Lawmakers urge Education Department to take action to defend schools from cyber threats

Reps. Doris Matsui (D-Calif.) and Jim Langevin (D-R.I.) on Friday urged the Department of Education to prioritize protecting K-12 institutions from cyberattacks, which have shot up in the past year as classes moved increasingly online during the COVID-19 pandemic.

In a letter to Secretary of Education Miguel Cardona, the two lawmakers highlighted concerns that cybersecurity threats to K-12 institutions have spiked during the pandemic, and urged Cardona to issue guidance to educational institutions to help navigate these threats.

“As the U.S. continues to battle the ongoing pandemic, the Department of Education will play a critical role in supporting American families as they navigate the challenges of distance learning and prepare to reenter the classroom safely,” Matsui and Langevin wrote.

“To help ensure schools are keeping pace with the demands of the modern classroom, we urge you to issue guidance that will allow K-12 schools to make needed investments in increased cybersecurity measures,” they noted. 

The letter was sent after a year in which school districts were hit with a wave of cyberattacks and other online interruptions as K-12 institutions were forced to hold classes online during the COVID-19 pandemic. 

A report released last month by the K-12 Cybersecurity Resource Center found that K-12 institutions in the United States recorded a “record-breaking” number of cyberattacks in 2020, while the Government Accountability Office (GAO) put out a report last year concluding that the rising number of cyberattacks was putting students at risk. 

School districts in Miami-Dade County, Fla., Baltimore County, Md., and Fairfax County, Va., were among notable ones that were hit by cyberattacks.

The Associated Press reported Thursday that Florida’s Broward County Public School District, which serves over 250,000 students, was struggling to recover from a ransomware attack in which the criminals were demanding $40 million to decrypt data. 

The escalating cyber threats to K-12 institutions, seen as easy targets by cyber criminals, led the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center to put out a joint alert in December warning of the increasing cyber vulnerabilities faced by schools. 

Matsui and Langevin pointed to the alert in warning that “the underlying cyber threat facing K-12 schools will remain even after we have crushed the coronavirus.”

“In light of this well-documented threat, we believe that the Department must be doing everything it can to support schools in protecting the confidentiality of students’ data and ensuring the availability of information technology systems essential for learning,” the lawmakers wrote. 

They specifically urged Cardona to issue guidance clarifying that recent funds included in COVID-19 relief packages for K-12 institutions can also be used to shore up cybersecurity. 

“While schools can reasonably interpret this text to indicate cybersecurity costs would be considered eligible expenses, written guidance from the Department to that effect will ensure schools have the information they need to make informed decisions about how to use these funds,” Matsui and Langevin wrote. 

The Department of Education did not immediately respond to The Hill’s request for comment on the letter. 

Matsui and Langevin introduced legislation last year to establish a $400 million grant program to help protect K-12 institutions from cyber threats, though the bill failed to advance. 

Langevin tweeted last month that he “strongly” supported the legislation, and said at a conference that he was looking at reintroducing the bill, which was led by Matsui. 

“Cyber incidents targeting schools are an urgent and growing threat that must be addressed,” the lawmakers wrote to Cardona.