When hackers target a school district, they can reveal Social Security numbers, home addresses, and even disability and disciplinary records. Cybersecurity experts now warn that the Trump administration's budget cuts and personnel reductions, along with rule changes, are removing key defenses schools rely on.
"School cyberattacks are on the rise and when we most need federal assistance, it's being taken away," said Keith Krueger, chief executive officer of the Consortium for School Networking, a group of K-12 technology officials.
The stakes are high. Schools are the number one target in ransomware attacks, and cyberthieves have even succeeded in taking entire school districts offline. The biggest such breach happened in December when cyberthieves stole the personal data of students and teachers from PowerSchool, a firm that operates student information systems and houses report cards. The haul consisted of data on over 60 million students and nearly 10 million teachers. PowerSchool paid an unspecified ransom but the thieves didn't relent. Now, in a second wave of extortion, the same attackers are demanding ransoms from school systems. The federal government has been ramping up to assist schools, especially since a 2022 cyberattack on the Los Angeles Unified School District, the country's second-largest. Now this desperately needed help hangs in the balance.
Of greatest concern is a cybersecurity service called MS-ISAC, short for Multi-State Information Sharing and Analysis Center.
It alerts the more than 5,700 schools across the nation that have enrolled in the service to malware and other dangers and suggests security patches. The technical service is available at no charge to schools but is funded by a yearly congressional appropriation of $27 million through the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security. On March 6, the Trump administration provided notice of a $10 million reduction in funding as part of deeper budget and personnel reductions across CISA.
That was eventually bargained down to $8.3 million, but the service still spent well over half of its remaining $15.7 budget for the year. The non-profit organization that operates it, the Center for Internet Services, is draining its reserves to maintain it. But money for those services will be depleted in coming weeks, and it is not certain how the service will go on without charging user fees to schools. "Most districts lack the funds and resources to accomplish this themselves, so not being able to access our no cost services is a concern," said Kelly Lynch Wyland, a representative for the Center for Internet Services.
Another issue is the successful dismantling of the Government Coordinating Council, which assists schools in responding to ransomware and other attacks through policy guidance, such as how to respond to ransom demands, whom to notify when an attack occurs and best practices for avoiding attacks.
This coordinating council was established just a year ago by the Department of Education and CISA.
It unites 13 nonprofit school groups serving superintendents, state education officials, technology officers and others. The council met regularly following the PowerSchool data breach to exchange information. Now, during the second round of extortions, school officials have been unable to convene because of a change to the rules on open meetings. The group was initially exempt from meeting in public because it was discussing threats to critical infrastructure. But the Trump administration's Department of Homeland Security revived open meeting rules for certain advisory committees, such as this one. That makes it hard to talk openly about stopping criminal activity. Non-governmental organizations are attempting to revive the council, but it would be in a weakened state absent government involvement. "The FBI really comes in when there's been an incident to find out who did it, and they have advice on whether you should pay or not pay your ransom," said Krueger of the school network consortium.
A third issue is the removal in March of the Education Department's Office of Educational Technology. This seven-member office addressed education technology policy — including cybersecurity. It published cybersecurity guidance for schools and conducted webinars and meetings to describe how schools could close the gaps and harden their defenses. It also hosted a biweekly meeting to discuss K-12 cybersecurity throughout the Education Department, including offices that work with students with disabilities and English learners.
Removing this office has hindered efforts to determine which security controls, including encryption or multi-factor authentication, should be included in educational software and student information systems.
Many teachers fear that without this federal coordination, student privacy is in jeopardy. "My greatest fear is all the information that's floating out in the cloud," said Steve Smith, a founder of the Student Data Privacy Consortium and the previous chief information officer of Cambridge Public Schools in Massachusetts. "Most likely 80 to 90 percent of student data is not on school-district managed services. It's being transmitted to ed tech providers and being stored on their data systems."
Proposed Trump Cuts Could Put Student Data at Risk of Cyberattacks