Those actions were among 75 new cybersecurity laws that passed in 33 states last year, according to the Consortium for School Networking’s (CoSN) 2023 Cybersecurity Policy Development Report. The report, released Jan. 18 and funded by the Bill and Melinda Gates Foundation, said legislators in 42 states introduced 307 cybersecurity bills last year. All told, the report found a 250 percent increase in the number of cybersecurity bills directly or indirectly impacting education since 2020.
“Policymakers increasingly understand that K-12 education is under siege from cyber threats,” CoSN CEO Keith Krueger said in a public statement. "School systems hold a vast amount of sensitive information about students and staff that cyber criminals can exploit, and it is imperative for both states and the federal government to enhance their efforts to secure educational networks and data.”
Most of the laws or bills cited in the report called for increased funding; new facilities, departments or personnel; new studies or task forces; or improved cooperation between agencies. Several pieces of legislation restricted use of social media or mandated new instruction or training related to cybersecurity awareness.
Nineteen bills introduced in 11 states in 2023 were specific to ransomware issues. Arkansas House Bill 1704, for example, prohibits public entities, including governments, school districts and state colleges, from paying ransom after a cyber attack. Michigan Senate Bill 380 proposes amendments to state aid formulas to include instances when hours or days of instruction are lost because of ransomware attacks.
The report also touches on 22 federal cybersecurity bills introduced last year that involved the education sector, though none of them have been signed into law. One of them, House of Representatives Bill 4512, proposes to withhold federal funds to colleges and universities that allow the use of TikTok on campuses unless for certain research purposes related to cybersecurity, law enforcement, telecommunications or national security.
CoSN's report expressed hopes that legislators, school administrators, policymakers and technology leaders will use its contents as a resource to continually improve data protection measures.
“In conclusion, the policy landscape in 2023 reflects a significant and dynamic response to the evolving challenges in education cybersecurity," the report said. "CoSN remains committed to guiding stakeholders through these complex issues and facilitating the development of effective policies and strategies to safeguard our educational institutions."
According to an October 2022 report from the U.S. Government Accountability Office (GAO), the loss of learning time following a cyber attack on K-12 institutions has ranged from three days to three weeks. Across all industries, the GAO estimated that the number of cyber attacks in the United States increased from about 400,000 in 2016 to 2.59 million in 2021.
