“Schools have access to more sensitive information and fulfill a more essential purpose than virtually any other local government agency and deserve robust, focused support to prepare for ransomware attacks,” said CSBA President Susan Markarian during a June 26 press conference held in support of Assembly Bill 1023, which aims to improve cybersecurity and preserve data privacy in California TK-12 schools.

The CSBA-sponsored legislation, authored by Assemblymember Diane Papan (D-San Mateo), would allow schools the same access to the information, guidance and coordination needed to effectively implement cybersecurity as other government agencies receive through the California Cybersecurity Integration Center (Cal-CSIC). It would also require Cal-CSIC to gather input from local educational agencies.

“I’m so honored to be able to do this bill … to make sure that all of our elementary schools, all the way through high school, are protected from cyberattacks,” Papan said during the event, which took place at Elk Grove Unified School District’s Florence Markofer Elementary. “As technology begins to play a bigger role in schools, we’ve got to make sure that they’re protected.”

A day after the press conference, on June 27, the bill passed out of the Senate Governmental Organization Committee with a 13-0 vote and is headed for the Senate Appropriations Committee.

“Throughout California, districts small and large have been victimized by cyberattacks that shut down operations, hold data hostage and put student and staff privacy at risk. As ransomware attacks continue to grow, local educational agencies have increasingly been identified as soft targets lacking the capacity to ward off hackers,” Markarian said. “For many districts, it is not a matter of if — but when — their school information system will be subject to a cybersecurity attack. In 2022, cyberattacks against the education sector increased by 36 percent from the previous year.”

In September, Gov. Gavin Newsom signed AB 2355, which requires LEAs to report cyberattacks impacting 500 or more individuals to Cal-CSIC. This will allow for more complete data on the impact cyberattacks have on LEAs in the future.

Last year, large districts such as Los Angeles USD, San Diego USD and mid-sized districts including San Luis Coastal USD were hit, as well as county offices like Glenn County Office of Education, which affected multiple districts in the Sacramento region. The San Luis Obispo Tribune recently reported that San Luis Obispo COE was the subject of a cyberattack on June 12.

AB 1023 would especially benefit smaller LEAs, as they often lack the resources and candidate pool to hire experienced cybersecurity personnel. Though Gov. Gavin Newsom has proposed funding in this year’s budget to enhance Cal-CSIC, the support is not specific to schools. As of now, statutory language only mentions “academic institutions,” which typically applies to postsecondary institutions, according to Papan. This could exclude TK-12 schools from cyberdefense funding.

To prevent that from happening, explicit and direct support is needed to help LEAs prepare for the threats they are facing and equip them to better handle this critical aspect of school safety. AB 1023 would ensure that TK-12 schools are included in the statutory requirements so relevant state agencies are required to provide direct cybersecurity assistance to schools. It would also ensure that any duties and steps undertaken by Cal-CSIC include efforts to specifically serve LEAs.

“We need to be prepared to implement [technology] responsibly and to protect students, staff and their privacy,” Markarian said. “AB 1023 is an important step in that direction, which is why it passed the Assembly unanimously. Now, it’s time to send this bill to the Governor’s desk where he can sign it into law.”

As California schools collect and retain data on nearly 6 million students and generally lack the resources that corporations have to protect themselves, they are increasingly at risk, shared Sacramento COE Executive Director of Technology Services Jerry Jones, who is also a board member of California IT in Education (CITE).

“Ransomware can cripple an entire school district in mere hours and has become the most common form of cyberattack on schools. There have been over 1,300 publicly disclosed ransomware attacks against U.S. school districts since 2016 and an estimated cost of over $7.5 billion. This doesn’t include all instances,” Jones said.

Attacks against LEAs have skyrocketed since 2020, he noted. The number of devices they are responsible for protecting has also risen significantly as schools have more than five times the number of student devices than they did pre-pandemic.

“While the number of devices that K-12 schools must protect has grown exponentially these past three years, the number of staff dedicated to supporting those devices has not increased very much,” Jones said. Because K-12 agencies don’t have any dedicated funding for cybersecurity defense and staff, “this means that schools have little or no resources to combat the barrage of phishing emails, social engineering scams and other attacks that we face on a daily basis.”

With cybercriminals also growing in sophistication with a goal of stealing data to sell back to LEAs, implementing multifactor authentication for staff is an important step that LEAs can take to safeguard themselves, Jones said, as it’s the No. 1 way the criminals are gaining access to systems and accounts.

The press conference was held in the computer lab of Florence Markofer Elementary, where K-6 students learn skills such as TV and podcast production, 3D printing and computer science, including lessons on cybersecurity.