- Sens. Gary Peters (D-Michigan) and Rick Scott (R-Florida) on Monday introduced the K-12 Cybersecurity Act of 2019, which would mandate a national Department of Homeland Security review of public school cybersecurity policies, according to a release.
- If passed and signed into law, the legislation would give the department's Cybersecurity and Infrastructure Security Agency a year to produce a study on cybersecurity threats to the nation's public schools, examining districts’ technology inventories, cybersecurity funding potential risks to student and teacher data.
- Following the initial study, DHS would then have nine months to establish guidelines and three months to develop tools and resources to safeguard institutional and student data from cyberthreats like ransomware, which have plagued schools and districts in an environment with limited funding and resources to address them.
The K-12 Cybersecurity Act's introduction comes at a time of rising attention to just how vulnerable the massive amount of data collected by schools and districts really is.
It was reported in 2016 that education faced the highest ransomware attack rate of any industry, and it has only become a bigger target in the years since as more schools embrace student information systems and other data analytics tools.
A report released earlier this year by the K-12 Cybersecurity Resource Center counted 122 cybersecurity incidents at K-12 schools in 2018, though report author and EdTech Strategies President Doug Levin suggested to EdSurge as many as 20 times as many incidents were unreported.
A September 2018 public service announcement from the FBI also warned schools are at increased risk of cybersecurity attacks, and Verizon’s 2016 Data Breach Investigations report ranked the education sector sixth overall in the U.S. for total number of “security incidents.”
Untrained staff and students remain the weakest link in the cybersecurity chain, as it takes just one click on the wrong link to compromise the entire system. But these systems also need to have safeguards in place to thwart malicious software if it does find its way in — and the funding and resources too often just aren't there to make that possible. This is especially true for smaller districts.
Many K-12 cybersecurity advocates hoped the recent modernization of the Federal Communications Commission's E-rate program would add coverage for cybersecurity services. While it wasn't included in this round of updates, Commissioner Michael O'Riley suggested it would still be in consideration for the future.
In the long run, growing attention to the severity of the issue only increases the likelihood it will ultimately be addressed through that avenue or legislation like the K-12 Cybersecurity Act.