Cyber measures for education cool in state legislatures as sector matures

A new report from the Consortium for School Networking shows that state lawmakers introduced fewer cybersecurity bills in 2024 than the year prior, a sign of policy maturity.

The nonprofit Consortium for School Networking on Thursday published a report showing that state legislatures last year introduced fewer cybersecurity bills affecting educational institutions, an indication of maturity in government policies, not reduced interest, according to the group.

The consortium’s State and Federal Cybersecurity Policy and Education in 2024 report collects information on state cybersecurity legislation affecting K-12 and postsecondary schools across the country. From 42 states, it tallies 258 bills introduced last year, 29 of which became law. This was a decline from 307 bills and 75 new laws in 2023.

“[T]he decrease likely reflects the substantial policy foundation established in previous legislative sessions rather than diminished policymaker interest,” the report notes. “Despite fewer total bills, states continued to advance new solutions worthy of consideration across the broader education sector.”

The group notes several trends in cybersecurity legislation, including the rise of new cybersecurity task forces and offices that include representatives from the education sector. The consortium also found that incident reporting frameworks, grant programs for educational institutions and the integration of artificial intelligence to protect against cyberthreats are all becoming more common.

Some states are more active than others. The report notes that with 27 measures, Massachusetts introduced more than any other state. Minnesota (25), New York (23), New Jersey (20), California (14) and Iowa (14) also introduced many cybersecurity bills.

The report also highlights what authors considered to be the most significant bills, including Alabama’s K-12 Technology and Cybersecurity Leadership Act and an updated Cyber Maryland Fund, which supports K-12 and higher education efforts. Such laws demonstrate “diverse approaches” to strengthening cybersecurity that attempt to coordinate programs across all levels of education.

This finding parallels the growth of “whole of state” cybersecurity programs led by state governments, which seek increased collaboration between all levels of government, the education sector, nonprofits and private industry. Such efforts have become more popular in recent years, in part spurred along by the federal State and Local Cybersecurity Grant Program, in which states must provide 80% of their grant funding to local governments.

State cybersecurity efforts could become more important under the administration of Donald Trump. Homeland Security Secretary Kristi Noem has in recent weeks cited plans to reduce the mission of the Cybersecurity and Infrastructure Security Agency, which aids state and local governments, along with educational institutions, in scanning for threats and sharing information, in addition to providing expertise and other resources.

But Noem hasn’t yet announced how CISA will be reorganized, and as a subcategory under CISA’s 16 critical infrastructure sectors, educational institutions could even see increased attention. Noem has said that protecting the nation’s critical infrastructure should be CISA’s focus. And according to an email obtained by the freelance cybersecurity reporter Eric Geller, CISA staff are among those ineligible for the Office of Personnel Management’s deferred resignation offer, because they fill a national security function.

Whatever CISA’s future, the education sector remains a favorite target of bad actors. A report published this month by the software review company Comparitech shows that ransomware attacks against educational institutions declined last year — 116 confirmed attacks, down from 188 in 2023.

And though the number of actual attacks is believed to be much higher, the decline might not be cause for celebration. A report published last August by the cybersecurity firm Sophos studying attacks against state and local governments found that the average cost of ransomware recovery is growing, reaching $2.83 million in 2024, up from $1.21 million in 2023.
