
It’s No Coincidence that Cybersecurity Month is During Spooky SZN
By Susan Gentz, NCSSS Director of Business Strategies
Happy spooky szn! The month of October is considered National Cybersecurity Month, and with the state of cybersecurity incidents in K-12, it seems to be the perfect month to make sure all guards are in place for battle.
Cybersecurity attacks are on the rise. It’s been a trend for several years, but the amount of data and resources being held hostage in exchange for money is truly alarming. According to the K-12 Cyber Incident Map, there were 1619 incidents in K-12 districts between 2016 and 2022. The number has risen since then. The calendar is now updated annually and can be accessed through K-12 SIX.
Some more frightening statistics from Cobalt:
29% of attacks on educational institutions originated from vulnerability exploitation and 30% from phishing campaigns on K-12 schools in 2023 (Infosecurity Magazine).
Ransomware attacks on K-12 and higher education globally caused over $53 billion in downtime costs from 2018 to mid-September 2023 (Comparitech).
These attacks breached over 6.7 million personal records across 561 incidents (Comparitech).
In the U.S., 386 ransomware incidents cost an estimated $35.1 billion in downtime (Comparitech).
The sophistication of both entry and manipulation of data is changing the school landscape as we know it. Not only are the attacks mining more private data than ever, but it’s also getting more challenging to spot what is real and what isn’t.
How are States and the Federal Government Trying to Combat These Attacks?
States have slowly but steadily been working on efforts to protect districts from hacking and ransomware. The National Conference of State Legislatures maintains a comprehensive list of recently enacted cybersecurity laws. Incident reporting rules and other requirements vary widely among the states.
The federal government is working to prepare districts as well. According to the Congressional Research Service, “Federal law provides several potential approaches to combat ransomware attacks. First, federal criminal laws, such as the Computer Fraud and Abuse Act (CFAA), can be used to prosecute those who perpetrate ransomware attacks. These laws and others, such as the statutes criminalizing conspiracy and aiding and abetting, might also be used to prosecute individuals who help to develop ransomware that is ultimately used by others. Victims who pay ransoms might also be subject to criminal or civil penalties in some cases—for example, where a ransom payment is made knowingly to an entity either designated as a foreign terrorist organization or subject to sanctions by the Department of the Treasury. Nevertheless, policy considerations, mitigating factors, and prosecutorial discretion may weigh against enforcement in such instances.” The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) also strengthens protections by requiring incidents to be reported to the Cybersecurity and Infrastructure Security Agency (CISA). Because CISA is granted regulatory power, it has to follow the proper channels for proposed rulemaking. This process is long and tedious, and final rules on how the agency will implement CIRCIA must be published no later than October 4, 2025.
Additionally, the Federal Communications Commission (FCC) has opened up the Cybersecurity Pilot Program. “The Schools and Libraries Cybersecurity Pilot Program will provide up to $200 million to selected participants over a three-year term to purchase a wide variety of cybersecurity services and equipment. Modeled after the FCC’s Connected Care Pilot, the Pilot Program will evaluate the effectiveness of using Universal Service funding to support cybersecurity services and equipment to protect school and library broadband networks and data in order to determine whether to fund them on a permanent basis.” Not only can attackers be prosecuted, but there is now funding to help bolster efforts against cyberattacks.
The pilot program opened September 17, 2024 and will remain open until November 1, 2024.
This opportunity can help to protect against even the scariest attack on a school district network.
The Problem is Bigger Than Protecting the Network
As these attacks are happening more frequently and are more sophisticated (hello deepfakes!), it is also glaringly obvious that the United States talent pipeline is not as full as it needs to be. There must be an emphasis on showing students in our schools today that a cybersecurity career pathway is something that should be strongly considered when thinking of the future. If we want to combat future threats and incidents related to cybersecurity breaches and attacks, we have to have a workforce prepared to take it on, leaving only other reasons for a spooky month of October.