Credit: Photo illustration: Kim Jackson | Sahan Journal

A proposal in the Minnesota Legislature could help K–12 schools recover from cyberattacks. But experts say it may not do much to prevent the attacks in the first place.

The $2.2 billion House education omnibus bill, which was unveiled Monday, would allocate $35 million in one-time grant funding for school districts and charter schools to address school safety issues, including both building security and cyber security.

The bill comes on the heels of several high-profile school safety incidents. The St. Paul Public Schools community is reeling from a fatal stabbing inside a high school in February, in which a student is accused of killing his classmate, 15-year-old Devin Scott. And the country is grieving yet another mass school shooting, this time at a private Christian school in Nashville. The funds would allow Minnesota schools to pay for building upgrades to enhance school safety. 

This year, for the first time, the Legislature’s school safety grants would also allow funding for cybersecurity. It’s an issue that has received increased attention in Minnesota since a February ransomware attack on the Minneapolis Public Schools, which the district has described as an “encryption event.” The attacker later released personal information of current and former staff and students on the dark web. Minneapolis Public Schools has said it is working closely with the FBI, reviewing the data, and contacting affected individuals. 

According to cybersecurity firm Emsisoft, at least 45 school districts nationally experienced ransomware attacks in 2022—including Minnesota’s Independent School District 728 in Elk River.

Governor Tim Walz’s budget proposal explained that the Legislature allocated $25 million to school safety grants for violence prevention and building security in 2018. The same day the Minnesota Department of Education opened the grant application process, the agency received nearly 1,200 applications requesting more than $250 million. Walz proposed $50 million for school safety grants this year, and broadened the grant criteria to include cybersecurity.

“Cybersecurity in general for the last few decades has gotten more and more important,” said Representative Cheryl Youakim (DFL–Hopkins), the House Education Finance Committee chair. “Our public schools, just like our cities and counties: Everybody has the same types of threats for the information and data that’s out there.”

Districts and charter schools could use the school safety funds for cyber insurance premiums and associated costs with obtaining the insurance. The bill would also allow school districts to use existing school safety funds for cybersecurity.

But experts told Sahan Journal that providing grant funding for cyber insurance would not solve the issues that make school districts vulnerable to cyberattacks. 

Doug Levin, the director of the K–12 Security Information eXchange, a national nonprofit dedicated to school cybersecurity, described the Minnesota bill as a “positive step.”

“There’s no question that schools need support,” Levin said. “But I think that school districts in the state would be better served by a more coherent strategy for building the long-term capacity of schools to better defend themselves.”

Soumya Sen, an associate professor of information and decision sciences at the University of Minnesota’s Carlson School of Management, said that training is the key to addressing cybersecurity challenges.

“While using the funds for security facility improvements and upgrading or patching systems can be useful, the key problem the schools need to address is that most cybersecurity incidents are a result of human negligence, and the lack of training to avoid phishing and scamming attempts,” Sen said in an email to Sahan Journal. Training staff, students, and others with access to the school’s computer systems on data security would be a better solution than using insurance to limit the damage, Sen said.

Levin, the director of the K–12 Security Information eXchange, raised concerns that the grants would provide one-time funding, though cyber insurance is an ongoing cost for districts. And he noted that insurance helps districts recover after a cyberattack has already happened; it doesn’t prevent the attacks.

“There are attacks every day against organizations that are much, much better resourced than schools,” he said. “So it’s not just money. It’s not just going out and buying a better firewall or better anti-virus software that’s going to make a difference. Some of what’s going to have to change are policies.”

While school districts might use different technological platforms, they have similar cybersecurity needs, he said. Centralizing technical expertise in regional hubs could be more efficient than trying to hire or train a cybersecurity expert in each district. 

Levin would also like to see the state look at cybersecurity reporting laws, like California passed last year.

Required reporting could help schools learn from districts that have suffered ransomware attacks, and take preventative measures, he said. Reporting laws can also make sure districts have to notify people affected by data breaches in a timely manner. “Parents, educators, other school staff, students themselves, can’t take steps to protect themselves if they don’t know that their information has been exposed.”

Youakim, the education finance committee chair, said that the House education omnibus bill focuses on increases to school funding. 

More than 80 percent of the House education budget goes to increasing the funding formula, indexing it to inflation, and tackling the “cross-subsidies” that have long eroded school budgets, Youakim said. State and federal governments require school districts to provide services for  English-language learners and special education students, but do not reimburse them. These cross-subsidies cost some districts tens of millions of dollars annually. Advocates have said that funding the cross-subsidies would free up districts to spend on other needs. The House proposal would fully fund the English language learner cross-subsidy starting in fiscal year 2027, and cut the special education cross-subsidy in half. 

“We had a lot of pent-up need. We were underfunded for two decades,” Youakim said. “It’s just about having to prioritize within a budget.”

The Senate education omnibus bill does not currently allocate funding for school building security and cybersecurity grants. The House and Senate versions must be reconciled in conference committee before the Legislature votes on a final education bill.

Becky Z. Dernbach is the education reporter for Sahan Journal. Becky graduated from Carleton College in 2008, just in time for the economy to crash. She worked many jobs before going into journalism, including...