As cybersecurity continues to be top of mind for ed tech leaders, states are stepping up to mitigate risks for increasingly vulnerable school districts.
In May, for instance, Minnesota approved education spending legislation that includes one-time funding of $24.3 million in grants that school districts or charter schools can apply for to address cybersecurity needs, including “security-related facility improvements, cybersecurity insurance premiums, and associated costs” starting in fiscal year 2024.
The approval of the funding comes the same year that a ransomware gang targeted Minneapolis Public Schools, and later when the Minnesota Department of Education fell victim to having sensitive student data exposed in a global data breach.
While states are not often providing this level of direct funding to help districts address cybersecurity, there are state leaders looking to use their roles to help reduce cybersecurity risks for schools, said Julia Fallon, executive director of the State Educational Technology Directors Association. States are also providing shared services in lieu of direct funding to districts, she said.
One example of this is in Connecticut where the state gives schools software to mitigate distributed denial of service, or DDoS, Fallon added. This type of cybercrime occurs when an attacker inundates a server with internet traffic to block users from getting to their online services and sites.
In 2022, 18 states enacted 37 new cybersecurity laws that impact the education sector, according to a January report by the Consortium for School Networking.
One of the more notable laws passed that year was California’s AB 2355, which requires school districts to report cyberattacks that impact more than 500 students or staff. Additionally, the law states that the California Cybersecurity Integration Center must create a database that tracks these cyberattacks reported by districts.
Another prominent state law that emerged in 2022 was Alabama’s HB 135, which allocated over $16 million for school districts to hire district technology coordinators and to provide grants of no less than $25,000 to improve cybersecurity and protect data and infrastructure.
SETDA has also established a Cybersecurity and Privacy Collaborative to serve as a professional learning community of state ed tech leaders and corporate members looking to find key resources, evaluate state-level K-12 cybersecurity advocacy efforts and develop policy recommendations.
This month, SETDA announced it had received a grant from Microsoft to support the Cybersecurity and Privacy Collaborative. The funds will help the group begin a new phase to develop “cybersecurity resources targeted toward small, rural, and other under-resourced districts and produce a spotlight of cooperative service models and state-coordinated programs.”
“It’s one thing to have funding, but a small district may not need to hire a cybersecurity professional,” Fallon said. “They just may need to have somebody that could be keeping an eye on things for them.”
While it’s great to give direct funding to schools and shed light on that, Fallon said, it’s important to provide multiple, layered approaches when taking on K-12 cybersecurity challenges.
Other strategic routes Fallon pointed to include the Enhancing K-12 Cybersecurity Act, a bipartisan and bicameral legislative proposal introduced in Congress in April to strengthen school cybersecurity nationwide.
The Federal Communications Commission is also considering public comments submitted earlier this year regarding the potential use of its E-rate program to pay for school and library cybersecurity improvements, like advanced or next-generation firewalls. SETDA has advocated for these upgrades to E-rate funding alongside other organizations.
“It’s a coordinated approach. Not one thing is going to do it all,” Fallon said. “Sort of like our COVID mitigation strategies. When you layer them, they work well depending on what you’re doing. But when you only rely on one thing, that could be a vulnerable position for somebody to be in.”