“Regardless of their size or location, elementary and secondary schools increasingly face an onslaught of ransomware and other cyberattacks, which jeopardize sensitive data and the integrity of their digital infrastructure,” wrote Foresight Law + Policy founding partner Reg Leichty in an article published in the National Association of State Boards of Education’s September journal.
“The consequences of these attacks can be severe and costly, eroding community trust, disrupting learning, and permanently damaging equipment,” Leichty continued. “State boards of education must play their part in promoting effective cybersecurity practices in their districts.”
State boards of education play a crucial role in improving K-12 cybersecurity by building public awareness around the issue, applying their oversight authority and proposing strategic policies within the scope of their jurisdictional authority, Leichty stated.
“Shielding Student Data: The Critical Role of State Boards in K-12 Cybersecurity” details recent incidents — including Los Angeles Unified School District’s 2022 ransomware attack that resulted in the release of thousands of stolen confidential student records related to medical histories, details about students receiving special education services, and academic and disciplinary records on the dark web. The leaked information also included federal and state efforts to address the issue of cybersecurity in the education sector.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has noted that local educational agencies hold a massive amount of student, employee and financial data that can be used to open fraudulent accounts, apply for loans or credit cards, file phony tax returns, obtain medical services in another’s name, or make unauthorized purchases or withdraw money from a victim’s bank account.
According to the U.S. Government Accountability Office (GAO), such attacks can lead to prolonged disruptions to school operations — resulting in learning loss ranging from days to weeks, and recovery time lasting from two to nine months. The financial burden can prove substantial, the GAO found, with documented losses among districts that have experienced cyberattacks reaching $1 million due to expenses incurred during the recovery process.
Federal agencies and education technology organizations have warned that cyberattacks will continue to increase so long as LEAs lack the funding and specially trained staff required to defend their networks from the complex and evolving cyberattacks.
“These significant figures highlight the urgent need for new measures to bolster cybersecurity and mitigate the sometimes-devastating effects on schools,” Leichty wrote. State leaders are also stepping up to help schools meet their cybersecurity needs, but more must be done.”
In 2023, Leichty noted that 33 states enacted 75 new cybersecurity laws supporting the education sector that address areas including information sharing, workforce development and incident reporting.
California, for example, requires the state’s Cybersecurity Integration Center to include representatives from the California Department of Education and include school districts in its coordination of information sharing, including that related to cyberthreats.
Among several detailed recommendations, Leichty called on state boards of education to:
- Promote strategic transparency and information sharing among LEAs that rewards and supports those that seek and offer help to peers across the state. However, this should not require public sharing of technical or other information that could make districts more vulnerable to attacks.
- Engage and partner with the state agencies responsible for cybersecurity and advocate for strong state investment in K-12 cybersecurity supports.
“By acting decisively, state boards can help ensure that students and schools realize the benefits of education technology while the risks are mitigated,” Leichty concluded. “The effectiveness of digital learning and community trust in education systems depend on policymakers’ and practitioners’ ability to create a more secure digital environment. State education leaders will be central to reaching that critical goal.”
