November 12, 2021

Amid Alarming Rise in Cyberattacks, Senators Hassan, Sinema, Rosen, and Van Hollen Call for More Aggressive Steps to Strengthen Cybersecurity at K-12 Schools

Push Comes After Government Report Requested by Senator Hassan Reveals Education Department’s Plan to Address Threats to Schools is Vastly Outdated

WASHINGTON – U.S. Senators Maggie Hassan (D-NH), Kyrsten Sinema (D-AZ), Jacky Rosen (D-NV), and Chris Van Hollen (D-MD) are calling on the Department of Education and Department of Homeland Security (DHS) to take more aggressive steps to strengthen cybersecurity in K-12 schools amid an alarming rise in cyberattacks on school districts across the country. Their push comes after a nonpartisan Government Accountability Office report requested by Senator Hassan revealed that the Department of Education’s current plan to address threats to K-12 schools is vastly outdated and is primarily focused on physical threats.

 

“K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware,” the Senators wrote. “According to a database of publicly reported cybersecurity incidents at K-12 schools, 2019 saw almost three times more incidents than 2018 and 2020 saw a further 18 percent increase over 2019. These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland.”

 

In their letter, the Senators urge the Department of Education to work with DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to update the Department of Education’s plan to address threats at K-12 schools – which was last updated in 2010 – to prioritize the risks posed by cyber threats. The lawmakers also urge the Department of Education and CISA to determine whether K-12 schools need specific guidance and best practices to help improve their cybersecurity.

 

Furthermore, the Senators are urging the Department of Education to bring together relevant stakeholders to promote better coordination between federal, state, and local entities and private sector groups that support K-12 schools to help address the threat of cyberattacks. Senator Hassan has led efforts to improve communication between federal, state, and local officials, and earlier this year, she successfully helped pass into law her measure to create a Cybersecurity Coordinator in every state to help facilitate information sharing on cybersecurity best practices and response strategies.

 

As Chair of the Emerging Threats Subcommittee, Senator Hassan is leading bipartisan efforts to strengthen cybersecurity across all levels of government. The bipartisan infrastructure package that will soon be signed into law includes Senator Hassan’s measure to create a state and local cybersecurity grant program. Furthermore, in an effort to strengthen cybersecurity within the federal government, Senators Hassan and Rob Portman (R-OH) passed into law the bipartisan Hack DHS Act, which establishes a bug bounty pilot program – modeled off of similar programs at the Department of Defense and major tech companies – that uses vetted “white-hat” or ethical hackers to help identify unique and undiscovered vulnerabilities in DHS networks and information technology.

 

The full text of the Senators’ letter is below:

 

Dear Secretary Cardona and Secretary Mayorkas:

 

We write today to strongly urge the Department of Education and the Department of Homeland Security (DHS) to do more to help protect our country’s K-12 schools from the growing threat of cyberattacks. We are glad that the Department of Education agreed to implement the recommendations of the October 2021 Government Accountability Office (GAO) report on federal support for K-12 schools, and we further urge the Department of Education and DHS to go beyond those recommendations and establish a Government Coordinating Council and a Subsector Coordinating Council for the Education Facilities critical infrastructure subsector.

 

K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware. According to a database of publicly reported cybersecurity incidents at K-12 schools, 2019 saw almost three times more incidents than 2018 and 2020 saw a further 18 percent increase over 2019. These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland. These cyber incidents disrupt the education of our country’s students.

 

We appreciate the work the Department of Education and DHS have put into the cybersecurity resources and services that the federal government is already providing to K-12 schools, which are outlined in the October 2021 GAO report. These include resources offered by the Readiness and Emergency Management for Schools Technical Assistance Center and Privacy and Technical Assistance Center funded by the Department of Education, along with the services provided by the Multi-State Information Sharing and Analysis Center funded by DHS.

 

However, K-12 schools need additional support, as evidenced by the increasing number of successful cyberattacks on K-12 schools.

 

We strongly agree with the GAO recommendations for the Department of Education, working with DHS’s Cybersecurity and Infrastructure Security Agency (CISA), to update the Education Facilities subsector-specific plan and determine if subsector-specific guidance is needed, and we are glad to see that the Department of Education concurred with the recommendation. An updated subsector-specific plan will help the Department of Education and DHS effectively prioritize the risks, cyber and otherwise, to the Education Facilities subsector, while subsector-specific guidance would help K-12 schools better use existing cybersecurity frameworks and implement best practices.

 

In addition to implementing the GAO recommendations, we also urge the Department of Education and DHS, through CISA, to establish a Government Coordinating Council and Subsector Coordinating Council for the Education Facilities subsector. These councils would help promote better coordination between federal, state, and local entities and private sector groups that support K-12 schools, and provide a cohesive foundation upon which the Department of Education and CISA can better support the cybersecurity of our country’s K-12 schools, as demonstrated by the successes of the Election Infrastructure subsector and its coordinating councils. Bringing together the K-12 stakeholders would help ensure resources, services, and other support can be prioritized to allow schools to effectively utilize them. The councils could also help the Department of Education and CISA update the subsector-specific plan and develop subsector-specific guidance, as recommended by the GAO.

 

We are encouraged by the Department of Education’s willingness to work with CISA to quickly update the Education Facilities subsector-specific plan and determine if subsector-specific guidance is needed, and we urge the Department of Education and DHS/CISA to also establish a Government Coordinating Council and a Subsector Coordinating Council for the Education Facilities critical infrastructure subsector, taking lessons learned from the Election Infrastructure subsector.

 

We look forward to working with the Department of Education, DHS, and the administration to support our schools and improve our nation’s cybersecurity.

 

###