Letter to Hon. Miguel Cardona, Secretary of Education, and Hon. Alejandro Mayorkas, Secretary of Homeland Security - Amid Alarming Rise in Cyberattacks, Senators Van Hollen, Hassan, Sinema, and Rosen Call for More Aggressive Steps to Strengthen Cybersecurity at K-12 Schools

Letter

Dear Secretary Cardona and Secretary Mayorkas:

We write today to strongly urge the Department of Education and the Department of Homeland Security (DHS) to do more to help protect our country's K-12 schools from the growing threat of cyberattacks. We are glad that the Department of Education agreed to implement the recommendations of the October 2021 Government Accountability Office (GAO) report on federal support for K-12 schools, and we further urge the Department of Education and DHS to go beyond those recommendations and establish a Government Coordinating Council and a Subsector Coordinating Council for the Education Facilities critical infrastructure subsector.

K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware. According to a database of publicly reported cybersecurity incidents at K-12 schools, 2019 saw almost three times more incidents than 2018 and 2020 saw a further 18 percent increase over 2019. These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland. These cyber incidents disrupt the education of our country's students.

We appreciate the work the Department of Education and DHS have put into the cybersecurity resources and services that the federal government is already providing to K-12 schools, which are outlined in the October 2021 GAO report. These include resources offered by the Readiness and Emergency Management for Schools Technical Assistance Center and Privacy and Technical Assistance Center funded by the Department of Education, along with the services provided by the Multi-State Information Sharing and Analysis Center funded by DHS.

However, K-12 schools need additional support, as evidenced by the increasing number of successful cyberattacks on K-12 schools.

We strongly agree with the GAO recommendations for the Department of Education, working with DHS's Cybersecurity and Infrastructure Security Agency (CISA), to update the Education Facilities subsector-specific plan and determine if subsector-specific guidance is needed, and we are glad to see that the Department of Education concurred with the recommendation. An updated subsector-specific plan will help the Department of Education and DHS effectively prioritize the risks, cyber and otherwise, to the Education Facilities subsector, while subsector-specific guidance would help K-12 schools better use existing cybersecurity frameworks and implement best practices.

In addition to implementing the GAO recommendations, we also urge the Department of Education and DHS, through CISA, to establish a Government Coordinating Council and Subsector Coordinating Council for the Education Facilities subsector. These councils would help promote better coordination between federal, state, and local entities and private sector groups that support K-12 schools, and provide a cohesive foundation upon which the Department of Education and CISA can better support the cybersecurity of our country's K-12 schools, as demonstrated by the successes of the Election Infrastructure subsector and its coordinating councils. Bringing together the K-12 stakeholders would help ensure resources, services, and other support can be prioritized to allow schools to effectively utilize them. The councils could also help the Department of Education and CISA update the subsector-specific plan and develop subsector-specific guidance, as recommended by the GAO.

We are encouraged by the Department of Education's willingness to work with CISA to quickly update the Education Facilities subsector-specific plan and determine if subsector-specific guidance is needed, and we urge the Department of Education and DHS/CISA to also establish a Government Coordinating Council and a Subsector Coordinating Council for the Education Facilities critical infrastructure subsector, taking lessons learned from the Election Infrastructure subsector.

We look forward to working with the Department of Education, DHS, and the administration to support our schools and improve our nation's cybersecurity.

