WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Intelligence Committee, and Sen. Susan Collins (R-ME), a member of the Senate Intelligence Committee and the Senate Committee on Health, Education, Labor and Pensions, urged the Biden administration to ensure that school systems across the country are equipped to fend off the growing number of cyberattacks targeting K-12 schools. 

In a letter to the Department of Education Secretary Miguel Cardona, the senators requested that the department issue guidance affirming that school districts across the country have the authority to use federal dollars from two COVID-19 relief funds on cybersecurity resources. The two funds – Elementary and Secondary School Emergency Relief Fund (ESSER) and Governor’s Emergency Education Relief Fund (GEER) – were authorized by the CARES Act supported by both senators. 

“Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic.  While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks,” the Senators wrote. “School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks. With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.”

In the letter, the Senators highlighted last year’s cybersecurity breach at Fairfax County Public Schools, the 11th largest school district in the nation, which had private informationstolen and published online. The senators also cited a report from the Government Accountability Office (GAO), which found that since 2016, more than 17,000 public school districts and approximately 98,000 public schools have experienced breaches that resulted in the disclosure of personal information.

Noting that they have heard from school district leaders who are unsure as to whether they can use relief funds to adopt better cybersecurity measures, the senators specifically requested that the Department of Education publish and publicize guidance clearly stating that these funds may be used to improve cybersecurity. The senators also urged the department to provide recommended cybersecurity benchmarks as well as guidance on suggested spending priorities to best address the disproportionate number of cyber-threats facing school systems.

A PDF of the letter is available here. Text is available below.

Dear Secretary Cardona: 

We write today regarding the continued need to prioritize cybersecurity efforts in the context of our nation’s school systems. You know better than anyone the dramatic ways the COVID-19 public health crisis has affected how students learn. Experts agree that the increased reliance on online learning programs is likely to far outlast the pandemic.  While online learning offers an abundance of positive opportunities for educators and students, without proper cybersecurity defenses, our nation’s education systems face formidable risks.  School districts have a unique opportunity to use COVID-19 relief funds to revamp their cybersecurity systems. Therefore, we strongly urge the Biden Administration to publicize guidance stating allowable Elementary and Secondary School Emergency Relief Fund (ESSER) and Governor’s Emergency Education Relief Fund (GEER) monies can be spent on cybersecurity resources and engage with school districts to increase awareness of the critical need for prioritizing stronger cybersecurity measures. 

The pandemic has changed daily life for almost everyone in many ways; perhaps, there is no clearer example than the sudden shift to remote learning for students of all ages across the country. Census data shows that nearly 93% of people in households with school-age children reported their children were engaged in some form of “distance learning” over the past year.  While the distribution of COVID-19 vaccines has significantly slowed the spread of the virus, some remote learning is likely to continue, with hundreds of the nation’s 13,000 school districts having already created virtual schools intended to operate well into the pandemic’s aftermath.  Even as our nation’s schools fully return to in-person learning, cybersecurity risks will still be plentiful in the technology-dependent modern learning environment. 

With the shift to online instruction, school districts are now incredibly vulnerable to cybersecurity threats. Last fall, Virginia’s Fairfax County Public Schools, the 11th largest school district in the nation, was the target of a cybersecurity breach and ransomware incident that included theft of protected information.  This incident is far from an outlier. A report from the United States Government Accountability Office (GAO) released in September 2020 stated more than 17,000 public school districts and approximately 98,000 public schools throughout the U.S. had experienced breaches that resulted in the disclosure of personal information since 2016.  

School systems must have strong cybersecurity resources available to protect themselves against cyber and ransom attacks. With the increasingly persistent attacks on our schools, they simply cannot wait until they are a target to take action.  

The COVID-19 relief bills Congress passed over the past year allocated millions to ESSER and GEER funds, which can be used for this purpose. In total, these bills included almost $200 billion for ESSER and over $7 billion for GEER. These available funds provide schools with a unique opportunity to invest in cybersecurity resources. While we understand schools must divide these funds across various crucial concerns, the pandemic has catapulted our school systems to an inflection point where investment in cybersecurity is now more critical than ever.

We have heard from school districts unsure whether they can use relief funds for this purpose. We greatly appreciate the Department of Education recently issuing a “Frequently Asked Questions” document, which confirms they can be used to improve cybersecurity “to better meet educational and other needs of students related to preventing, preparing for, or responding to COVID-19.”  We respectfully ask that the Administration take steps to publicize this information and help school districts understand the importance of using funding for cybersecurity efforts, including by promulgating lists of recommended cybersecurity benchmarks that additional resources could help school districts attain. Specifically, we urge the Education Department to issue public guidance clearly stating that states and local education authorities (LEAs) can use ESSER or GEER funds to improve cybersecurity, with guidance on suggested spending priorities to address the endemic threat of ransomware disproportionately impacting school systems. We also ask that the Department develop a plan to make sure school districts are aware of this allowable use and engage with LEAs to ensure they understand the importance of these resources.

We implore the Administration to recognize the urgent national need to prioritize cybersecurity in our nation’s education systems. Because of the relief funding Congress has provided over the past year, we have a real opportunity to address accumulating cybersecurity risks in schools. We encourage the Administration to ensure school systems are aware of this use for these funds and engage with LEAs, so they are equipped to take on this challenge. 

Again, thank you for your attention to this matter. We greatly appreciate your efforts on behalf of our nation’s students, and we look forward to continuing work together as our systems grapple with the aftermath of the pandemic. 

Sincerely,

###