Tech Talk: K-12 Cybersecurity — Talking Tech w/ Doug Casey & Cody Venzke
CDT Tech Talks | 2022-04-12 | 32:59
We have another exciting show for you this week!

Here to talk about the importance of cybersecurity for K-12 schools is Doug Casey, Executive Director for the Connecticut Commission for Educational Technology and Cody Venzke, Senior Counsel for CDT’s Equity in Civic Technology Project.

More on our host, Jamal: https://bit.ly/cdtjamal

Attribution: sounds used from Psykophobia, Taira Komori, BenKoning, Zabuhailo, bloomypetal, guitarguy1985, bmusic92, and offthesky of freesound.org.
Transcript
Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:13
CT.
Speaker 2
0:13 – 1:01
Tea. Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Jamal Magby, and it's time to talk tech. We have another exciting show for you this week. Here to talk about the importance of cybersecurity for k through 12 schools is Doug Casey, executive director for the Connecticut Commission for Educational Technology, and Cody Venzke, senior counsel for CDT's Equity in Civic Technology Project. Doug and Cody, thank you so much for being here today. Pleasure to be here. Thanks, Jamal. Likewise. And, Doug, I just wanna extend a very special welcome. This is your first time on the show, and we're super glad to have you.
Speaker 1
1:01 – 1:06
Well, I'm thrilled to be here, and I can't think of a more important topic right now.
Speaker 2
1:06 – 1:14
Well, since you brought it up, let's kick it off. Can you explain why cybersecurity is especially important to our schools?
Speaker 1
1:15 – 2:09
Sure. And I think to start off with, it makes sense to define cybersecurity because I think for a lot of folks, they hear cybersecurity and images of, you know, hackers and dark apartments and The Matrix come up. I think, you know, really simply put, we can think of cybersecurity as keeping bad actors out and protecting systems and computers and networks from folks who wanna do harm. And so when we think about this in the framework of education, we're really thinking about protecting student information and student systems, but we're also thinking about that whole ecosystem of schools, which includes teachers and staff and sometimes even information about parents and other community partners. So it's a really important topic to be covering.
Speaker 2
2:09 – 2:17
So how have cybersecurity concerns changed in the last two years? What is the cost to schools and students if we don't protect schools' cybersecurity?
Speaker 1
2:18 – 7:58
Well, you know, it's really hard to calculate the cost. So I may bypass that for a second, but maybe to sort of flesh out what teaching and learning look like today in our schools to give a flavor or sort of paint a picture a little bit. There are a number of different reasons why this is important. I mean, one is that there's a heightened awareness for cybersecurity concerns. All you gotta do is open up your social media feed or look at the news and you see that cyberattacks are garnering a lot more national attention. They're impacting virtually every aspect of society. We all know someone who is or has been a victim of, you know, folks trying to steal our information, you know, even things that are less techie like phishing scams, those kinds of things. It's a lot more out in front. And so I think the general education community understands the potential, you know, impact of cyber attacks. Schools continue to be vulnerable from a staffing and maturity perspective. It's nothing against schools. But if you think about these institutions that are designed to teach students and provide support to teachers and feed people and provide transportation, and the list goes on and on, to add cybersecurity to their list of concerns is one more thing. And it's not to say that they don't have a very important stake in it, but I think schools have been perceived as good targets from bad actors because they generally don't have the deep resources that, say, a corporate entity does. But that said, district leaders are definitely taking notice. There are conversations at the board and senior leadership levels, like at the superintendent, in your operations folks. And I think this is really important, Jamal.
The framework for this is starting to change, and I see this from conversations with school district leaders that they are starting to see cybersecurity as a parallel to more traditional sort of incident prevention and response. If you talk to any school leader, in fact, a lot of them have received guidance on this in their education about needing to have plans in place for a bus accident or active shooter or, you know, fire and natural disasters. Now we can add to that with cyberattacks. It's not a question of might it happen. It's really a question of when will it happen and how are you gonna respond. And the last thing I would say in terms of the awareness, we've just come across a lot of virtual learning, at-home learning, and in some places that continues to take place. So parents are also a lot more in tune with cyber risks because they've been the ones who have essentially served as proctors and supports for their students, especially during 2020 and 2021 when their students were at home doing remote learning. They've seen firsthand sort of what that data footprint looks like and how much technology their students are using. So I think from an awareness perspective, the word has gotten out. You know, in terms of the footprint, as I mentioned, we have a lot more computers in students' hands. In our own state in Connecticut, we went one to one with computers to students in 2020. We filled that gap. But that also means that there's a lot more, sort of a wider footprint for technology use and hence, as the cyber people would say, there's a lot more surface area for potential attacks. You know, and while we've returned to in-class instruction, there's still a heavy use of technology. So that footprint has shifted.
I would also say that when you think about students going home at night and they're on their own home networks, and most of those home networks aren't as well protected as, say, a school network with a professional who's managing it and overseeing and having firewalls around it. So there's potential for students to be downloading, you know, malware and other kinds of, you know, cyber software that they might be bringing back into the school network. So, again, you've got this sort of blending of technology that's going on. And then, you know, I think finally, in terms of awareness, in addition to all those behaviors going on, you know, you have reports coming out around cybersecurity, cyber attacks. You know, and we look at the totals, and we see sort of the totals in terms of hundreds or thousands of attacks. The reality is the real number of attacks is far wider, far greater than those that are reported. So I think in terms of the culture within schools, we have to think creatively about how to create a safe space for schools to share what's going on, potential or real threats and attacks, and looking at means of allowing a safe space for school leaders to share that information and help their colleagues so that together there's a broader community that can fight these attacks and outsmart the bad guys.
Speaker 2
7:58 – 8:01
That's a really great point, Doug, about the importance of
Speaker 3
8:02 – 10:09
being transparent and feeling like you are safe as an institution to share what's going on in the cybersecurity space. And one of the reasons for that is the point that you raise, which is that both in the pandemic world and a post-pandemic world, families and communities are as much part of the user base as teachers and students are in the school building. And CDT conducts focus groups to try to hear from parents and students about their experience with education technology, and we conducted some of those this past week. And of, I think, two dozen parents and students that we talked to, I think only one stated that they are no longer using school-issued devices at home for some reason. So that attack surface was the term that you used. I know our cybersecurity folks are fans of. It's still very, very broad for schools compared to peer institutions like a local government or a small business. Jamal, you asked at the top too about some of the costs, and Doug touched on there's a financial cost for schools to recover lost data, data that's locked in a ransomware attack. But I wanna point out that some of the costs extend beyond just dollars and cents. You might see a school lose valuable data in a ransomware attack where a hacker might lock down and encrypt data so that the institution can no longer access it. That's critical information that's important to students' and families' well-being and academic success. You also might lose instructional time. We've seen multiple examples where schools, whether they're in person, hybrid, or remote, have to shut down for days at a time in order to recover their systems. And, of course, losing school days is not optimal. But perhaps the biggest cost is a loss of trust. We know that students and parents trust schools and educational institutions with their student data. But that loss of trust, if there's a cybersecurity incident, can be extremely hard to recover.
And losing that trust can make it difficult for educational institutions to provide services to students.
Speaker 2
10:09 – 10:48
So I wanna touch on something that, Doug, you mentioned earlier. And you talked a little bit about the shifts from, you know, from in-person learning to remote learning. And I think a lot of us would assume by now that schools would have a lot more systems in place to protect, you know, this vulnerable information. But it seems like they don't. So I'm wondering why schools are still so vulnerable. And how is leadership responding? And also to add to that, how do we teach new behaviors to improve the outcomes and to keep our students' information safe?
Speaker 1
10:48 – 15:53
Yeah. Those are heavy questions. And I, you know, I think in some ways, it's a great segue from Cody's points about sort of the costs of attacks and responding to them. You know, the converse of that is how do you protect and how do you get in front of these things as much as you can. I think anytime you talk about a risk, you really need to start with leadership. As I mentioned at the top of the program, I think there is an increasing awareness among leaders. And by leaders, I mean members of school boards, who are in charge of overall strategy and governance of a school district, and are the ones who are going to advocate for increased budgets in this area. So really important role there. I think also thinking about superintendents, as the, you know, the superintendent of a school district, she's in charge of the overall operation of the school and teaching and learning and outcomes. And then you've got folks like the technology directors and even school business officers who can move along procurement of services and supports. So that's sort of the mechanics of it. I think in terms of awareness, there is greater awareness among all stakeholders in the education community. You know, and I think it's a very personal thing. Everybody uses technology. Everybody in the school district uses technology. You know, when you think about the importance of student data, I think that's in there too. But she also can't forget that the school district is employing lots and lots of adults who have sensitive data that needs to be protected. So, you know, I think leadership is aware of these things. But I think one of the challenges is sort of meeting in the middle of, if we can all agree, to your point, Jamal, if we can all agree this is important, it's timely, why is there so much of a challenge? And I think one of the reasons why it's hard to catch up is there is a capacity gap.
In our own research in Connecticut, and we did this during and post COVID, we reached out to our school district leaders and asked them about the number of staff who are available to support technology. And keep in mind, with the expansion of technology used during COVID, now you're looking at a lot of districts picking up an expanded sort of definition of support. It used to be that some students in schools had computers, and so during your normal school hours, you'd need to support those kids. Now what you're looking at is in a lot of states and regions, you have students taking computers home, and not just sort of as doorstops, but really central to teaching and learning. That's where all their assignments are. That's where they're meeting with their peers to do project work. It's where they may be engaging in personalized learning experiences. And what I mean by that is, they need help with, say, math, for example, and they're gonna log in and they've got a certain pathway of, you know, doing drills and exercises and maybe even getting real live, real in-person help from a tutor at night on this work. So that technology is essential for them to have, but the sort of staffing that's come around it is now expected to be available almost 24 by seven, seven days a week to students and their families. So I think that capacity has been stretched. And from our research has not been responded to with a commensurate increase in staffing. To give a sense of what we're talking about, our staff to computer ratio in Connecticut is about one to a thousand. So every tech staff member is on average managing a thousand computers. And that's a significant challenge, taking care of that on top of the sort of cybersecurity concerns that are out there. You know, the last thing I'd say is a lot of this comes down to behavior. Cyber hygiene as we call it, a lovely term, but cyber hygiene is key.
Having a sense of shared responsibility to think twice before clicking on things that might download. You get an email, and it looks too good to be true, and you're downloading malware. It happens all the time. I think we've all sort of clicked on things we shouldn't have or didn't take the time and attention to do that. So I think, really, it starts with leadership. It's backed up by capacity, and it's really operationalized, and it becomes a day-to-day culture when everybody from the superintendent, even board members, all the way down to teachers and students have this shared understanding and commitment to protecting the school environment. And that means practicing good cyber hygiene.
Speaker 3
15:54 – 17:20
Doug, that statistic you shared of a thousand to one computer to staff ratio, I think, really demonstrates the unique circumstances that K-12 networks are situated in. One is that a broad swath of the user base for K-12 networks are nonprofessional folks. They're students and they're family members. And that goes back to the point you were saying about building capacity and training and coordinating behaviors of these folks who aren't IT professionals. And that's absolutely critical for ensuring that school networks stay safe, that families and students receive digital literacy training as well. It's another interesting point, though, too. When you have one IT professional for every thousand computers, schools aren't able to develop their own technology solutions, and instead, private vendors play a big role in meeting the needs of educational technology in K-12 districts. But that also means that K-12 data flows are particularly complicated from the local level to state databases up to the federal level, and along the way, incorporating lots and lots of private vendors that will hold critical data. And we've seen a number of incidents where attacks aren't directly on a K-12 network, but on their private vendors that provide certain services. So the multifaceted nature of K-12 educational data really creates some of these vulnerabilities that we've seen.
Speaker 1
17:20 – 19:15
It's a really good point, Cody. And I think, you know, I sort of glossed right over it or didn't even address it at all. You put a really good point on it, which is, you know, you ask the average person who's going to an office or working from home, the systems that they use, and my guess is that 90% of them at least are what we call cloud based. Right? So they're, you know, something like Salesforce or even their email is through a web browser. And the same goes for a lot of school systems where systems that are managing student enrollment or testing data or even your employee data, a lot of this is hosted externally. So while we talk about the school environment, really, we're talking about this extended footprint. And, you know, protections over that are important. One trend that I've seen is this idea of cybersecurity insurance, where in the same way that you take out an insurance policy to protect your home or your car, schools and towns and even private enterprises have taken out cybersecurity insurance to, you know, protect against those situations where they get attacked and sort of how they recover. Interestingly enough, I'm seeing, in our state and other locations, it's increasingly hard to get that kind of insurance coverage, because, from the carrier's perspective, it may not be worth the risk that they are adopting. So it's another reason why that sort of behavior aspect of this is so important that if you can demonstrate good adherence to best practices and cybersecurity protections down to each individual taking ownership of this, it increases your chances of getting that kind of coverage so that you're minimizing that risk.
Speaker 2
19:16 – 19:31
So we've laid out a few key issues. And, Doug, I wanna hear, what has Connecticut done to address some of these? Right? And how has it paid off? What has Connecticut done differently than other states?
Speaker 1
19:31 – 23:34
Yeah. And I did a wonderful job of articulating a lot of doom and gloom. So, hopefully, I can turn the page for them all. But, you know, these are sobering realities that we're dealing with. You know, there's a lot of great best practices that are out there. That is sort of one good, you know, turning the page and talking about the good news. School districts do not need to reinvent the wheel on this. And even if you have limited technology staff, you can turn to the best practices and immediately identify steps that you can take to reduce the chances of getting attacked and improve the chances of recovering quickly. But in terms of what we've done in Connecticut, we've provided free training to school and town employees, passed through some partners in the information security partners that we have at the local, regional, and federal level. So, you know, that's there. Obviously, when you say here's some free training and free resources, that has to be accepted and deployed. If town leaders don't pay attention to that, there's only so much we can do for them. You know, and there's a lot of dialogue that we facilitate within the state with local and regional leaders about these best practices. So that's sort of the behavior side of it. At the higher level, sort of really barring the gates and helping to prevent bad actors from coming in, we put in place a number of protections, and one of them is a distributed denial of service, which is a mouthful, but distributed denial of service, or DDoS as we lovingly refer to it, is a protection against a certain kind of attack. And I would try to paint a picture of this. Imagine the amount of car traffic from the Los Angeles Freeway, parked in front of your school when you're looking to drop off or pick up kids. And that's essentially what a DDoS attack is.
It's dumping a bunch of Internet traffic onto a network, and the effect of that is essentially shutting it down. So to Cody's point earlier, if you don't have protection against this kind of attack, it will literally grind your network to a halt, which may seem like a techie concern. But what that means is you can't take attendance, you can't pull in your student information system. You can't access student and staff records. Your security cameras may not work properly because they're based on the Internet. You may not even be able to control your heating and air conditioning because those are tied to the Internet, and you can't access your bussing routes because those are all online. So, you know, on and on and on, it's this expanded footprint we talked about, and a DDoS attack can really grind a school district to a halt to the point where, you know, as Cody said, worst case scenario is you just can't have a school and you've got to wait for that attack to abate or you're paying off the perpetrators. That's the bad news. And the good news is in Connecticut, we have done a really good job through Connecticut's education network, or the CEN, to put a statewide protection against those kinds of attacks. I won't share some of the confidential numbers, but it's a significant number of attacks that we've been able to identify and mitigate almost to the point where this kind of attack is much less of a concern in our state than it is in others. And it's not to tell how great Connecticut is, although I'm very proud to be part of that. It's more of an indicator that there are regional and state solutions that can be extremely cost effective and have a tremendous, as in tens of millions of dollars, return on investment with a very modest investment.
Speaker 2
23:35 – 23:51
So, Cody, I wanna kick this to you first, and Doug, of course, feel free to chime in. But what steps should federal and state governments be taking to help protect k through 12 networks, especially as they and we work to close the digital divide?
Speaker 3
23:51 – 27:18
That's a great question, Jamal. And just like cybersecurity is a multifaceted problem, the solutions are multifaceted as well. And so I'll give the top line takeaway, and then we can dig in a little bit deeper. But some of the big blocks that can be helpful in supporting K-12 school cybersecurity is providing more resources and more funding, increasing coordination among the entities and stakeholders that are involved in K-12 cybersecurity, avoiding unintended consequences from various pieces of legislation and efforts to bolster K-12 cybersecurity, and creating more transparency and information sharing among the different entities that are helping K-12 schools. And we're seeing progress on each of those fronts. It's something that Congress is taking note of, that various executive agencies have taken note of, and, of course, that K-12 institutions are all too aware of because they are really on the front lines in this effort. But on the funding front, for example, the infrastructure act that was passed this past fall includes funds for state and local governments to help bolster their cybersecurity efforts. And those funding grants include critical provisions that require coordinating councils at the state level that can include K-12 institutions. Now that's a fairly limited amount of funding that's going to a lot of different uses, and providing more cybersecurity support could be useful. And so CDT has been advocating for various K-12 programs like the FCC's E-Rate program to help provide more flexible funding for K-12 cybersecurity. There's similarly been an interest in increased coordination.
The Government Accountability Office released a report last year on K-12 cybersecurity, and its main takeaway was that there's not a lot of communication right now between the US Department of Education, which obviously K-12 schools are intimately familiar with, and the Cybersecurity and Infrastructure Security Agency, which is a branch of US Department of Homeland Security. That's actually the primary cybersecurity agency in this country. And those two entities weren't particularly talking to one another according to the GAO's report. And so we're seeing interest not only in Congress, but in those two agencies to help ensure that there's coordination and collaboration in providing resources and support to K-12 institutions. And on that last front, information sharing and transparency. As I said, the infrastructure act as part of its funding provisions does a good job of ensuring that there is some coordination at the state level among the many entities receiving funds under the infrastructure act. And there's also renewed interest in Congress in establishing specific coordination requirements between the US Department of Education, the Department of Homeland Security, and getting state and local education institutions involved in that coordination as well. Because as we mentioned earlier, education is a multi-government project. It involves local government, state level entities, as well as the federal government. It's important that communication is happening between all three of those levels of government.
Speaker 1
27:18 – 28:36
Yeah. Those are good points, Cody. And I would just say, I would underscore looking at ways to incentivize coordination and efficiencies is absolutely key. And I speak from the point of view of, as a state leader, in looking at what we're doing and the positive outcomes that have come about from coordination both through our state network as well as entities like the Multi-State Information Sharing and Analysis Center, or MS-ISAC. You know, again, these are resources that everybody in our state can take advantage of. Finding ways to incentivize a sort of safe place to report on and learn about current and expected threats so that everybody becomes smarter. There's a lot of good information out there. I think the key for us and, you know, just to echo what Cody was really getting at is the importance of the federal level, state level, and local level just for coordination and efficiencies. Because I really do believe that together these resources and entities can take a significant bite out of that cybersecurity threat that we're facing right now.
Speaker 2
28:37 – 28:45
So to close this out, I just wanna hear, Doug, starting with you and then, of course, following up with Cody. Just any final thoughts?
Speaker 1
28:46 – 31:16
Absolutely. We've talked a lot about some risks and the resources that are needed to be in place and catching up with what seems like a tidal wave of risks. I would flip this around and just say that let's not let perfect be the enemy of great or even good. I would encourage school districts to start off with some of the resources that are freely available now. Cody mentioned the Cybersecurity and Infrastructure Security Agency. School leaders can go to cisa.gov and look for the k through 12 school security guide, some great self-assessment tools. I would encourage school leaders and community members who are interested in this and wanna help their schools out. You will be surprised that you are probably doing some things really, really well in terms of having firewalls in place and doing good training. But you're also gonna discover some gaps and that's okay too. This is, it may seem like a negative statement, but I mean this encouragingly, is that you're never done. It's a practice. You're not looking at expecting perfection. You're going to be practicing cybersecurity and good hygiene and learning about new threats and new actors and vying against those. And I also think, you know, it's really important to communicate with stakeholders. Even when the news isn't good, if there's been a breach, something like that, getting the word out and letting stakeholders know about potential risks or negative events that have happened is going to elevate your level of trust with the community and really foster a dialogue so that everybody feels like they're partners. I would say if it's not already obvious, partner with your legal counsel. Your legal team is there, whether they're internal or external, to help and guide.
And when something happens, and it inevitably will, if you are following best practices, you're gonna have a much better story to tell, and you're gonna have much stronger relationships to have in place so that you've got the partners and the community supports to come around you, help resolve the situation, move on, and hopefully prevent it from happening again. I would just echo what Doug is saying about
Speaker 3
31:17 – 31:57
building trust in the community. We've touched on how K-12 education has so many stakeholders. And any efforts to address K-12 cybersecurity that leaves some portion of those stakeholders out of the consideration is likely to hit some roadblock. So it's important that we provide training and support for students and families and educators as well as improve coordination between school boards, private vendors, state level agencies, and federal agencies as well. And it's only by incorporating each of those stakeholders into the cybersecurity process that we can really move the ball on this issue.
Speaker 2
32:02 – 32:22
Well, Doug and Cody, I wanna thank you both so much for being here today and really appreciate your time in talking about this very important issue. My pleasure, Jamal. Thanks for having me. Thank you, Jamal. Of course. And to our listeners, if you'd like to find out more about CDT's work, please feel free to visit us at cdt.org. I'm Jamal Magby, and thank you for talking tech.
Speaker 0
32:26 – 32:56
Hi. I'm Devon Hankerson Madrigal. I'm the research manager at CDT. You may not realize, but as a nonprofit, CDT relies on the generosity of donors like you. If you enjoyed this episode of Tech Talk, you can support it and our work at CDT by going to cdt.org/techtalk. If you have already donated, thank you. If you have not, we would love your support. Thank you for enhancing civil rights and civil liberties in the digital age.