In my experience working with education officials around the world over the past two decades, the confidence of senior leadership in an education system's approach to computer and data security is often inversely proportional to how much time, energy and expense have been devoted to considering security issues, to say nothing of the robustness and comprehensiveness of related approaches being deployed.
As part of my job at the World Bank, I help ministries of education think through issues related to the use of new technologies in education. Along the way, there has been, in my experience and generally speaking, comparatively little attention, energy and resources paid to issues of computer and data security as part of the rollout of digital technologies in education in many parts of the world, and especially in middle and low income countries, where I spend the bulk of my time.
At a basic level, this should not be too surprising. Resources are often quite scarce, as is related know-how. Most initiatives focus first on introducing computers (and later tablets and other gadgets) into schools, and on rolling out and improving connectivity. Many countries new to the use of computers in schools are challenged to adequately handle some of the most basic security-related tasks, like installing (and keeping updated) anti-virus packages on individual devices. And to be honest: The initial stakes are often quite low. Only over time, once a critical mass of infrastructure is in place -- and is being used -- do thoughts turn to any significant extent to issues of computer and data security. But still: Unlike passing out shiny new tablets to schoolchildren or cutting the ribbon on a new educational makerspace, strengthening an education system's security practices typically doesn't make for compelling photo opportunities. For education ministers who typically enjoy short tenures in their jobs, it's often quite logical to leave such issues for the next lady (or guy) to handle.
That said, as connectivity spreads and improves, and as education systems move beyond a patchwork of often small and uncoordinated pilot projects to become more dependent on their ICT infrastructure at the classroom, school and system level, 'security' is gradually added to the list of responsibilities of a few staff, related budget line items are established, and sometimes small units are formed inside education bureaucracies.
Even then, though, digital security concerns usually tend not to be prioritized by ministries of education, and much of what is done is reactive in nature. In my experience, only when one of two types of things takes place do computer security issues get real attention: (1) when there is a move to computerized, especially online, testing; and/or (2) when something important is 'hacked'. (There is a third catalyst for action -- government regulation -- but that typically occurs only after one or both of these first two things have occurred.)
During dialogues with government around 'edtech issues', it's been my standard practice to try to insert a bullet point related to 'security' onto the formal agenda. For the most part, this has been tolerated ("of course we think security is important!"), but (if I am being honest) not always particularly welcome, and it is often the last agenda item, the kind of thing where the related discussion gets cut short and people close by saying, "We wish we had more time to discuss this."
In the past two years, however, things have begun to change a bit. While still never the focus of our discussions, people from a number of ministries of education with which I have worked have begun to bring up this issue proactively. Often, related exchanges begin with some form of the question, "We are thinking about introducing online testing but are wondering if we might get hacked -- how worried should we be, and what can we do to prevent this from happening?"
My response to this sort of question is usually something along the lines of, "You are right to be worried, and there are a lot of things you can and should be doing as a result." (Whether or not online testing is actually a good idea is a separate question, and discussion.) We then quickly talk through a number of the standard high level issues, topics and concerns, touch on the feasibility and cost of a number of related first (and second, and third, and fourth ...) steps that need to be taken, and at the end draw up a list of names and organizations for potential follow-up. Before the discussion 'ends' (a discussion about computer security never actually 'ends', of course; once opened, Pandora's Box can never be fully closed), I make sure to make the following statement, and pose a related question:
Prevention is important. Obviously! I am glad to see that this is increasingly prominent on your agenda. If you have a checklist of things you are concerned about, and a list of how you are addressing them, we can take a look at it and talk through some potential related issues, to the extent that this might be useful. We can also talk about some other countries where some bad things have happened, in case any of those stories might be of interest.
But, no matter how successful you are when it comes to protecting your digital infrastructure and your data, if you are using connected digital technologies in your education system, at some point in the future:
You. Will. Be. Hacked.
- Data or intellectual property will be stolen (like personal information about students, teachers or administrators); and/or
- The integrity of data or a service will be called into question (through cheating on a test, for example, or by changing grades after the fact); and/or
- Online testing, or access to a web site, online service or database, will be disrupted (as a result of a DDoS attack, for example, or the use of ransomware).
etc. etc. etc.
For many education systems, when it comes to being hacked, it's not a question of if, but rather, when, what, and to what extent?
What are you going to do once this happens?
(When I say this sort of thing in meetings with ministries of education, the room often gets increasingly quiet, and a few people throw me dirty looks for 'focusing on the negative'. In such instances, I'm often trying to be deliberately provocative, as a way to help force attention, if only transiently, to issues that are not being prioritized, or even considered.)
Actually: You probably already have been hacked. Possibly many times.
- Maybe this made the headlines.
- Maybe you 'successfully' covered it up.
- Maybe you (accurately or not) invoked the spectre of unnamed 'hackers' or blasted 'incompetent vendors' in an attempt to assign blame outside the ministry.
- Maybe you didn't even know it happened. (Maybe ... it's still happening?)
There is no shortage of potential threats or 'attack vectors'. You need to identify potential threats, prioritize them, and figure out ways to prevent them from happening. That's pretty straightforward to understand -- and good practice.
However, let's imagine for the moment that you do a good job with all of this. (In my experience, this is almost never the case when it comes to ministries of education, but perhaps your ministry is an outlier in this regard.) Despite your best efforts:
You. Have. Been. Hacked.
During a recent conversation of this sort, a very senior education official remained quiet for a while and then exclaimed, "We need a law so we can go after the hackers!"
Indeed, I responded, it is quite possible that you do need a law. And it is certainly important to go after the folks responsible for whatever happened. Maybe there is no law against what was done, or existing laws are not good fits. (In which case: You have one pretty clear item on your to-do list.) Maybe there are relevant laws on the books, and someone can figure out who did whatever was done (and how they did it) and prosecute them. (If so: I wish you the best of luck with this.) You'll of course need to communicate with different stakeholder groups about what happened. That said, in addition to your related messaging, and (potentially) the activities of law enforcement, you need to get things moving again -- and fast!
How do you plan to do this?
Even where appropriate, relevant preventative measures are in place (some of these will be explored in upcoming companion EduTech blog posts), in most of the places where I have worked, comparatively little thinking or action has taken place related to what to do after something has gone wrong.
In considering a set of potential related scenarios and implementing a set of concrete actions, you may end up saving yourself from a lot of grief, aggravation, damage, downtime and loss of stakeholder trust. Or maybe you won't: No one is perfect, after all. Technologies change. The bad guys can be quite good at what they do. But in planning for how you might get back on your feet after you are knocked down, you may also come to have a better understanding of where some of your most critical security vulnerabilities may lie. This may not only help you to respond if and when they are exploited, but also might just help you better protect yourself and stay on your feet in the first place.
Note: The image used at the top of this blog post ("Help! I've been hacked!") comes from Andy Dingley via Wikimedia Commons and is used according to the terms of its Creative Commons Attribution-Share Alike 3.0 Unported license.
Michael, Excellent article! This is a true depiction of the current state of affairs and even the most forward-looking school systems are myopic with regards to data security and its consequences due to a lackadaisical attitude.