As of 2021, cyberattacks on K-12 school systems, colleges, and universities are on track to reach an all-time high. In the past week alone, schools in Oregon, Alabama, and New York were hit by cybercriminals, demonstrating that no educational institution is immune to this escalating threat. Cybercriminals are launching widespread attacks, targeting school districts of all sizes and demographics, causing financial, operational, and reputational damage. Addressing cybersecurity in education has become more critical than ever, with attackers increasingly focusing on schools as a target for ransomware and other criminal activities.
The Pervasive Impact of Cyber Attacks on Schools
With each passing day, more stories emerge about data breaches, ransomware attacks, and phishing scams threatening schools' stability. America is grappling with a cybersecurity emergency, and schools have become ground zero for crimeware-as-a-service (CaaS), a growing trend in cybercrime where criminals rent out tools like ransomware to target vulnerable institutions.
Student and staff data, including personally identifiable information (PII), is valuable to cybercriminals, who can use it for identity fraud and other illegal activities. Even research findings, such as those related to COVID-19 vaccine development, have been targeted by cybercriminals.
Case Study: Texas Leads the Way with Senate Bill 820
One of the strongest examples of legislative action aimed at addressing K-12 cybersecurity is Senate Bill 820 in Texas. Signed into law in January 2019, it set a precedent for a statewide approach to cybersecurity in education.
Senate Bill 820 mandates:
- A designated cybersecurity oversight position to enforce policies and practices across school districts.
- The development of a comprehensive cybersecurity threat response plan.
- Immediate reporting of compromised data to the Texas Education Agency (TEA) and affected parents.
By establishing clear guidelines and oversight, Texas has laid the groundwork for addressing the growing cyber threats facing schools. Other states should look to this legislation as a starting point for enacting effective cybersecurity policies in K-12 education.
The Need for National Strategies in K-12 Cybersecurity
While Texas has taken the lead, it’s time for local, state, and federal legislators to take data security and cybersecurity in education seriously. Schools face numerous threats, including ransomware attacks, data breaches, phishing scams, and distributed denial-of-service (DDoS) attacks. These attacks cause significant disruptions, wasting time, educational resources, and financial investments.
Here are some of the most pressing threats schools face today:
1. Ransomware Attacks
Ransomware has become the top method of attack for cybercriminals targeting schools. The average ransom demand is $50,000, though in some cases, it has been as high as $1.5 million. Even when schools pay the ransom, they face the risk that their data will not be returned, or worse, sensitive student information could be exposed online.
2. Data Breaches
The personal data held by schools is a valuable target for cybercriminals. Data breaches can cost large school districts millions of dollars to resolve. Without proper protections, schools risk the theft of sensitive information, including student records, health data, and financial information.
3. Phishing Scams
Both students and staff are vulnerable to phishing attacks, where criminals use deception to gain access to private data. Phishing remains one of the leading ways that attackers penetrate school networks, often leading to larger-scale ransomware attacks.
4. Distributed Denial-of-Service (DDoS) Attacks
Hackers use DDoS attacks to overwhelm school systems and disrupt online learning platforms. These attacks can prevent students and teachers from accessing essential educational resources, wasting valuable time and money.
5. Other Miscellaneous Intrusions
From hacking Zoom calls to accessing classroom cameras, schools are vulnerable to a range of cyber intrusions that can violate student privacy and create significant disruptions.
What’s Next for K-12 Cybersecurity?
The reality is that every school, whether K-12, college, or university, is a potential target for cybercriminals. It is no longer a question of if schools will be targeted, but when. Legislation at every level must address these threats head-on. The time has come for U.S. lawmakers to develop local, state, and national strategies to improve cybersecurity in education.
By enacting legislation similar to Texas Senate Bill 820, policymakers can begin to address the cybersecurity threats plaguing America's schools. Cybersecurity requires a collaborative approach, engaging public and private sector stakeholders to protect the most vulnerable institutions: our schools.
The Time for Action Is Now
Cybersecurity is a community-wide effort. Lawmakers, educators, IT professionals, and cybersecurity experts must work together to mitigate these ongoing threats and safeguard the future of education. The longer we wait, the greater the risk becomes. Schools are the foundation of our nation's success, and we must act now to protect them from the rising tide of cybercrime.
To learn how Gradient Cyber supports K-12 organizations in their journey to a better cybersecurity posture, contact us here.