Safeguarding Students: The Impact of Funding Decisions
Cybersecurity is no longer a "nice to have" in education. It is foundational to safeguarding student futures.
John Spiegel
6/2/2025


I am the father of two kids in public school. While I am a few decades (if I am honest, add a few more) from being a student, I am always amazed by how quickly our current crop of students can adapt and leverage technology. Take for instance creating graphics. I’ve used the SaaS app Canva to improve marketing images to help my storytelling in presentations. I thought it was pretty cool. My daughter, a 5th grader at the time, came home one day and showed me what she was working on. Yup, it was Canva and she’d created a 5-minute visual story about a girl who played soccer. It was 10x better than anything I’d done. Which brings me to this. Our schools are now highly digitized. Classes often involve Chromebooks, grading is provided by a portal, SaaS apps are leveraged and while I have not seen it yet, GenAI, I am sure, is on deck. While all of this is amazing and a solid investment in our future workforce, it comes with a cost: Personally Identifiable Information, or PII. And guess what, that data has value not only to the school districts but to the cybercriminal. From grades and behavioral records to addresses, Social Security numbers, and medical histories, the sheer volume of PII held by school districts has made them prime targets for cybercriminals. Yet, even as cyber threats grow in scale and sophistication, school systems remain woefully underprepared—and increasingly underfunded—to defend themselves.
The recent spike in school-based cyberattacks underscores the scope of the threat. In December 2024, PowerSchool, one of the most widely used education software platforms (PowerSchool is now used in the school district I was educated in), was hacked. Sensitive information—ranging from home addresses and health records to Social Security numbers—was stolen, affecting thousands of students and educators across multiple districts. A 19-year-old was later charged with the attack, illustrating both how accessible such data can be and how relatively low the barrier to entry is for cybercriminals.
And this wasn't an isolated incident. In the same year, more than 20 school districts in Long Island, New York, were compromised through phishing attacks and exploitation of outdated systems. These breaches exposed personal data for more than 10,000 students, prompting fears of identity theft and long-term harm. Why is the data targeted? Because it is highly valuable.
As with adults, children's Social Security numbers or health information are used for nefarious purposes and can circulate on the dark web for years. But unlike adults, children are less likely to monitor their credit or be alerted to fraud until they come of age. And when they do, more and more we are finding that their identities were compromised. This comes to light when they apply for student loans or credit cards. That stolen identity may have been used to open fraudulent bank accounts, secure loans, or even commit crimes—all before the student has a chance to establish a legitimate digital identity of their own.
The criminal underworld actively trades in this data. On dark web marketplaces, stolen student PII is often packaged and sold in bulk, fetching high prices due to its long-term utility. With access to a student's full profile—name, date of birth, address, school records, and guardian contact info—scammers can launch targeted phishing attacks, impersonate family members, or manipulate online accounts. These aren't just theoretical risks; they represent a very real threat to the financial and emotional well-being of young people. And if that is not enough, wait until GenAI deepfakes come into play.
Alright, how do we better protect our schools and the PII they hold? It’s a complicated problem, as most school districts lack the financial and human resources to defend themselves effectively. Many operate without a full-time IT security specialist. Some rely on outdated software and hardware, making them easy targets. Others, due to budget constraints, fail to provide routine cybersecurity training for staff and students—leaving them vulnerable to social engineering schemes and phishing scams.
One group which has been helping is the Cybersecurity and Infrastructure Security Agency (CISA). They have stepped in to offer guidance, free toolkits, and workshops. Alongside the U.S. Department of Education, CISA has launched a joint council to coordinate national efforts to improve cybersecurity in schools. But these initiatives, as impactful as they may be, are largely advisory and are now at risk due to funding challenges. Recent developments indicate significant funding challenges for CISA, which could have profound implications for school districts nationwide, including those in my home state of Oregon.
In May 2025, the new administration proposed a substantial $495 million reduction to CISA's budget for fiscal year 2026, decreasing its funding from nearly $3 billion to approximately $2.38 billion. This 17% cut is poised to result in the elimination of about 1,000 positions, effectively reducing CISA's workforce by one-third. Key areas affected include, yup, you guessed it, outreach programs, cyber training, and stakeholder engagement, all of which are vital for supporting K-12 school districts in enhancing their cybersecurity measures.
These budgetary constraints come at a time when school districts are increasingly reliant on CISA's resources to combat escalating cyber threats. CISA has been instrumental in providing guidance, training, and tools tailored to the unique needs of educational institutions. For instance, the agency has released comprehensive recommendations and toolkits to help K-12 schools bolster their cybersecurity defenses. However, with the proposed funding cuts, the availability and effectiveness of such resources may be significantly diminished.
The potential reduction in CISA's support could leave school districts, especially those with limited resources, more vulnerable to cyberattacks. This is particularly concerning given the sensitive nature of the data schools handle, including students' personal and financial information. Without adequate federal support, districts will struggle to implement necessary cybersecurity measures, increasing the risk of data breaches and associated consequences for students and staff alike.
Added to this, as reported by The Hechinger Report, the federal government's primary K-12 cybersecurity initiative, the Education Department's grant for student data protection, is set to end in 2025. This program was one of the only targeted efforts providing direct support to schools to help them implement best practices, hire cybersecurity consultants, and develop training programs. Meanwhile, additional proposed funding from Congress—most notably a $1 billion allocation championed by Senator Mark Warner to support cybersecurity in public schools—has yet to materialize. As a result, school districts will be left with no guidance from CISA and worst of all, no means to act on it.
So, what can you do? This is where the broader education community—and the public—must speak up. It's time for lawmakers to prioritize cybersecurity in our schools the same way we prioritize physical safety. Cyberattacks are not abstract threats; they're real, recurring, and growing in frequency. Every exposed student record is a potential lifetime of fraud, anxiety, and missed opportunities.
To truly protect students, we need a multi-pronged approach: enforceable data protection standards, robust school-level security programs, and meaningful federal investment in both programs to help schools understand the risk environment and upgrade the tools they leverage to store and protect this sensitive PII. Without it, our schools will remain easy prey—and our students will continue to bear the long-term consequences of today's inaction.
Cybersecurity is no longer a "nice to have" in education. It is foundational to safeguarding student futures. We must urge Congress and the greater government agencies to revive and expand cybersecurity funding for K-12 institutions. We must support groups like CISA and the Department of Education in their efforts to educate and protect.
The clock is ticking. Every day without proper safeguards increases the risk that another child's future will be compromised. Let's act now—before the next breach becomes another national headline.