Lawmakers increasingly target cybersecurity threats in schools, report shows

The Consortium for School Networking (CoSN) unveiled its 2023 report on K-12 cybersecurity policy developments on Jan. 18, detailing the boom in state and federal education cybersecurity bills and laws that emerged last year.

The comprehensive resource highlights notable policy ideas and trends, and offers insights for education technology leaders, local educational agencies and policymakers to evaluate and potentially adopt in their respective states and communities in the year ahead.

“Policymakers increasingly understand that K-12 education is under siege from cyberthreats,” CoSN CEO Keith R. Krueger said in a statement. “School systems hold a vast amount of sensitive information about students and staff that cybercriminals can exploit, and it is imperative for both states and the federal government to enhance their efforts to secure educational networks and data.”

Cyberattacks in education pose a costly and disruptive threat to schools, jeopardizing confidential and personally identifiable information they collect and maintain on students, personnel and families. According to an October 2022 Government Accountability Office report, when a school district is targeted the “loss of learning following a cyberattack ranged from three days to three weeks, and recovery time could take anywhere from two to nine months.”

As these attacks have increased, so have lawmakers’ responses. CoSN found a 250 percent increase in the number of education cybersecurity bills introduced by state legislators compared to 2020. And the number of new laws adopted by states surged by 620 percent.

One such bill in California — CSBA-sponsored Assembly Bill 1023 — requires the California Cybersecurity Integration Center (Cal-CSIC), the state agency charged with responding to cyberattacks, to provide direct cybersecurity assistance to TK-12 schools. Prior to the passage of AB 1023, school districts and county offices of education were not designated for support from Cal-CSIC. The additional support will allow LEAs to prepare for and respond to cyberattacks more effectively to protect data for students, staff and families.

Other California bills highlighted in the report spotlight the state’s efforts to address the cybersecurity workforce gap in several ways, including by increasing the pipeline of students pursuing cybersecurity careers; improve security among local agencies that maintain public email addresses and websites for public use; and fund efforts for community college districts to implement local and systemwide technology and data security measures that support improved oversight of cybersecurity efforts, among other steps to improve overall cybersecurity.

Among the highlights from CoSN’s report, Education Cybersecurity Policy Developments in 2023:

  • Forty-two states introduced 307 cybersecurity bills with a direct or indirect focus on the education sector — a continued increase from 232 similar bills introduced in 2022, 170 bills in 2021 and 87 bills in 2020.
  • Of those introduced, 75 new cybersecurity laws with education implications were signed in 33 states. This also represents a significant increase from previous years, when governors signed 37 bills in 2022, 49 in 2021 and 10 in 2020.
  • A common theme among the bills introduced in 2023 emphasized policy revisions that applied to all state and local government rather than specifically focusing on school districts, covering a variety of cybersecurity policies and strategies.
  • Federal legislators introduced 22 cybersecurity bills, including five with an education focus. This equals the 22 federal bills introduced in 2022, but an increase from 19 such bills in 2021 and 10 in 2020.