The U.S. Senate this week passed legislation that would direct the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to take a closer look at the threats like ransomware that have tormented K-12 schools, students and employees.
The K-12 Cybersecurity Act, sponsored by Sen. Gary Peters, D-Mich., the chairman of the Senate Homeland Security Committee, orders CISA to undertake a 120-day review of the cyberthreats facing the education sector and evaluate how schools can better protect the personal data of students and staff, including grades and academic records, medical files and family information.
“Increasing ransomware attacks against our K-12 schools are unacceptable and place children, faculty and staff at risk,” Peters said in a press release. “Unfortunately, many school districts that store valuable personal information currently lack the means to defend themselves against complicated cyber-attacks and ensure their networks are protected.”
Just last week, a school district near San Antonio confirmed it paid ransomware actors $547,000 to regain access to its systems and prevent the publication of stolen data, with officials saying they had “no other choice.”
The bill, which had bipartisan support, was approved less than a week after the Center for Internet Security, a nonprofit that provides cybersecurity services to state and local government entities, predicted an 86% rise in the number of cyber incidents against K-12 schools in the upcoming academic year. That projection came after a particularly brutal year of ransomware in which at least 408 attacks against schools were publicly reported.
Along with the study, Peters’ bill also instructs CISA to make resources designed to prevent ransomware and other attacks readily available to K-12 schools. Those resources could include cyber-hygiene training exercises and guides to best practices.
CISA already includes specialized content for the education sector in its anti-ransomware messaging, including a dedicated section of its StopRansomware.gov website. The agency also issued a public warning last December that ransomware attacks against schools were on the rise, including a two-month stretch in which the K-12 sector accounted for more than half of all publicly confirmed ransomware victims.
A bill similar to Peters’ Senate measure has been introduced in the House, but has not been voted on.