Shielding Student Data: The Critical Role of State Boards in K-12 Cybersecurity
A coordinated push is needed to ward off increased threats and mounting costs.
Regardless of their size or location, elementary and secondary schools increasingly face an onslaught of ransomware and other cyberattacks, which jeopardize sensitive data and the integrity of their digital infrastructure. The consequences of these attacks can be severe and costly, eroding community trust, disrupting learning, and permanently damaging equipment. State boards of education must play their part in promoting effective cybersecurity practices in their districts.
The alarming scope and sometimes staggering costs of K-12 cyberattacks have captured the attention of law enforcement agencies, prompting government agencies and nongovernmental entities to document the problem more systematically. As the threat continues to evolve, the Federal Bureau of Investigation, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) collaborated on a joint Cybersecurity Advisory in 2022. The advisory detailed the nature of the threat to K-12 schools, stating, “Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff.”[1] In the case of ransomware attacks, the perpetrators take control of school and district networks or data in order to extort money from districts.
Understanding the Vulnerabilities
According to CISA, schools tend to be the focus of cyberattacks because they are “target rich and cyber poor.”[2] That is, school districts hold a massive trove of student, employee, and financial data that often are not well defended. Technically sophisticated cybercriminals can readily exploit these data, and because they sometimes operate from foreign countries, it can be hard for law enforcement to identify them. Criminals use stolen student information to open fraudulent accounts, apply for loans or credit cards, file bogus tax returns, or obtain medical services in the victim’s name. Stolen employee financial information, such as bank account details, can be used to make unauthorized purchases or withdraw money from the victims’ bank accounts.[3] Unfortunately, cybercriminals know that many schools lack the funding and specially trained staff required to defend their networks from the complex and constantly evolving cyberattacks they routinely face, so they continue to focus attacks on the education sector.
To better quantify the threat’s severity, the U.S. Government Accountability Office (GAO) analyzed the impact of cyberattacks on school districts. The GAO concluded that the “loss of learning following a cyberattack ranged from 3 days to 3 weeks, with recovery time spanning anywhere from 2 to 9 months.” This prolonged disruption to school operations underscores the far-reaching consequences of these attacks on students’ academic progress.
Moreover, the GAO findings shed light on the substantial financial burden borne by school districts in the aftermath of a cyber incident, stating that documented losses can “range from $50,000 to $1 million due to expenses incurred during the recovery process.” These significant figures highlight the urgent need for new measures to bolster cybersecurity and mitigate the sometimes-devastating effects on schools.[4]
Recent incidents in Maryland, California, and Connecticut demonstrate the problem’s severity:
- In November 2020, the Baltimore County Public Schools suffered a cyberattack that cost the system over $9.5 million, according to the Maryland Office of the Inspector General for Education. Expenses were related to recovery efforts, system upgrades, and migration to a new technology platform, placing a significant financial burden on the district and its stakeholders.[5]
- The Los Angeles Unified School District experienced a ransomware attack in 2022 that resulted in the release of thousands of confidential student records on the dark web. The leaked information included sensitive details about students receiving special education services, such as their medical histories, academic performance, and disciplinary records. The breach not only compromised student privacy but also exposed vulnerable individuals to potential exploitation and discrimination.[6]
- Hackers managed to steal over $6 million from the New Haven Public Schools in 2023 through multiple cyberattacks. The attackers gained access to the email account of the district’s chief operating officer, enabling them to carry out their scheme. This incident highlights the sophistication of cybercriminals.[7]
Ed Tech Leaders Sound the Alarm
Leading education technology organizations that serve school districts and state education agencies have warned about cybersecurity risks to schools for years. The Consortium for School Networking (CoSN), a national professional association serving districts’ chief technology officers, recently published national survey results showing that “cybersecurity continues to rank as the number-one concern” for its members.[8] Its State of EdTech Leadership Survey 2023 notes that cybersecurity has been members’ top concern since 2018. Likewise, in its 2023 State Edtech Trends Report, the State Educational Technology Directors Association (SETDA) said, “Cybersecurity is now the top [technology] need but is still not receiving enough funding or support.”[9] Julia Fallon, SETDA executive director, said, “This report signifies the uniqueness of this moment in time as school systems emerge from the pandemic into a technology-rich new normal rife with opportunity but also risk.”[10]
Despite the efforts of many to gauge the problem’s severity, it is important to note that not all attacks are reported to law enforcement or other officials. Even though incidents are frequent, many school districts hesitate to publicly disclose the details of individual attacks, fearing reputational damage or even additional attacks based on the inadvertent publication of vulnerabilities.
Federal Efforts
Defending against cyberattacks requires modern technology and specially trained staff. Addressing hardware, software, cloud-based services, and district staffing needs is expensive and especially challenging for schools serving the lowest-income communities. CoSN and the E-rate consulting company Funds For Learning, for example, estimated in 2021 that cybersecurity technology costs alone would aggregate nationally to an annual $2.389 billion.[11] In addition, it is often difficult for school districts to find candidates to serve in cybersecurity roles because their skills are in such high demand in other sectors that typically provide greater pay and benefits.
Given the problem’s technical complexity and districts’ struggles to independently expand their cybersecurity capacity, federal executive branch leaders and legislators have begun to take steps to assist them.
- In January 2023, CISA released a report that describes the current threat landscape and recommends ways schools can strengthen their cybersecurity.[12] CISA also developed an online toolkit that aligns resources and materials with each of the three key recommendations outlined in the report. CISA’s work was prompted by Congress’s passage of the bipartisan K-12 Cybersecurity Act of 2021 (P.L.117-47), which required the agency to study the K-12 cybersecurity landscape and produce guidance and other resources to help schools.
- In March 2024, the U.S. Department of Education partnered with CISA to launch a Government Coordinating Council to enhance K-12 cybersecurity. In May, the department launched the Partnership for Advancing Cybersecurity in Education, an initiative to better protect K-12 digital infrastructure by promoting greater cooperation among education technology vendors and cybersecurity experts.
- In June 2024, the Federal Communications Commission (FCC) approved a new $200 million K-12 School and Library Cybersecurity pilot program. The pilot’s purpose is to help school districts and public libraries “defray the costs of eligible cybersecurity services and equipment and help the FCC evaluate the use of the [Universal Service Fund] to support these services and equipment.” The FCC created the pilot in response to calls for help by NASBE and the association’s key partners.
State-Level Initiatives
State leaders are also stepping up to help schools meet their cybersecurity needs, but more must be done. In 2023, 33 states enacted 75 new cybersecurity laws related to education. The new laws address cybersecurity strategies, such as promoting information sharing, expanding workforce development, and encouraging incident reporting. New laws in California, Maryland, and North Carolina illustrate steps states are taking to help their schools:
- California required the state’s Cybersecurity Integration Center to include representatives from the California Department of Education and include school districts in its coordination of information sharing, including on cyber threats. The center coordinates information sharing among all levels of government, utilities and other service providers, academic institutions, and nongovernmental organizations.
- Maryland established the Cyber Maryland Program to increase the state’s cybersecurity workforce, build an advanced cybersecurity workforce more generally, and inform cybersecurity training and education programs operated by public or private entities. The law also requires the Maryland Higher Education Commission to expand the state’s Cyber Warrior Diversity Program.
- North Carolina updated its cybersecurity reporting law so that requests from local jurisdictions, state agencies, or critical infrastructure partners for operational support from or access to operational cyber resources would be sent to the North Carolina Emergency Management 24-Hour Watch for intake and activation. The law also reopened the proposal period for the state’s cybersecurity pilot program.
Many other states considered cybersecurity policy ideas that did not become law but which may still be instructive to state boards working to identify strategies for improving K-12 cybersecurity in their states. State legislators introduced 307 related bills in 2023. They featured interesting ideas: allocating funds for cybersecurity infrastructure and other capacity-building initiatives; outlining actions to be taken in the aftermath of cyberattacks; requiring cybersecurity policies and plans; creating task forces, boards, or commissions; strengthening governance; expanding the cybersecurity workforce through recruitment and training efforts; mandating the reporting of cybersecurity incidents; and exploring the potential role of artificial intelligence in enhancing cybersecurity measures.[13]
What Can State Board Members Do?
State boards can play an important role in improving K-12 cybersecurity by building public awareness, applying their oversight authority, and proposing strategic policies within the scope of their jurisdictional authority. There are many ways to help, but to start the conversation, interested board members might consider one or more of the following ideas:
- Build a record for sound K-12 cybersecurity planning and decision making. State boards are well positioned to help school leaders, other executive branch leaders, and policymakers understand the status of K-12 cybersecurity in their states. The board could, for example, ask school districts to report on their cybersecurity readiness and needs, hold board meetings focused on K-12 cybersecurity readiness, and promote information sharing among school districts and regional educational service agencies or units.
- Engage and partner with the state agencies responsible for cybersecurity. Responsibility for cybersecurity in state governments is typically shared among several agencies and departments, depending on the state’s organizational structure. State boards should initiate conversations with the state leaders and agencies tasked with statewide cybersecurity, beginning with the state chief information officer or chief technology officers, who oversee the state’s overall technology strategy, including cybersecurity initiatives. Boards should also talk with state law enforcement, emergency management, and any existing task forces. State boards should stress the need to invest in K-12 cybersecurity.
- Promote strategic transparency and information sharing. School districts sometimes avoid reporting cyberattacks because they are concerned about the ramifications of sharing. State boards should consider adopting policies that encourage or require districts to become part of statewide and regional coordinated cyber threat information sharing. Boards should also create a culture of strategic information sharing that rewards and supports districts that seek and offer help to peers across the state. Note, however, that this step should not require public sharing of technical or other information that could make districts more vulnerable to attacks.
- Educate school personnel, students, and families. Strong cybersecurity includes a savvy community. Boards should adopt policies that aim to educate school staff, teachers, and families about how to protect themselves and their schools from cyberattacks. Boards should also consider requiring teacher preparation and professional development programs to include a focus on ensuring all educators understand the important role they must play in protecting student data and school networks.
Conclusion
The cybersecurity challenge schools face is complex and evolving, requiring a concerted effort from local, state, and federal stakeholders. State boards have a vital role to play in raising awareness, fostering collaboration, and implementing policies that prioritize the security of student data and school networks. By acting decisively, state boards can help ensure that students and schools realize the benefits of education technology while the risks are mitigated. The effectiveness of digital learning and community trust in education systems depend on policymakers’ and practitioners’ ability to create a more secure digital environment. State education leaders will be central to reaching that critical goal.
Reg Leichty is the founding partner of Foresight Law + Policy.
Notes
[1] Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Multi-State Information Sharing and Analysis Center, “#StopRansomware: Vice Society,” Joint Cybersecurity Advisory (CISA, 2022).
[2] Krystal Tena, “U.S. K-12 Schools Are a Playground for Cyber Criminals,” comment (S&P Global, January 24, 2024).
[3] Federal Bureau of Investigation, “FBI Tech Tuesday: Protecting against Personally Identifiable Information (PII) Theft,” press release, May 24, 2022.
[4] U.S. Government Accountability Office, “As Cyberattacks Increase on K-12 Schools, Here Is What’s Being Done,” WatchBlog: Following the Federal Dollar (GAO, December 1, 2022).
[5] Maryland Office of the Inspector General for Education, “Findings Regarding the Baltimore County Public Schools Cyberattack,” Investigative Summary 21-0001-I, N.d.
[6] Mark Keierleber, “Trove of L.A. Students’ Mental Health Records Posted to Dark Web after Cyber Hack,” The 74, February 22, 2023.
[7] Anna Merod, “Cyberattacks Cost New Haven Public Schools over $6M,” K-12 Dive, August 18, 2023.
[8] “CoSN 2023 State of EdTech Leadership: Tenth Annual National Survey” (Consortium for School Networking, 2023).
[9] “2023 State EdTech Trends Report” (State Educational Technology Directors Association, 2023).
[10] State Educational Technology Directors Association, “New Report: Cybersecurity Tops List of State Education Technology Priorities,” press release, September 14, 2023. Also see Julia Fallon and Lu Young’s article in this issue.
[11] “E-rate Cybersecurity Cost Estimate: Calculating the Annual Expense to Provide Universal Service Funding Support for K-12 School Network Security in the United States,” report (CoSN and Funds For Learning, January 2021).
[12] “Protecting Our Future: Partnering to Safeguard K–12 Organizations from Cybersecurity Threats,” report (CISA, 2023).
[13] “Summary of Education Cybersecurity Policy Developments in 2023,” report (Consortium for School Networking, 2024).