A University of Maryland cybersecurity expert recently testified to Maryland lawmakers in support of legislation strengthening digital protections for the state's public schools.
Charles Harry, Director of the Center for Governance of Technology and Systems (GoTech) at the University of Maryland, College Park, testified before the Maryland State Senate in support of Senate Bill 907/House Bill 1309, which would establish statewide cybersecurity standards for educational institutions.
"Maryland's public schools play a vital role in our communities, and their security must be a priority," said Harry, who provided testimony in conjunction with Maryland State Senator Katie Hester, the bill's sponsor.
Harry, who previously served as a senior intelligence leader at the National Security Agency, presented data showing that cyber threats targeting school districts are increasing in complexity and impact. According to research from his center, there were 425 cyber incidents in K-12 schools nationwide between 2014 and September 2024, with 97% perpetrated by financially motivated criminal actors.
"These institutions face sophisticated and financially motivated attacks designed to disrupt school networks and pressure public officials into paying ransoms to regain access to compromised systems," Harry explained.
Harry cited several recent Maryland incidents, including an unauthorized access event at Prince George's County Public Schools in 2023, a ransomware attack against Baltimore County Public Schools in 2020 that cost over $10 million to remediate, and a 2016 data breach in Frederick County that affected more than 1,000 students.
A key finding from GoTech's research is that individual school districts currently make cybersecurity decisions in isolation without systematically monitoring their networks. In his testimony, Harry also referenced a recent vulnerability assessment by GoTech that identified numerous security concerns across Maryland's county school systems. He advocated for a comprehensive, statewide approach to cybersecurity risk management aligned with national standards such as those from the National Institute of Standards and Technology (NIST).
"While concerns about the cost of implementing these security measures are valid, the financial and operational impact of large-scale cyber disruptions makes these investments both necessary and prudent," Harry testified.
If passed, the legislation would establish minimum cybersecurity standards across Maryland's public school systems and create a framework for continuously monitoring and improving digital defenses.
