for some time. Last December, Sen. Jacky Rosen, D-Nev., another of the act’s sponsors, pressed CISA’s then acting director, Brandon Wales, to offer more resources to K-12 schools. And Sen. Maggie Hassan, D-N.H., frequently cited incidents against districts in her home state in crafting a state and local cybersecurity grant program now attached to a bipartisan infrastructure package.
While the act does not contain any direct spending on K-12 cybersecurity — a separate bill lingering in the House would create an incident-reporting system and a $10 million annual fund — CISA undertaking an in-depth look at the issues facing grade schools will be a positive step, said Doug Levin, the national director of the K12 Security Information Exchange.
“It’s very encouraging that the federal government is prioritizing the cybersecurity threats facing schools across the country. This has been an issue that’s emerging over a number of years,” Levin told StateScoop. “Districts that’ve been victims of these attacks have experienced pretty negative outcomes. Hopefully this will be the beginning of a broader conversation.”
‘Modest,’ but ‘concrete’
While CISA has published recommendations for K-12 schools — including materials on its StopRansomware.gov website — Levin said the agency has not been “well-integrated” into the sector and that educators need more than just reminders about cyber-hygiene fundamentals.
“We need to look a little bit more deeply at some of the systemic issues that make getting the basics in place a challenge for schools,” he said. “What I’d like to see is an emphasis on the need for establishing a baseline standard for school districts. Right now parents, students and teachers cannot be assured schools have those basics in place.”
Those deeper issues, Levin said, revolve around many schools’ limited resources for IT and cybersecurity and the lack of talented professionals in many parts of the country.
“The track record of school districts being able to consume that advice from CISA is mixed, and I think that’s in part because school districts don’t have the capacity to consume that advice,” he said. “It’s a very challenging notion that every school district would hire a dedicated CISO. We need to think about regional or national supports we can provide to school districts, particularly vendor-agnostic support.”
Implementing robust cybersecurity guidelines for K-12 organizations will also have to navigate a thicket of state and local regulations, and possibly other bureaucratic issues, like contracts with teachers’ unions, Levin said. While he said some states — he mentioned New York, New Hampshire and Texas — have started directing more resources toward school cybersecurity, this CISA study will be a first step for the federal government.
“This is the first concrete action, as modest as it is, that the federal government is trying to address it,” he said. “That’s positive. The threats are ongoing. There is a sense of urgency I feel as well, but I understand we have to work through the process.”