Budget Cuts and Rule Changes Leave Institutions Vulnerable to Ransomware Attacks, Putting Student Data and Education at Risk

The Trump administration’s budget and personnel cuts, along with rule changes, are stripping away key defenses that schools need to protect against cyber threats. Cybersecurity advocates warn that the escalating number of ransomware attacks on schools could have devastating consequences, exposing sensitive student data and disrupting education.

When hackers hit a school district, they can gain access to Social Security numbers, home addresses, and even disability and disciplinary records. The stakes are high, with schools being a top target in ransomware attacks. In December, hackers stole personal student and teacher data from PowerSchool, a company that runs student information systems and stores report cards, affecting over 60 million students and almost 10 million teachers.

The federal government has been stepping up efforts to help schools, particularly since a 2022 cyberattack on the Los Angeles Unified School District, the nation’s second-largest. However, the assistance is under threat due to budget cuts. The Multi-State Information Sharing and Analysis Center (MS-ISAC), a free cybersecurity service that warns schools about malware and other threats, has lost more than half of its remaining budget for the year. The non-profit organization that runs it, the Center for Internet Services, is digging into its reserves to keep it operating, but those funds are expected to run out in the coming weeks.

Another concern is the effective disbanding of the Government Coordinating Council, which helps schools address ransomware attacks and other threats through policy advice. The council was formed by the Department of Education and CISA, but the Department of Homeland Security, under the Trump administration, reinstated open meeting rules for certain advisory committees, including this one. This makes it difficult for school leaders to speak frankly about efforts to thwart criminal activity.

The elimination of the Education Department’s Office of Educational Technology has also hampered efforts to decide which security controls, such as encryption or multi-factor authentication, should be in educational software and student information systems. Many educators worry that without this federal coordination, student privacy is at risk.

“I would hate for us to go back a few years and not be giving them the attention they should,” said Steve Smith, the founder of the Student Data Privacy Consortium and the former chief information officer for Cambridge Public Schools in Massachusetts. “It’s taken a long time to get to the point where we see privacy and cybersecurity as critical pieces. We need to continue to prioritize these efforts to protect our students and schools.”

Some federal programs to help schools with cybersecurity are still running, including a $200 million pilot program launched by the Federal Communications Commission to support cybersecurity efforts by schools and libraries. However, with budget battles ahead, many educators fear these programs could also be cut. Perhaps the biggest risk is the end to the entire E-Rate program that helps schools pay for internet access, which is slated to be decided by the Supreme Court this term.

“If that money goes away, they’re going to have to pull money from somewhere,” said Smith. “They’re going to try to preserve teaching and learning, as they should. Cybersecurity budgets are things that are probably more likely to get cut. It’s a vicious cycle that we’re in right now, and it’s going to take a concerted effort to get out of it.”

To make matters worse, the increasing reliance on cloud-based services has left many schools vulnerable to data breaches. According to Smith, around 80 to 90 percent of student data is stored in the cloud, making it a prime target for hackers.

“How do we ensure that those third-party providers are providing adequate security against breaches and cyber attacks?” Smith asked. “The office of ed tech was trying to bring people together to move toward an agreed upon national standard. They weren’t going to mandate a data standard, but there were efforts to bring people together and start having conversations about the expected minimum controls.”

The situation is dire, and educators are calling for increased federal support to help schools protect themselves against cyber threats. As Smith noted, “We don’t expect every town to stand up their own army to protect themselves against China or Russia. In the same way, I don’t think we should expect every school district to stand up their own cyber-defense army to protect themselves against ransomware attacks from major criminal groups.”