As schools across the nation struggle to manage the threat of ransomware and other cyberattacks, two US senators are calling on the Department of Homeland Security to offer more support. Their new bill, the K-12 Cybersecurity Act of 2019, tasks the DHS with assessing the scope of the problem and establishing guidelines to help schools improve their cybersecurity systems.
The legislation comes from Sens. Gary Peters, D-Mich., and Rick Scott, R-Fla., both members of the Senate Homeland Security and Governmental Affairs Committee.
"Schools across the country are entrusted with safeguarding the personal data of their students and faculty, but lack many of resources and information needed to adequately defend themselves against sophisticated cyber-attacks," Peters said in a statement.
Indeed, schools have become a top target for "big game hunters," or ransomware gangs that go after large entities rather than individuals. While the tactic has been around for some time, incidents of big game hunting spiked in 2019.
According to a report from the K-12 Cybersecurity Resource Center, there were 119 cyber-security incidents at US K-12 schools in 2018, including 11 that were attributed to ransomware. That's just a fraction of the ransomware incidents reported at US schools this year, according to two cybersecurity firms. In the first nine months of the year, ransomware infections hit more than 500 US schools, according to the firm Armor. The company Emsisoft tallied more than 1,000 educational institutions that were impacted within the first nine months of 2019.
These incidents put all kinds of sensitive information at risk, including student grades, faculty employment and payroll information, family records and medical histories.
Ransomware, of course, can also be a costly and resource-intensive problem for budget-strapped school districts. After ransomware took down the IT networks at three Louisiana school districts this past summer, Governor John Bel Edwards declared a state of emergency to handle the problem. The school districts were able to recover before the school year started -- without paying the hackers' ransom demand -- with the support of multiple state and private incident response teams.
The K-12 Cyberseecurity Act would first direct the DHS's Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks specific to K-12 educational institutions, including risks related to sensitive student and employee records. After that, it calls for CISA to develop cybersecurity recommendations and an online toolkit to help schools improve their cybersecurity systems.
While the legislation would provide a framework for school districts to follow, it doesn't provide the funding that some education advocates have requested specifically for cybersecurity.