The U.S. Education Department should give better instructions to K-12 schools that they can spend federal pandemic relief money on cybersecurity, especially as ransomware attacks against districts nationwide continue to run rampant and many school systems plan for some degree of long-term virtual learning, two senators said Thursday.
In a letter addressed to Education Secretary Miguel Cardona, Sens. Mark Warner, D-Va., and Susan Collins, R-Maine, wrote that the department needs to issue clearer guidance that the programs established in multiple rounds of federal COVID-19 relief “can be spent on cybersecurity resources and engage with school districts to increase awareness of the critical need for prioritizing stronger cybersecurity measures.”
Since the passage of the $2.2 trillion CARES Act in March 2020, K-12 districts have been supported by two funds: the Elementary and Secondary School Emergency Relief Fund, or ESSER, which provides school systems with aid based on the same proportions as standard federal K-12 funding programs, and the Governor’s Emergency Education Relief Fund, or GEER, which gives additional support to K-12, higher-education institutions and workforce-development programs. Both funds were replenished by an omnibus spending bill last December and President Joe Biden’s $1.9 trillion American Rescue Plan.
The Education Department’s guidance on how the funds are to be used makes frequent references to the technologies used to support virtual learning, including laptops, mobile devices, video conferencing and online education software. But cybersecurity only appears once, with the guidance telling school administrators that cyber expenditures related to “educational and other needs of students related to preventing, preparing for, or responding to COVID-19” are allowable.
In their letter, Warner and Collins argued that falls short.
“You know better than anyone the dramatic ways the COVID-19 public health crisis has affected how students learn,” they told Cardona, who was previously the education commissioner in Connecticut. “Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic. While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks.”
The letter mentions ransomware incidents that resulted in online classes being canceled and some school districts, including Fairfax County Public Schools in Virginia having sensitive student and faculty data stolen and published by ransomware actors. Warner and Collins also wrote that their offices have heard from school districts asking for more clarity on how to use their relief funds and that the Education Department should publish more guidance with specific recommendations on how to defend against ransomware.
“We respectfully ask that the Administration take steps to publicize this information and help school districts understand the importance of using funding for cybersecurity efforts, including by promulgating lists of recommended cybersecurity benchmarks that additional resources could help school districts attain,” they wrote.
Separately on Thursday, a bipartisan group of four House members led by Rep. Doris Matsui, D-Calif., introduced a bill aimed at sharing more cybersecurity intelligence with school districts. The Enhancing K-12 Cybersecurity Act would direct the Cybersecurity and Infrastructure Security Agency to create a cybersecurity information exchange, a K-12 incident reporting registry and a $10 million annual technology improvement program.
The bill was endorsed by several intergovernmental organizations, including the Consortium for School Networking, State Educational Technology Directors Association and National Association of State Chief Information Officers.