Cyber Security at the District Level

Are you ready to prevent unlawful, unauthorized or simply misguided use of your technology? by Scott LaFee

In California, a high-school junior hacks into his school district’s computer network and copies students’ Social Security numbers and other confidential information. District officials have no choice but to send letters to all families advising them to take measures to protect their children’s records from possible fraud.

In Ohio, a 13-year-old deletes student records from a school district’s electronic reading program. School officials find themselves in trouble as well when it’s revealed the district had failed to back up the files onto a separate server.

And in Florida, two students steal a password from a teacher’s computer, break into the school’s server and start charging $5 to change other students’ grades.

These are real high-tech horror stories, and while the culprits were all caught and punished, the damage was done — both in actual loss or abuse of school data and in damage to the reputation of the school district and their leadership.

Tempting Targets

The latter point cannot be overstated. In an era of digital technologies, school districts find themselves on a cutting edge, one that slices both ways. Technological tools like the Internet, e-mail, networked computers and such have revolutionized the way children are taught and schools are run, but they also have created new management challenges and ethical issues that many school systems are only beginning to recognize and address.

For example, a tech-savvy district these days has the ability to collect, analyze and disseminate reams of data on everything from neighborhood demographics to individual student histories. That’s useful stuff for administrators seeking to find the biggest bang for their budget or for a teacher trying to understand why a particular pupil isn’t doing well academically.

But what happens if that information gets into the wrong hands or is used for unlawful, unauthorized or simply misguided purposes? These are questions that keep some educators up late at night. The problem, according to several authorities, is that these questions don’t keep enough educators up late at night.

“The only thing protecting most school districts right now is that they’re not as tempting a target for electronic abuse and criminal acts as business,” says Steven Miller, director of the Cyber Security for the Digital District, a project of the Consortium for School Networking, a national nonprofit organization that promotes the effective use of technology in K-12 education.

“On a scale of zero to 10, with 10 being districts that have done a good job of protecting their networks and databases, I’d say the general score nationwide is close to zero, maybe 1 to be generous,” Miller adds. “I’m not just talking about small districts, but most medium-sized ones too. School districts tend not to have specialized staff for information technology until they get very large or very wealthy. A middle-sized district might have a person or two. A small district might have a principal or other administrator handle IT just another part of their job.

“Unfortunately, the world has gotten messed up enough, and will stay messed up enough, that districts that don’t deal with cyber security issues now or soon are eventually going to find themselves without a functioning system.”

Perhaps because he often deals with or hears about the most extreme abuses, Miller is more pessimistic than others who say most school administrators at least know there’s a problem, even if they don’t know exactly how to resolve it.

“I think cyber security awareness is high (around the country),” says David Richards, director of education technology for Rochester Community Schools in Rochester, Mich. “I do a lot of work with groups like CoSN [Consortium of School Networks], and most districts seem to know the dangers and their needs.”

Those dangers and needs, though, are daunting and myriad. It’s not just misguided students. They tend to be the least of a school district’s cyber security worries. The really troubling threats are serious hackers, criminals and the ongoing, seemingly endless plague of electronic viruses and worms.

In 2004, for example, the number of known computer viruses reportedly topped 100,000. It’s estimated that at any moment, day and night, there are at least 2,000 programs on the Internet poking and probing for security holes in computer networks. Some are harmless, but others can cost damage in the thousands and millions of dollars. The typical virus attack, according to a resent International Customer Service Association survey, cost $11,000 and 11 person-days to repair.

Perhaps more troubling are less visible abuses and unwanted intrusions into cyberspace. Spyware are subversive, invasive programs that burrow into unprotected computers, troll for data and send it to a third party. “Phishing” is the often-criminal act of sending e-mails that falsely claim to offer something in return for personal data, such as credit cards or bank accounts. And then there’s server hijacking, in which an outside party surreptitiously and often remotely takes control of a server — a computer or device on a network that manages the network’s resources, everything from files and printers to network traffic.

Miller says he recently heard about a server hijacking case in Louisiana where a school district’s server had been unknowingly usurped to disseminate pornography in China.

Irresistible Force

Despite these kinds of problems, few districts have refrained from investing heavily in technology. Indeed, more than $7 billion will be spent this year alone in K-12 schools on new technology. According to a study by Quality Education Data, a market research firm in Denver, the typical school in 2005 will spend $53.72 per student on technology hardware — approximately 38 percent of the average total per-pupil technology expenditure.

Most of this technology, as in the past, will be ramped into service very quickly, Miller says. Perhaps too quickly.

“Technology has become indispensable to the business and administration systems of school districts,” he says. “How many administrators now can imagine doing schedules, keeping track of buses or lunch programs without computers?”

Julio Velasquez can’t. Or rather, he shudders at the memory of those earlier paleo-technological days. The director of instructional technology for the Somerset, Pa., Area School District, a 2,800-student suburban system southeast of Pittsburgh, Velasquez says it was only three years ago that his district could be described as a sort of digital Stonehenge.

We faced a situation in which our technology was completely obsolete,” he says. “We had computers that were 15 years old. Some were ancient IBMs; others were Macs running on personal software. Office 95 was our most sophisticated program. Some of the networking structure we were using had been invented in the ’80s or earlier. Very few computers in the district were linked to the Internet and some of those were connected directly with no firewall at all.”

Back then, Velasquez adds, computers were more of an oddity than an effective tool. “Schools couldn’t communicate effectively because most of the buildings weren’t even cabled for computers. Typewriters were still the main way of creating documents. Information was shared by a secretary typing a bulletin, then faxing it to other buildings so that copies could be made for individuals.”

In 2002, the Somerset school board and administration decided to upgrade big time, launching a $1.8 million initiative that included computers for every teacher, more than 400 new computers in student labs, extensive rewiring, and numerous online curricula and administration tools.

Velasquez, who previously had worked in private industry, made sure that some of the money and effort went to cyber security. “I’d say our district compares favorably now to most businesses. Most of our services are done by computer now, and we have all of the virus and spam protections.”

Overreaction Common

In some ways, Somerset may be the exception to the rule, experts say. Most districts pay more attention to what technology can do in terms of educating students or running a district than in how to protect it. That may be natural and reasonable, but it’s also problematic.

“The biggest difficulty is staffing in the district,” says Richards, the technology director in Rochester, Mich., a district with more than 14,300 students. “In order to be aggressive and proactive, you really have to have resources, which includes having bodies available to handle problems. You need people who can monitor and respond to anything that gets through the filters and systems protections.

“Whether it’s inappropriate e-mails, websites, pop-ups, whatever. You’re not going to be able to be as aggressive unless you have trained staff to handle the problem. A lot of districts don’t and what happens is something happens and those districts panic. They simply shut down everything until the problem can be fixed. That’s not really a good solution.”

Miller agrees, but says the urge to over-react is common because most senior school administrators have little, if any, technical expertise. “People tend to feel overwhelmed because there’s usually no easy answer. They’re frustrated because good answers take ongoing, careful attention,” he says.

“Most superintendents probably wish someone else would deal with the whole subject. The best superintendents understand that technology is now just one more thing on their plate, that they need to pull together a leadership team that can deal with it. The superintendent doesn’t have to handle it directly, but he or she should have a team in place with the training and authority to not only deal with problems but try to prevent them.”

That’s not to say, of course, that administrators should simply turn over the responsibility of cyber security to technical staff.

“The last thing you want to do is tell a tech person that they’re in charge and that you don’t want anything bad to happen,” Miller says. “Their instinct is going to be to lock things down. That might work in business, but it doesn’t work in schools where the reason for existence is exploration, discovery, the free flow of information. Technology and security should be implemented in ways that follow a district’s values and procedures.”

First Steps

CoSN, in conjunction with Mass Networks Education Partnership in Allston, Mass., has produced the Cyber Security for a Digital District program ( securedistrict.cosn.org). Among the features is a list of questions every administrator asks about cyber security, a security self-assessment checklist and eight questions every superintendent should direct toward his or her chief technology officer or director of information technology. They are: How are we doing so far? Do we have a security plan? Do we have adequate security and privacy policies in place? Are our network security procedures and tools up-to-date? Is our network perimeter secured against intrusion? Is our network physically secure? Have we made our users part of the solution? Are we prepared to survive a security crisis?

Getting answers to those questions usually points the way to first or additional steps. One big step is doing a more thorough security self-assessment, but that’s usually just a prelude to ordering an external security audit, says Bob Moore, executive director of instructional technology services for the Blue Valley Unified School District in Overland Park, Kan.

“Audits are expensive. It’s not something you can buy for a couple of hundred dollars, but the bottom line is the value of the assets you’re trying to protect, not the cost of the audit,” he says.

A good external security audit analyzes risks and identifies vulnerabilities in district’s computer system. Just as important, it suggests remedies. Among the aspects an audit should evaluate: security policies and processes; privacy policies; privacy data handling; security controls; technology infrastructure; physical site security; authentification systems; Internet vulnerability assessment; policies and controls for wireless deployment, and unauthorized access points.

“We had a security assessment conducted,” says Moore of his 20,000-student district. “I can’t describe the results, of course, but out of it, we took a look at our priorities, what the different layers of security were, how people accessed information, who had access to what kinds of information and how to make that process work better.”

One simple but stunning realization, he and others say, is how often cyber security is breached not by determined hackers with ill intent, but by simple negligence or ignorance. “It can be as simple as not keeping up with software patches,” Moore says

Or not making sure that everyone who uses school computers is fully cognizant of the security rules and ethics.

“I remember one incident where students loaded some software onto a computer while the teacher was out of the room,” says Charles Garten, director of information support services for the 33,000-student Poway Unified School District, north of San Diego, Calif.

“Teachers can be too trusting. They’ll tell a kid a password or have them input grades. Two kids once got a copy key to a teacher’s classroom and the password to the teacher’s webpage. They had other kids paying them money to change grades posted on the webpage.

“Unfortunately for them, they didn’t realize they weren’t getting into the real grade book program,” says Garten. “When the quarter ended and report cards went home, the kids who had purchased better grades got their real grades. There were a lot of unhappy students and a lot of unhappy parents when the students told their parents what had happened.”

An Ethical Emphasis

As for ethics, the basic rules are pretty simple, according to the Computer Ethics Institute: Don’t use computers to harm other people. Don’t interfere with others’ computer work. Don’t snoop around without permission. Don’t use a computer to steal or bear false witness. Don’t use or copy software you haven’t paid for. Think about the consequences of any program you write or use.

“Some cyber security issues are more ethical in nature than legal, stuff like not using someone else’s user name and password,” says Moore of the Blue Valley Unified Schools in Overland Park, Kan. “Whether the subject is cyber security, copyright infringement, fair use or something else, we incorporate ethics into virtually all technology training. We’re always hitting that message, partly because of staff turnover, partly because you know that the message won’t be received by everybody every time and partly because of liability. If something comes up, the district needs to be able to show that it had a deliberate campaign to teach and promote computer ethics.”

When it comes to cyber security, paranoia isn’t necessarily a bad thing, said Garten in Poway.

“Districts shouldn’t necessarily trust their vendors. They shouldn’t assume that the company providing them with software or services is completely secure, even if they insist they are. We had a vendor whose software had a hole in it. A kid found the hole and got into our file servers. He didn’t do anything malicious, just partitioned off one of the hard drives and was selling space on it to other students. We caught him completely by accident.

“I guess you could say we were doing our job,” Garten says. “The kid really understood computers, but it was embarrassing.”

Marie Scigliano, director of educational technology for the 10,000-student Palo Alto Unified School District, agrees. “Sometimes people have no clue about security. They talk about what they want to do, but security isn’t given any consideration,” she says. “For example, we have had the experience where vendors do demonstrations of their product using live data from other districts. When we’ve asked the vendor about this practice, it was not seen as a security risk nor were the districts aware of the use."

A New World

The more districts embrace and exploit the wonders of the digital age, the greater their vulnerability. A school district with little or no access to the World Wide Web, for example, doesn’t have to worry about Internet-borne viruses.

Something similar applies to wireless technologies, which allow greater freedom of use. Nearly 67 percent of school districts in one national study said they would be buying wireless laptops for student use this year, posing an entirely different security risk.

“People really feel secure with a firewall,” a hardware or software system that prevents unauthorized access to or from a private computer network, Garten says. “But if they use wireless technologies, that firewall can be jumped over. A firewall is not the ultimate protection. Then, there are the internal threats: disgruntled employees, kids with too much time in the library, whatever. The first line of defense is always going to be the teacher or staff member. You need to teach them how to effectively use the system and how to spot problems.”

All of this prevention takes money, and quite a lot of it. There is no typical or average cost, of course. It varies with the needs and expenses of a district, not to mention the degree of security desired or demanded.

But one thing is universal: Cyber security costs are rising fast.

“There’s been a marked increase in the past few years,” says Moore. “Some of it is attributable to greater awareness; some of it is because of issues and problems that didn’t exist in the past. Five years ago, for example, spam was a moot point. Now it’s a big problem. (Eighty-eight percent of e-mail globally is unwanted, according to industry experts.) Five years ago, people didn’t worry about spyware.”

Moore estimates his district’s cyber security budget “is in the six figures for just hard, direct costs.” That doesn’t include the biggest expense: the people and time required to maintain the technology and fix any problems.

“You really have to have some financial resources,” says John Q. Porter, deputy superintendent of Montgomery County Public Schools in Rockville, Md. “You have to have access to the expertise that makes this technology work and meet its potential. For example, my district is big enough to have a chief security officer whose job it is to think about these issues, to work on planning, to look for best practices and policies. There’s a group of us who focus a lot of time on this subject and yet, I’m not sure it’s enough. We have 45,000 computers in the district; 180,000 users of all kinds. That’s a lot of ground to cover.”

It’s all expensive. A full-time cyber security officer, says Garten, the director of information support services at Poway, can demand a salary approaching $100,000 a year. External security audits, which should be done every 12 to 18 months, can exceed $50,000 for a month’s work. Then there’s the actual security software and services sold by numerous companies to protect district computers and systems.

“Software manufacturers get a pretty nice penny for their products,” says Richards, the technology administrator at Rochester Community Schools, “but it’s not an option anymore to simply say, ‘No thanks.’ The programs are essential. A school district has to have some sort of system filter. Paying for it simply has to be built into the operations budget. It’s a part of doing business.”

CoSN’s Miller tells a story about a superintendent who boasts of getting a new, high-tech bike. But when asked how it operated, the superintendent admitted he’d never been on the thing. No time, he explained.

“Cyber security is like that bike. You’ve got to get on it. Do the studies. Hire the staff. Make security a priority,” says Miller.

“Most school administrators get depressed when talk turns to costs. They say they don’t have any available money. But the fact is, increasing security is going to cost something, though in many cases it won’t cost as much as they fear and in all cases, the cost will be much less than repairing the consequences.”

Inevitable Breakdowns

Miller says all good cyber security programs in a school district should cover three basic elements:

  • Back-up systems. Any data that’s important is backed up onsite in a different location. If it’s really important, it’s backed up offsite too.

  • Redundancy and more redundancy. This is particularly true of critical systems, such as those maintaining student records. Redundant systems don’t necessarily have to be as robust as the main system, but they should be sufficient to allow school district business to go on while repairs are made.

  • Practice crises. Everybody needs to know what has to be done in a real emergency and that the emergency plans actually work.

Pursue all three avenues to the letter, says Miller, and things still will go wrong. Hackers will continue to find ways to break in. Viruses will still infect. Programs and systems will fail. That’s the nature of technology, sighs Miller. “It happens.”

Scott LaFee covers science and health at the San Diego Union-Tribune. E-mail: scott.lafee@uniontrib.com

Basic Tips on Cyber Security

The technology may be daunting — even akin to magic for some users — but effective cyber security starts with simple steps and caveats, say security experts.

Here are 10 tips for anyone who relies upon computers from the National Cyber Security Alliance ( www.staysafeonline.info), a Washington, D.C.-based public-private partnership of institutions and technology companies.

  • Use anti-virus software.

  • Don’t open e-mails or attachments from unknown sources. Be suspicious of any e-mail attachments that are unexpected, even if they come from a known source.

  • Protect your computer from Internet intruders

  • Regularly download security updates and patches for operating systems and other software.

  • Use hard-to-guess passwords. Mix upper case, lower case, numbers and other characters not easily found in the dictionary. Make sure your password is at least eight characters long.

  • Back-up your computer data on disks or CDs regularly.

  • Don’t share access to your computer with strangers. Learn about file-sharing risks.

  • Disconnect from the Internet when not in use.

  • Check your security on a regular basis.

  • Make sure all employees know what to do if a computer or system is believed to be infected or corrupted.