Biden signs bill to strengthen K-12 school cybersecurity

President Biden on Friday signed into law legislation intended to strengthen the cybersecurity of K-12 institutions after a year in which cyberattacks aimed at schools spiked as classes moved online during the COVID-19 pandemic.

The K-12 Cybersecurity Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to create cybersecurity recommendations and tools for schools to use to defend themselves against hackers after conducting a study on the cybersecurity risks facing K-12 institutions. 

The bipartisan bill, approved by the House late last month following passage by the Senate, is sponsored by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Sens. Rick Scott (R-Fla.), Jacky Rosen (D-Nev.) and Bill Cassidy (R-La.). 

Rep. Jim Langevin (D-R.I.) primarily sponsored the bill in the House, with Reps. Doris Matsui (D-Calif.), Andrew Garbarino (R-N.Y.), Andrew Clyde (R-Ga.) and Elissa Slotkin (D-Mich.) as co-sponsors.

Slotkin, who attended the bill signing at the White House, pointed to other major cybersecurity incidents, such as ransomware attacks on Colonial Pipeline and meat producer JBS USA and nation-state attacks like the SolarWinds hack, as highlighting mounting cyber threats. 

“The real-world consequences of cyber attacks have hit home with Americans across the country over the last year,” Slotkin said in a statement. “From the attacks directed at SolarWinds, the Colonial Pipeline, JBS USA and even EA video games, folks are beginning to realize that cybersecurity isn’t just a tech issue — it goes to the heart of the systems we rely on in our daily lives.”

“Our schools aren’t exempt from this emerging threat; in fact, they’re prime targets,” she said. “Our bill lays the groundwork for better cybersecurity policies in our schools and stronger coordination between them and the experts at CISA. This is an important first step, and I’m grateful to the President for helping us begin to address this challenge.”

Peters and Rosen were also present at the bill signing. 

Cybersecurity threats for K-12 institutions have multiplied during the pandemic, as classes were forced online to platforms vulnerable to exploitation and hacking. As a result, many districts were forced to delay or cancel classes at various times in the past year due to cyberattacks, in particular ransomware attacks, including school districts in Miami-Dade County, Fla.; Baltimore County, Md.; and Fairfax County, Va.

The K-12 Cybersecurity Resource Center released a report earlier this year that found K-12 institutions in the U.S. experienced a “record-breaking” number of cyberattacks in 2020, with an average of two attacks per day aimed at schools. 

“While no one can predict whether another global pandemic will close schools to in-person learning, important lessons can and should be drawn from this experience to ensure that if such an event (or something like it) occurs again in the future, districts are better prepared,” the report read.