As federal momentum to bolster K-12 cybersecurity surged in 2023, states too have begun to step up on school cyberdefense. But legislative outcomes have been a mixed bag.
The number of proposed state bills on education-related cybersecurity measures jumped 250% between 2020 and 2023, with 307 bills introduced last year, according to a recent report by The Consortium for School Networking. Among those proposals, 75 were ultimately enacted in 2023 — a 620% increase from 2020.
But despite the surge in state cybersecurity proposals and laws with K-12 implications, far fewer of these bills focused primarily on schools, said Julia Fallon, executive director of the State Educational Technology Directors Association.
In fact, CoSN found that just 47 bills across 18 states proposed school-specific cybersecurity measures in 2023. Governors signed nine of those K-12 specific cybersecurity proposals into law.
Successful federal action on the issue has been even slower. Of the 22 federal bills introduced last year that could have shaped cybersecurity in education, none were adopted into law, according to CoSN. One of those failed proposals was the Enhancing K-12 Cybersecurity Act, a $20 million bipartisan, bicameral bill that called for improvements in tracking K-12 cyberattacks nationally and stronger school cybersecurity protections.
Though Congress lagged on the matter, federal agencies and the White House have placed a bigger emphasis on K-12 cybersecurity in recent months.
In August, the White House released guidance and announced new initiatives to bolster K-12 cyberdefense. Specifically, the White House and the departments of Education and Homeland Security created a council to organize cybersecurity activities and communications among federal, state, local, tribal and territorial education leaders.
Additionally, the Federal Communications Commission issued a proposal in November to pilot a $200 million, three-year program that would analyze how the agency’s Universal Service Fund can best serve schools and libraries in combating cybersecurity threats.
Some of CoSN’s recommendations for lawmakers include encouraging school districts to train all employees and users on cybersecurity policies and for local, state and federal governments to allocate funds for schools to acquire cybersecurity insurance. CoSN also suggests the addition of funding dedicated to cybersecurity workforce development programs.
Furthermore, states need to implement multilayered supports for schools to prevent cyberattacks, Fallon said. She also expects the latest wave of K-12 cybersecurity policy momentum to continue into this year.
“I still think there’s lots of work to be had. Specifically, if you notice those policies or the bills that were passed — it wasn’t a high number in ed[ucation],” Fallon said. “I think they’re trying to get the structures in place and then they can figure out how they can support the K-12 sector.”
But that’s a “bleak” approach, Fallon said, because K-12 is more unique. For instance, if a state tries to require two-factor authentication for all devices and programs, that’s difficult to implement in a classroom full of kindergarteners, she added.