A bill recently introduced in the House would help define best cybersecurity practices for K-12 vendors and outline new spending that could benefit certain education companies focused on online safety.
The Enhancing K-12 Cybersecurity Act, introduced June 17 by Rep. Doris Matsui, D-Calif., would task the Department of Homeland Security with establishing a program to circulate K-12 cybersecurity best practices, training, and lessons learned, and with recommending online safety tools for purchase by state education agencies and school districts.
The bill calls on DHS to consult with school IT vendors and cybersecurity companies in putting together the list of best practices.
Doug Levin, the national director for the K12 Security Information Exchange, who is lobbying for the Matsui bill, expects significant regulatory action at the federal and state levels around K-12 cybersecurity, though it’s difficult to say exactly when that will happen. The K12 Security Information Exchange operates the K-12 Cybersecurity Resource Center, an online database that tracks K-12 cybersecurity incidents.
The House bill could face a steep climb to become law, as the House Education and Labor Committee currently has no plans to consider the measure, and companion legislation has yet to be introduced in the Senate.
Lawmakers failed to vote on a similar bill introduced in 2020, before the previous congressional term ended in December.
Schools are relying more on technology for remote learning, and policymakers are seeing the need to start imposing baseline internet safety expectations for school districts and vendors, Levin said.
With cybersecurity policies likely to tighten, school districts and government agencies will increasingly look toward education companies that have already crafted and adhere to a set of best practices for cybersecurity, Levin said.
If passed, the federal bill would lead to the creation of a DHS-run database that would recommend security tools and services for schools to purchase, and allow schools and states to find and apply for funding opportunities to improve cybersecurity.
H.R. 4005 doesn’t spell out how the money would be disbursed, so the federal government would likely issue further guidance on expenses that might qualify for any cybersecurity grants issued, if the legislation is enacted, Levin said.
In addition to defining best practices and outlining new channels for K-12 cybersecurity funding, the legislation proposes the development of a voluntary registry of K-12 cyberattack incidents, and would require yearly DHS reports analyzing cyber incidents across all levels of K-12.
Information to be collected into the registry may include descriptions of the incidents’ size, and whether each incident was the result of a breach, malware, distributed denial of service attack, or other method designed to cause a vulnerability.
“The bill certainly is responsive to the needs that members of Congress have been hearing from the field,” Levin said. “School districts are feeling under assault from ransomware.”
Levin has compiled data showing that many cyberattacks have targeted teacher and student data stored by education companies, not just within schools.
According to the K12 Cybersecurity Resource Center’s most recent annual report on the state of K-12 cybersecurity, at least 75 percent of all data breach incidents affecting public K-12 school districts resulted from occurrences involving school vendors and other partners.
The Federal Trade Commission has ratcheted up its focus on data breaches in K-12 recently, signaling a stricter enforcement posture toward companies that collect data on K-12 students and teachers.
Organizations endorsing the Enhancing K-12 Cybersecurity Act include the National Association of Secondary School Principals, the National Association of Elementary School Principals, the Council of Chief State School Officers, the National Association of State Chief Information Officers, the State Educational Technology Directors Association, and the Consortium for School Networking.
“As cyber criminals grow more sophisticated and aggressive, we must provide the resources and information necessary to protect our schools,” Matsui said in a statement. “The Enhancing K-12 Cybersecurity Act provides a roadmap and prepares our cyberinfrastructure for the threats of tomorrow.”