States Step Up to Help Schools Fight Hackers

At the federal level, 2023 also saw increased activity. The Federal Communications Commission (FCC) launched a three-year, $200 million pilot program to help schools and libraries acquire cybersecurity equipment and services. Meanwhile, the Cybersecurity and Infrastructure Security Agency provided recommendations to guide districts in prioritizing and implementing security measures. 

Julia Fallon, executive director of SETDA, which represents state leaders in digital learning and educational technology, points to several factors driving states’ increased attention. The number of cyberattacks on schools nearly doubled between 2021 and 2023, she says, including several ransomware attacks on high-profile districts. She believes that lawmakers also recognized that schools are more susceptible to attacks due to their rapid adoption of technologies during the pandemic, combined with new risks related to artificial intelligence.

There is also growing awareness that small and under-resourced districts need help, says Fallon. 

“It’s important to recognize that smaller districts, especially those in rural areas, face unique challenges,” she says. Without an influx of students or funds to support a dedicated cybersecurity professional, “they rely heavily on external support from the state.”

Task forces and other collaborative efforts give small districts the benefit of shared resources, training and cost-effective solutions, while state-funded assessments and cybersecurity awareness platforms can help them strengthen their security posture, Fallon says.

Here’s how schools in Michigan and Texas are leveraging state resources to help them navigate cybersecurity challenges.

RELATED: Small and independent schools are managing cybersecurity. 

Michigan Schools Team Up to Improve Cybersecurity Posture

In the Wolverine State, Senate Bill 173 amended the State School Aid Act in 2023 to allocate $9 million for a statewide security operations center (SOC), called MiSecure, service area of the Michigan Association of Intermediate School Administrators. MiSecure provides managed detection and response (MDR) services. The Michigan Education Technology Leaders (METL) group, a collaborative network of MAISA, played a pivotal role in securing the funding with the goal of helping districts implement high-impact cybersecurity measures, according to Dwight Levens. Levens is a MiSecure advisory board member and chief technology and information officer of Oakland Schools, an intermediate school district.

The METL cybersecurity task force and MiSecure developed a self-assessment tool for districts to evaluate their cybersecurity readiness. The state funding supporting MiSecure and its offering of a managed detection and response solution will allow districts to improve their cybersecurity posture immediately as they work to remediate any deficiencies found in the self-assessment, says Levens.

“Michigan has done a lot of statewide initiatives, and I think this one is going to be impactful for many years into the future,” he says.

The SOC offers districts the option to receive centralized support through MiSecure or purchase more granular security management while also leveraging the support of MiSecure. Having that flexibility is key to supporting the cybersecurity postures of the diverse districts served.

SOCs and other centralized services are one of the most effective ways that states can raise the overall cybersecurity posture, says Fallon. “State-managed services relieve some of the burdens on districts and provide them with real-time support,” she says.

In Michigan, MiSecure selected CrowdStrike Falcon Complete as the SOC’s MDR solution and is working with districts to obtain licenses. CrowdStrike’s suite of capabilities encompasses endpoint and cloud security as well as 24/7 threat hunting and response.

WATCH NOW: Check out one California district’s proactive cybersecurity efforts.

Levens emphasizes that while MDR services can vary by vendor, they are particularly important for districts that don’t have dedicated security teams. Through the SOC, districts will have access to consistent support and expertise they may not have budgets to sustain otherwise. 

“You have organizations that are all sitting in different places from a cybersecurity maturity and resource perspective, and this leverages the collective power of the group as designed in Michigan,” says Levens.

Texas District Seeks Funding for Security Assessment and Training 

Texas took significant action in 2023, passing five cybersecurity bills, including House Bill 1, which allocates $55 million to the state’s K–12 Cybersecurity Initiative. The Texas Education Agency (TEA) said it sought the funding “to counter the rising surge of ransomware and malicious activity.” The funds will support in-kind services to local education agencies, especially those in rural areas. 

While some state initiatives focus on long-term goals, such as expanding the cybersecurity workforce, this one is designed for immediate impact. TEA encourages districts to take advantage of the opportunity to implement controls such as endpoint detection and response, multifactor authentication and enhanced email security.

Eva Mendoza, the chief information technology officer for the San Antonio Independent School District, has applied for several grants offered through the initiative, including one that would fund a third-party cybersecurity assessment that she says would be very beneficial. 

“We do self-assessments, but an external assessment would provide an in-depth look that can serve as our roadmap for the next two to three years, says Mendoza. “It would show us where our gaps are and where we need to go.” 

She’s also hopeful about securing a workforce development grant to provide formal training for her homegrown cybersecurity team. 

“It’s a challenge in K–12 as we just don’t pay what a corporation pays,” she says. “My director has led a lot of in-house training with our team, but to get formal training for them would be amazing.” 

San Antonio ISD is still waiting to hear whether its requests have been approved, but Mendoza says she is optimistic.

DISCOVER: School districts are addressing cybersecurity on a budget. 

States Continue to Explore Longer-Term Funding Strategies

While IT leaders appreciate the increased support from state lawmakers, many believe K–12 cybersecurity challenges will require sustained efforts and additional funding.

“We are very grateful for the budget allocation, and it’s an incredible step in the right direction, but we know more is needed,” says Levens. “There are a lot of different ways that could happen, but that’s up to our legislators. We are hopeful that the success of MiSecure will motivate those efforts.”

Because the FCC’s $200 million program, while significant, must be distributed among many recipients — libraries as well as schools — that could lower the perception of the pilot’s potential impact: “Every step to protect our schools from bad actors is significant.”.

Fallon points to data from SETDA’s 2024 annual survey, which shows that there has been a notable decrease in the percentage of state leaders who believe their states provide sufficient cybersecurity funding. “This decline could be due to heightened awareness of the increasing costs of maintaining security systems as cyberthreats evolve,” she says.

The 2024 sunsetting of pandemic-era funding, such as the Elementary and Secondary School Emergency Relief Fund, also has districts worried, she adds.

“States are continuing to explore long-term funding strategies, though many districts, especially small ones, still rely on collaboration and shared services to meet cybersecurity needs,” she says.