2022 was nothing short of… interesting, to say the least, for K-12 cybersecurity. The year saw Los Angeles Unified, the largest school district in the country, fall victim to a ransomware attack that made smaller districts question their own network security, along with the emergence of one prominent cybercriminal organization known as Vice Society. Schools did their best to implement preventative efforts to combat the growing issue, but they can’t do it alone.
State legislators are beginning to understand the seriousness of cybercrime against K-12 education, according to a new report from the Consortium for School Networking. In 2022, several hundred school-related cybersecurity bills were introduced, yet these efforts were “still insufficient,” the report claims.
In September, federal agencies issued a joint advisory in response to an increase in cyber threats against K-12 organizations, urging district leaders to prepare and anticipate an increase in ransomware attacks for the 2022-23 school year.
In an effort to #StopRansomware, the #FBI and @CISAgov issued a joint #CybersecurityAdvisory about the Vice Society ransomware threat. It recommends steps organizations should take to reduce the likelihood of ransomware incidents. https://t.co/APJRyz2eTx
— FBI (@FBI) September 6, 2022
State legislators also turned their attention to the issue. According to the report, policymakers in 36 states proposed 232 school-related cybersecurity bills in total last year, an increase from 170 in the previous year and more than twice the number introduced in 2020. Yet, only 37 bills were enacted last year across 18 states compared to 49 bills in 2021.
“Cyberattacks are among the leading operational and privacy threats facing the nation’s schools,” the report reads. “The problem plagues the entire education sector, including schools located in the smallest rural communities and the most sprawling suburban and urban areas.”
A majority of the bills focus mainly on policy changes across state and local government, not solely education entities, according to the report. The most common strategies adopted by states include mandatory incident reporting, required prevention and contingency planning and expanding the cybersecurity workforce.
In several instances, the newly enacted legislation allowed for increased funding for schools and districts to pay for these strategies. For example, California adopted Assembly Bill 2355 which, according to the report, “requires school districts to report cyberattacks that impact more than 500 students or personnel.” It also requires the California Cybersecurity Integration Center to establish a database to track reported cyberattacks.
In Alabama, House Bill 135 provides funding for hiring District Technology Coordinators and improving districts’ cybersecurity. These resources must “fund network administration and/or technology that sustains, complements, upgrades, or augments current security measures,” the report reads.
Room for improvement
While efforts to introduce education-related cybersecurity legislation have increased, more needs to be done in terms of the number of bills actually enacted, according to the report. To adapt to this ever-changing landscape, CoSN provides the following recommendations for leaders tasked with making cybersecurity policy improvements in 2023:
- Bolstering the workforce: If jobs in cybersecurity remain unfilled, schools and educational institutions will inevitably pay the cost. Filling in these gaps was indeed a priority for states in 2022, but the common solution was to simply fund new higher education degree programs. “This ‘build it and they will come’ approach, considered by many states in 2022, is a useful idea but it does not rise to the level of urgency associated with the problem,” the report reads. In summation, leaders must consider a more strategic and proactive approach focused on recruitment, training and retention with an emphasis on short-term credentialing options.
- Prevention and planning: Failure to understand your network’s weaknesses often results in an increased likelihood of cybersecurity threats. Federal funding must be able to provide districts with the technology to identify and repel threats, but resources must also be allocated toward educating students, staff, families, and the community on how to recognize and avoid these attacks.
- Incident reporting and coordination: Information sharing and collaboration are two of the best ways for school districts, especially those with fewer resources, to prevent and recover from cyberattacks. “Schools and other entities do not face a static cyber enemy,” the report states. “Attackers are constantly changing their tactics and the education sector must be similarly nimble in its collective defense.” Thus, policies should encourage participation in collaborative groups at the regional and national levels.