Dive Brief:
- The Enhancing K-12 Cybersecurity Act, a bipartisan and bicameral proposal to strengthen school cybersecurity protections, was introduced Tuesday to promote school and district access to cybersecurity best practices and information and improve tracking of cyberattacks nationally.
- The legislation specifically directs the Cybersecurity and Infrastructure Security Agency to create a Cybersecurity Incident Registry, allowing schools to voluntarily share when they experience a cyberattack. CISA would then develop an annual report based on the analysis of this data, such as the type of incident and the date it occurred.
- The bill would also provide up to $20 million over two years to provide schools with new cybersecurity resources, with CISA establishing a K-12 Cybersecurity Technology Improvement Program to address cybersecurity risks and threats to K-12 networks. The bill would authorize funding of $10 million per year to the program for fiscal years 2024 and 2025.
Dive Insight:
Tuesday's introduction is a redo of the Enhancing K-12 Cybersecurity Act initially introduced in 2021 in the House with bipartisan support. While that bill did not advance, Congress the same year did pass the K-12 Cybersecurity Act, which mandated CISA to conduct a study of the K-12 sector’s cybersecurity needs in addition to developing tools and guidance for districts.
The bill was proposed by Rep. Doris Matsui, D-Calif., and Rep. Zach Nunn, R-Iowa alongside Sen. Mark Warner, D-Va., and Sen. Marsha Blackburn, R-Tenn.
CISA released that highly anticipated study in January which emphasized that school leaders need to embrace a “cybersecure culture,” saying the burden cannot fall solely on district IT and cybersecurity staff. The report also recommends districts implement multifactor authentication and run strong cybersecurity training programs.
The renewed legislative effort to bolster K-12 cybersecurity follows an October report by the U.S. Government Accountability Office that called out a lack of coordination on school cybersecurity by the U.S. Department of Education and CISA with other agencies and K-12 communities.
Between 2016 and 2021, school districts experienced 1,331 cyberattacks, according to the nonprofit K12 Security Information Exchange’s 2022 annual report.
As high-profile school cyberattack cases continue to pop up this year, the severity of stolen and leaked data also appears to be escalating.
In March, the Medusa ransomware gang claimed responsibility for a cyberattack against Minneapolis Public Schools, while also claiming to leak files that included sensitive information — including an alleged student-involved sexual assault — on its darknet website.
Arizona’s Tucson Unified School District was alerted via a January letter that staff found on a school printer, notifying officials the district’s network was compromised by the Royal strain of ransomware, and its data had been encrypted and copied. Later that week, Superintendent Gabriel Trujillo said no evidence suggested personal or confidential information was stolen.
But a Tuesday report by Bloomberg found hackers obtained gigabytes of files from that cyberattack, including thousands of current and former employees’ Social Security numbers among other confidential data. That information — from a high schooler’s medical records to thorough arguments for expelling multiple students — was uploaded in February to the dark web and was still easily accessible as of Monday, according to Bloomberg.
With some school cyberattacks becoming more heinous in nature, districts face a difficult task to prevent and combat these efforts as their IT budgets are often strained and the cybersecurity workforce shortage persists across sectors, especially for K-12.
“Cybercriminals are rapidly evolving their strategies to cause chaos and disruption, yet a lack of resources for our schools is forcing them to do more with less,” said Matsui in a statement. “The Enhancing K-12 Cybersecurity Act would establish a crucial roadmap to prepare our K-12 cyberinfrastructure for future attacks.”
