Just when many school districts were starting to feel good about their wireless coverage and internet bandwidth, they face yet another question about technology infrastructure: how good are their defenses against hacking, or what’s more formally known as “cybercrime”?
Access to the identities of staff and students is one of the main attractions for hackers. According the Federal Trade Commission, “a child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live.” To add more concern, children may not discover their identities have been stolen until they apply for their first job.
Even without social security numbers, student and staff data have monetary value for spammers and marketers. Rather than go to the trouble of reselling data, some hackers find it more lucrative to hold a district’s data to ransom. Hackers simply lock users out of their own data until a ransom is paid. Nearly 10 percent of educational institutions in the US have already received “ransomware” according to CETPA president Aaron Barnett in his keynote address at the organization’s most recent annual conference in Sacramento, Calif.
School districts are soft targets
School districts are attractive for another reason: they are easy. Most districts cannot afford the resources to mount a solid defense against an increasingly sophisticated and constantly changing adversary. Tools are getting better but skilled staff to make optimal use of the tools and monitor the network 24x7 is not increasing. This is an “arms race” most districts are destined to lose. Nearly all IT leaders I spoke to at CETPA agreed: it is only a matter of time before their district network would fall victim to a major break-in.
Making districts less attractive to hackers: moving to the cloud
Khai Nguyen, senior manager in the technology services department at the Los Angeles County Office of Education, said that he and his colleagues are constantly reminding themselves that IT is just a utility—education is their core business. Given that education funding is not likely to increase significantly anytime soon, IT departments need to seek the most cost effective ways to deliver secure technology to their users. Making itself less attractive to hackers by reducing the amount of data it houses on its own servers may be a better financial strategy for a district as a whole than funding a comprehensive cybersecurity program; it may make economic sense to move most of their applications to the “cloud” (that is, let vendors “host”).
Moving to the cloud can be good for both vendors and schools
It is in the interests of the edtech industry for educators to feel confident about using technology. Wireless, once a frustration for many teachers, has largely improved. Edtech cannot afford to let the specter of cybercrime dampen enthusiasm.
Providing hosted services rather than giving districts the software to install on their own servers is better for edtech companies; it makes their products easier and cheaper to deploy and maintain. Given the financial and user support challenges facing edtech companies, these economies should translate into benefits for both vendors and schools, and stimulate the edtech market as a whole. But while IT leaders at CETPA agreed it was just a matter of time before everything would be in the cloud, most were not ready to give everything away right now and cited a plethora of reasons for their caution:
Resistance to the cloud: facts, myths and emotions
- Loss of Control: “I like to have control over what is going on.” (Doesn’t everyone have this concern about driverless cars?)
- Loss of visibility: “I like to be able to see what is happening at all times.” (The first astronauts wanted a window in their space capsule, even though they had control over nothing.)
- Concerns about ownership of data: “I don’t want to risk the vendor going out of business or changing its hosting agreement that holds our data to ransom.”
- Need for flexibility: “I need access to the server to integrate other applications.”
- Nervousness about reliability: “My operations are very time critical and cannot risk the internet going down just when I need to run payroll.”
- Skepticism that the cloud is more secure: “Even if the applications are hosted, cybercriminals can still access our data if they hack our network.”
- Concerns about data privacy: “I don’t trust the vendor to keep our student data private.”
- Reluctance to delegate: “I don’t actually believe vendors can do a better job protecting the data against hackers than we can.”
- Ego: One CTO of a large California district admitted, “running servers in a data center is what many of us have been doing for most of our careers; we need time to make the mental shift.”
Cybersecurity is a fast moving game of cat and mouse
Nearly all myths and emotions are based to some degree on fact. But while most industry experts agree the cloud is not intrinsically more secure, underfunded and understaffed district IT departments cannot win this fast moving game of cat and mouse without a lot of outside help. Plus, what is true today may not be true tomorrow. According to cybersecurity firm Symantec, 54 “zero-day vulnerabilities” (security holes in platforms such as Microsoft Windows that can be exploited by hackers before the vendor can deliver a fix) were discovered in 2015, an increase of 125 percent from the prior year.
Edtech companies cannot address all the concerns listed above, but they can take actions that make district tech directors feel more comfortable with hosted solutions. Since technology is their core business, they should be following cybersecurity best practices and provide transparency into their operations to give tech directors the confidence to let go.
The buck still stops at the IT director’s desk
However, Carl Fong, executive director of IT for the Orange County Office of Education, has stressed that moving the data to the cloud does not abrogate the district’s responsibility for the security of its data. While they should make sure their security concerns are met before they purchase any hosted solution, they still should do as much as possible to secure their own networks, like following the Cybersecurity Framework for K-12 that is about to be published by CETPA and the Technology and Telecommunications Steering Committee of California County Superintendents Educational Services Association.
Fong also stressed the need for annual cybersecurity audits of both the district and their cloud vendors, and suggested that hiring third party consultants for the audits might be a good use of district funds. (In a lawsuit for a data breach, Fong advised how a jury could be unforgiving to a district that pleads poverty for not deploying adequate expertise to cybersecurity.)
Wanted: A joint effort among districts, vendors and government
When concerns about lack of broadband threatened to choke the expansion of educational technology, the Obama administration launched the Connect Ed initiative in 2013 and expanded the E-rate program that has enabled thousands of school districts to upgrade their networks.
Cybercrime is the next threat.
According to the Global State of Information Security Survey 2015, the number of detected incidents has increased at a compound growth rate of 66 percent since 2009. By providing cloud services that IT directors can feel good about, edtech companies can help maintain the momentum that has been powering the industry. And perhaps in the future, E-rate can be modified to help districts fund cybersecurity when the current program expires in 2019.
The silver lining
Summit Public Schools CTO Bryant Wong and Director of Digital Safety Joe Bielecki provided a more positive note during their CETPA presentation. Summit leaders have been using their security tools not only “to keep the bad stuff out” but also to allow both teachers and students to see what was being accessed, and provide teaching and learning opportunities about living safely and thriving in the digital world.