House lawmakers roll out legislation to protect schools against hackers

A group of bipartisan House members led by Rep. Doris Matsui (D-Calif.) on Thursday introduced legislation intended to protect K-12 institutions from cyberattacks, which spiked during the COVID-19 pandemic. 

The Enhancing K-12 Cybersecurity Act would appropriate $10 million yearly for the next two years to fund a K-12 Cybersecurity Technology Improvement Program to protect school networks from security risks. The program would be established by the Cybersecurity and Infrastructure Security Agency (CISA) and run by an information sharing organization.

The bill would also direct CISA to establish a cybersecurity incident registry within the agency to track cyberattacks on K-12 institutions and requires CISA to establish a cybersecurity incident exchange program to help schools share best practices and increase security of critical systems.

Other sponsors include Rep. Jim Langevin (D-R.I.), chairman of the House Armed Services Committee’s cybersecurity subcommittee, along with House Homeland Security Committee ranking member John Katko (R-N.Y.) and Rep. Andrew Garbarino (R-N.Y.), ranking member of the House Homeland Security Committee’s cybersecurity panel. 

The bill was previously introduced by Matsui and Langevin last year, but it never got a vote in the House.

The previous version would have established a $400 million grant program at the National Science Foundation to improve infrastructure and the cybersecurity workforce to help protect K-12 institutions against malicious hackers. 

A congressional source told The Hill that the program had been modified due to stakeholder feedback. Other changes due to this feedback included changing the language to potentially allow for more collaborative information sharing between schools. 

Matsui on Thursday described the legislation as providing a “roadmap” to protect schools against escalating cyberattacks. 

“Cyber threats have been on the rise across the nation, causing massive disruptions to critical institutions,” Matsui said in a statement provided to The Hill. “It is imperative that America’s schools are prepared to address this growing threat.”

“Cyberattacks targeting schools have already forced class cancellations and exposed students’ sensitive personal information,” she added. “As cyber criminals grow more sophisticated and aggressive, we must provide the resources and information necessary to protect our schools.”

K-12 institutions have increasingly been targeted by hackers in recent years, with these institutions seen as more vulnerable due to aging systems. 

Ransomware attacks have become a particular nightmare over the COVID-19 pandemic, with cyber criminals identifying K-12 institutions dependent on online learning as more likely to pay ransoms to decrypt systems and prevent disruption of classes.

The phenomenon of “Zoombombing,” which involves individuals interrupting classes with inappropriate images or language, also became a headache for schools.

School districts across the nation saw classes interrupted during 2020 by cyberattacks, including those in Miami-Dade County, Fla.; Baltimore County, Md.; and Fairfax County, Va., among many others. The K-12 Cybersecurity Resource Center tracked 408 cyber incidents that hit U.S. K-12 institutions over the last year, a number the group described as “record-breaking.”

Langevin in March teased the reintroduction of the legislation, tweeting that he “strongly” supported the bill, and that “promoting information sharing with @CISAgov & providing resources for local officials to modernize critical systems will make us more secure in the Information Age.”

Additionally, Matsui and Langevin sent a letter to Education Secretary Miguel Cardona in April urging him to take action to defend K-12 institutions from cyberattacks. 

“To help ensure schools are keeping pace with the demands of the modern classroom, we urge you to issue guidance that will allow K-12 schools to make needed investments in increased cybersecurity measures,” they wrote.