When Iowa Congressman Zach Nunn served on the White House’s National Security Council, he witnessed the dramatic impact of cybersecurity incidents. Nunn became especially concerned about how cybersecurity crimes impact schools and their ability to educate students. He also realized how the growing threats have been making it easier to disrupt not only individual schools but entire school systems.

“These are no longer attackers in basements or individuals who intend to do harm for a one-time profit,” Nunn told KGLO News. “These are now nation states, places like North Korea, the Islamic Republican Guard Corps out of Iran, Russian activists who are intentionally looking to steal information that can harm Americans for decades and generations.”

Recently K-12 schools have found themselves increasingly in the crosshairs of cyber criminals. In September 2022, the Cybersecurity & Infrastructure Security Agency issued an advisory that the Vice Society, a ransomware group, is launching ransomware attacks against educational institutions, specifically K-12. Numerous schools have canceled classes due to ransomware attacks, including an attack in Des Moines, Iowa, in January 2023, affecting 30,000 kids, and a February 2023 attack on a West Virginia district of 19,000 students that also involved student personal data.

Nunn decided to take action by proposing the bipartisan Enhancing K–12 Cybersecurity Act, which was co-led by Representative Doris Matsui, in April 2023. The bill focuses on making it easier for schools to get the latest information about cyberattacks, as well as prevention.

The bill also increases the resources schools need to improve cybersecurity and proactively prevent attacks. Six national education organizations endorse the Act, including the National Association of Elementary School Principals (NAESP) and the National Association of Secondary School Principals (NASSP).

Key Components of the Enhancing K-12 Cybersecurity Act

The cornerstone of the Act focuses on creating the School Cybersecurity Information Exchange. This publicly accessible website contains cybersecurity best 12 practices, training and lessons that specifically target the needs of K-12 schools. Federal, state, local and non-government organizations will collaborate to create the information for the Exchange. The Act provides multiple ways schools and school systems can improve cybersecurity protection and recovery.

Schools can use a database on the site to identify cybersecurity tools and services funded by the federal government, as well as tools and services recommended for purchase with state and local government funding. The Exchange also provides a database of funding opportunities for schools to improve cybersecurity.

In addition, the Act establishes a Cybersecurity Incident Registry for school-related incidents to help schools understand risks and best practices. The registry will include dates of the incident, description, effects on the school and any other information that can help schools prevent future attacks. The Director of the Cybersecurity and Infrastructure Security Agency determines what types of incidents to include in the registry and establishes the process for approval.

The proposed legislation also creates the K-12 Cybersecurity Technology Improvement Program to help provide information that reduces risks and threats to K-12 schools. The program installs tools, makes cybersecurity services available and offers training opportunities to school personnel.

As demonstrated by recent attacks on school districts, cyber crime in the education sector doesn’t just affect data and systems but also students’ ability to learn. By providing schools with additional resources, teachers can focus their efforts on teaching their students instead of recovering from a cyberattack.

More from News

Spot Fake Extortion Attacks Without Wasting Time and Money

3 min read - Ransomware attacks — the scourge of businesses, schools, hospitals and other organizations — follow a familiar pattern. Shady criminals contact an organization, telling them their company or customer data has been breached, encrypted and/or exfiltrated. Pay us money, or we’ll publish your data. In 2022, some 41% of victims paid, according to cyber-intelligence firm Coveware, rewarding the extortionists for their efforts. (Payment is declining every year, down from 76% in 2019.)That knowledge no doubt inspired lazier, less-skillful scammers into action. In…

3 min read

High-Impact Attacks On Critical Infrastructure Climb 140%

4 min read - Prior to the pandemic, cyber-sabotage attacks on manufacturing plants were non-existent. Today, the situation has changed dramatically. As per a recent report, attacks that led to physical consequences in process manufacturing, discrete manufacturing and critical industrial infrastructures impacted over 150 industrial operations in 2022. In addition, the total number of attacks increased 2.4x over the previous year. At this rate of growth, cyberattacks may shut down up to 15,000 industrial sites within the next five years. Growing Threat to OT…

4 min read

AI Assistance Cuts Alert Triage Times in Half

4 min read - Clearly, ChatGPT has placed artificial intelligence on everyone’s radar these days. But AI in mainstream business applications has been around for decades. In cybersecurity, AI can be used for data augmentation and attack simulation. It can also help detect anomalies in network traffic or user behavior to enhance overall threat detection and response. As per a recent report, one area where AI has made significant strides is in threat alert triage efforts. In fact, with AI assistance, alert triage timelines…

4 min read

Proven Methods to Prevent Human-Based Security Mistakes

4 min read - The most recent Verizon Data Breach Investigations Report reveals the human element continues to be a key driver of 82% of breaches, including social attacks, errors and misuse. Undoubtedly, human error generates massive security headaches. Meanwhile, the rate and cost of cyber breaches continue to climb. Why is it then that over half of employed people don’t have or don’t use security awareness training? Maybe security teams don’t believe in security training. Or maybe they don’t know exactly what kind…

4 min read