Senate bill would order DHS to review K-12 cybersecurity

New legislation would direct DHS to review K-12 cybersecurity risks and implement guidelines to defend against threats like ransomware.

A bill introduced in the U.S. Senate on Monday would order the Department of Homeland Security to undertake a thorough review of the cybersecurity policies of public school systems across the country and enact a set of guidelines and tools designed to help local education officials protect institutional and student data from ransomware and other online threats.

The K-12 Cybersecurity Act of 2019, introduced by Sens. Gary Peters, D-Mich., and Rick Scott, R-Fla., comes near the end of a year in which ransomware attacks have romped across school systems nationwide, leading to six-figure payments to hackers, governors declaring statewide emergencies and students missing days of classes.

The school district in Rockville Centre, New York, for instance, paid hackers using the Ryuk ransomware nearly $100,000 in August, while 11,000 kids in Flagstaff, Arizona, missed the first day of classes after ransomware was detected on that city’s schools. Louisiana Gov. John Bel Edwards declared a statewide emergency in July after several school districts were hit in what appeared to be a coordinated attack.

“Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of the resources and information needed to adequately defend themselves against sophisticated cyber-attacks,” said Peters, who was also a lead sponsor of a recently passed bill directing more federal cybersecurity aid to state and local governments.


The bill would give DHS’s Cybersecurity and Infrastructure Security Agency one year to conduct a study on the “cybersecurity risks facing K-12 educational institutions,” including school districts’ technology inventories, IT security funding and any risks inherent to student and teacher data. CISA would then be given nine months to develop voluntary guidelines for K-12 institutions and an additional three months to develop a “toolkit” to implement those guidelines.

Many public school systems struggle to find adequate funding to address their cybersecurity needs, especially as more educational services are delivered online. Earlier this year, the Consortium for School Networking asked the Federal Communications Commission to revise its E-Rate program — which provides broadband subsidies to school districts and libraries — to help cover cybersecurity spending as well. Revisions to E-Rate approved by the FCC earlier this month, however, did not include new funding for cybersecurity.

Meanwhile, the education sector has been one of the biggest growth areas for ransomware in 2019, with 86 universities, colleges and school districts — accounting for a potential total of more than 1,200 individual campuses — impacted this year, according to the cybersecurity firm Emsisoft.

CoSN Chief Executive Keith Krueger praised the new Senate bill in a prepared statement.

“Improved federal, state and local government collaboration is needed to stop the recent flood of cyberattacks on schools,” he said. “This legislation recognizes that the United States desperately needs a comprehensive assessment of the network security challenges school districts face, coupled with a commitment to provide the additional tools and technical assistance required to better protect students’ confidential data.”


But in an interview Tuesday, Krueger said the bill only marks the “first step” of what CoSN and its members want from the federal government.

“We’re certainly pleased to see Sen. Peters and Sen. Scott introduce the bill,” Krueger said. “Honestly, we’d like to see some resources, not just another framework or study. It’s more than having a framework. We have to cover the costs and technical solutions, and nobody’s really talking about the human gap.”

Krueger added that cybersecurity has only emerged as a top priority for education-sector chief information officers in the last three years, and that even the biggest districts are only now starting to hire full-time chief information security officers, saying it’s “not a core competency” for school systems, and that it’s incumbent upon the federal government — which provides cybersecurity grants to colleges and universities — to offer similar assistance to grade schools.

“There are real funding shortfalls,” he said. “It’s great that we’re getting broadband and Wi-Fi, but if the network isn’t secure, it isn’t going to be good for learning.”

This story was updated on Dec. 17, 2019 with comments from Keith Krueger.
