[UPDATE: January 7, 2018. This piece was originally published December 18, 2017 in partnership with EdSurge (based on my experiences in producing the K-12 Cyber Incident Map). It is reproduced in full below.]
Confronting K-12 Cybersecurity and the End of Innocence
Offer up your best defense
But this is the end
This is the end of the innocence
—Don Henley and Bruce Hornsby, The End of the Innocence (1989)
In discussions among educators and entrepreneurs about the importance of student data privacy, issues of information technology security risks and threats are often glossed over. While data breaches and technology vulnerabilities from companies such as Apple, Equifax, Google, Intel, Uber and even the federal government have been in the news, it has remained an open question as to whether K-12 schools themselves are really at risk. After all, what is the worst that could happen if such systems were compromised? How might breaches of student (or teacher) data be used to cause actual harm?
As we come to the close of 2017, it is increasingly evident that K-12 cybersecurity threats are neither hypothetical, nor imagined. In our rush to embrace technologies for teaching, learning and school operations, we may have made innocent, but ultimately faulty assumptions about the need and effort required to protect digital assets and data.
In an effort to understand the state of cybersecurity in the nation’s public schools, I launched the K-12 Cyber Incident Map earlier this year. By creating a visualization of cybersecurity incidents from 2016 to the present, my intent was to share some insights into questions such as:
- How prevalent are cyberattacks on school networks and on school vendors? What is the nature of these attacks? How significant are they?
- What costs are borne by schools in preventing and responding to malware, ransomware, and breaches?
- Are these threats increasing or decreasing over time? Are schools managing these threats better or worse than in the past?
As we come to the close of 2017, the answers to these and related questions are becoming clearer—and the emerging picture on the map is sobering. There have been nearly 300 cyber incidents experienced by K-12 schools from coast to coast in the last two years alone.
These are only the incidents for which there is a public record. Many more go undisclosed. They have resulted in the release of sensitive personal information of thousands of students and teachers, widespread identity theft and the loss of significant instructional time. Dealing with these events cost hundreds of thousands of taxpayer dollars. Some incidents have led to criminal charges against the perpetrators and to threats of jail time, even in cases where the accused are themselves young students caught hacking into their own school systems.
As if this wasn’t concerning enough, the consequences for inadequately secured technology in schools was thrown into sharp relief earlier this year by criminal hackers who made threats of violence against young children in multiple school districts.
As we turn to 2018, we will continue to see new money and investment flow to entrepreneurs convinced they can deliver on the promises of the next big thing in education. Many good (and bad) ideas and innovations will compete to gain traction in the K-12 market, which can be arcane and unforgiving to even the best of new entrants.
But as more online educational tools are funded, built, and used, cybersecurity will need to become a new priority for school officials and entrepreneurs both. Collectively, we must grapple with how to better secure and protect school technology assets and data. If it is collected, if it is connected, we must assume that it can and will be breached. The stakes for getting school cybersecurity right are very high indeed.
The good news is that there are quick wins to be had. Many commonsense cybersecurity steps for districts are not costly or complicated, including ensuring school software is patched and up-to-date, implementing modern password policies, and educating school staff and students about how to be more skeptical of emailed links and file downloads. Nevertheless, cybersecurity issues will require our constant vigilance and attention.
With the clear-eyed recognition that implementing technology in schools, while helping us to better serve students and make more effective use of taxpayer dollars, also introduces new risks, in the years to come we will look back and see that 2017 was the year that marked the end of the age of innocence for educational technology.