Why is K-12 Different?

The most important mission of a school is to facilitate learning. Creating a “ready to learn” environment requires paying attention to things like people, property, supplies, and, increasingly, security. By all measures, schools are a safe place. Still, minimizing risks is always advisable when children are involved. We don’t allow strangers to wander our hallways. We set up programs to deal with bullying. And we practice fire drills.

Similarly, as digital tools expand the learning process into virtual space, we need to manage the risks faced by our students and staff in their new environment. In addition to the personal safety issues faced by users, we need to protect our systems and data from accidental or deliberate mishaps that come from inside as well as outside, from normal use as well as hostility, from lack of resources as well as inherent weaknesses. We need to prevent trouble-makers from taking remote control of our equipment for use as a launching pad for attacks on other systems. We need to protect our schools from having its learning goals blocked, its operations disrupted, or its public support undermined because of disruptions or failures of its IT system. Taking care of security is one of the foundations for keeping our organizations operational, able to pay bills, order supplies, send out report cards, support student research and communications, conduct professional development. In addition, we need to protect ourselves from the potential liability of being the “weakest link” in an online chain of national emergency response networks whose collapse occurred because of our negligence.

Educators must take leadership of this effort because it is vital that schools do not pursue increased security in ways that undermine their ability to facilitate learning through communication, collaboration, exploration, research, creation, sharing, publishing, making mistakes, and simply fooling around.
In schools, as in most organizations, an appropriate approach to security will combine technology, policy, and people-oriented activity. Technology is a powerful tool that we need to fully utilize. Equally important is examining and updating the policies and procedures followed by system administrators and everyday users. But most important is working with the people – everyone -- to create a “community of trust” in which everyone has a shared understanding of the value of our technology resources and the proper way to use those tools to support everyone’s efforts to accomplish educational goals.

However, as we go forward, it is important to remember that security can never be absolute. We can manage the risks we face; we can not eliminate them. So we must also prepare to maintain “business continuity” when the inevitable problem occurs. To pretend otherwise is a set-up for failure and recrimination.

Risk Can Be Reduced

As technology becomes more ubiquitous and complex, the number and variety of its vulnerabilities also increases.. And when people, from within or without, have hostile intentions the problems just get worse. In Massachusetts, the FBI office announced that about three-quarters of all hacking cases involve disaffected employees seeking revenge.

The key aspect of these attacks, however, is that almost all are preventable. The Gartner Inc. market research group points out that at least through 2005, 90% of computer attacks will use known security flaws for which a solution is available but not installed or implemented. The profound implication is that security is more a result of high quality day-to-day operations than a one-time burst of heroics.

Protecting the Core Mission: Learning

Schools exist to facilitate student learning. This is their primary purpose. Security is a necessary precondition, but not an end in itself. Therefore, it is vital that security strategies be designed in ways that don’t significantly undermine the learning process.

The most powerful learning comes from doing – trying something, noticing what happens, correcting your mistakes, and trying again. The deepest learning comes from exploration, from experimentation, from trying new things and getting excited about new possibilities. Schools have to provide a learning environment that supports the creative use of a “teachable moment,” that encourages teachers to share their enthusiasms. A totally controlled network can stifle the very thing that school networks are created to encourage:

Firewalls and filters can prevent staff and students from accessing on-line tools or information they need.
Desktop lock-down prevents teachers from trying new software.
The technology pioneers are the ones who pave the way for others to follow; if they are restricted, the whole district's ability to move forward will be impaired
Teachers don't always have the luxury of planning ahead: the "teachable moment" often requires a "right now" need to find a Web site or to load some software or adjust a student's desktop; there is no time to wait for the network staff to get around to setting things up.
The chance to explore and experiment is what allows teachers and students to move from beginner to advanced, a must if districts want to move forward in implementing good models of teaching with technology

Furthermore, in our anxiety to protect our data, we have to avoid creating “data tombs” of totally private but totally unusable piles of information that never contribute to the insights that will allow us to improve our instructional strategies and individualize our efforts.

Of course, technology controls play a vital role in any security system. But even here, controls are only as successful as the policies that they are used to enforce. And at a deeper level, policies are only as effective as the people implementing them. An effective security program must include repeated training and frequent discussions not only about the policies and procedures that people need to obey but the reasons that those rules were created in the first place. We have to help people understand that it is their own safety and civil liberties that are at risk, their own learning opportunities that we are creating. On-line (and real world) ethics have to be an explicit part of any program, presented in an age-appropriate manner.

People are the bottom line. The people creating the security policy have to deeply believe that students and staff are not just part of the problem, they’re also key to the solution! It is not enough to wait for the legal system to tell us what we are required to do. We must start by building trust and cohesion with our learning community. And then when the inevitable crisis does occur, we have allies we can rely on during the difficult moments.

The K-12 Technology Environment

Several characteristics of the K-12 environment make the nation’s school systems particularly vulnerable to cyber risks and in need of assistance to deal with the problem. This need is of growing concern because the push towards data informed decision making and performance based reporting is encouraging schools to develop big, centralized data warehouses. At their best, this allows for careful analysis of longitudinal trends that lead to system reform and more personalized instruction. But these expanding data banks also contain large quantities of sensitive data, from medical records to social security numbers to home addresses, grades, personnel records, and much more. How will districts ensure that the incoming data is accurate? That their systems transmit and store it with integrity? If not secure these are “low hanging fruit” for those interested in malicious – or criminal – behavior.

Furthermore, the high degree of student mobility in many districts will require extensive data sharing, which creates new opportunities for interception and misuse.

As tax cuts, growing expenditures, and lowering revenues create enormous deficits in government budgets, spending on education technology is one of the items in the center of the chopping block. Elected School leaders are faced with tighter budgets, which just reinforces their general attitude towards technology – as with school buildings, taxpayers assume that once they’ve bought the asset with capital or incidental money, then the big expense is done. Of course, just as over reliance on capital spending leads to problems with long-term building maintenance it also leads to problems with long-term network administration – including security.

Cyber security also suffers in the K-12 environment because it has not received sustained and full attention from education leaders. In the late 1990s the national emphasis was on expanding access – increasing the number of Internet-connected computers. As the decade progressed, increasing emphasis was placed on helping teachers learn how to use the new tools. And more recently, there has been heavy pressure to demonstrate the learning impact of the use of these technologies. At the same time, the new Children’s Internet Protection Act forced educators to install filters in order to prevent students from being exposed to “inappropriate” images and words. And periodic virus attacks prompted many schools to install firewall and virus protection software. But none of this provides a systematic approach to overall cyber security.

And, of course, the technology keeps changing.

Technology Trends That Will Create Additional Risks

One of the challenges facing all users of Information and Communication Technologies is its rapid evolution. Even if the pace of technological development slows down, technologies already on the market are beginning to change the context for K-12 cyber security.

The growing use of broadband makes it possible to give students access to more multi-media content for a richer learning environment; but it will also increase the level of sophistication needed by already over-burdened local technology staff to manage the infrastructure that carries this material.
New wireless and power-line transmission methods may greatly expand access but will also create new risks for data interception and new “openings” for hostile penetration of school systems.
Outsourcing data storage or system operations or using an ASP for application hosting can save money and reduce staffing needs, but raises issues around who owns student work and school data that is stored off-site; who is responsible for long-term, legally mandated data retention and elimination; and what happens if vendor goes bankrupt or gets bought out.
The increasing use of peer-to-peer data sharing, the push for application interactions, and the demand for equipment plug-and-play compatibility all make technology more transparent, and all blur the boundaries making it ever harder to know who to keep away from what – and how to do it.
The expanding use of laptops and handheld computers brings us closer to one-to-one ratios and extends learning activities from the classroom into the world thereby creating more authentic and active learning. At the same time, this makes it harder to know exactly what data is located where and who has access to it. In addition, it is likely that some of this equipment will be misplaced or fall into undesirable hands that will then have an entryway into the larger system.

Education is Different

Education is a special field of activity. Students learn through inquiry and exploration. Teachers often have to take advantage of unforeseen "teachable moments." Learning is often motivated by students' desire to deal with dramatic, meaningful, contemporary issues that require access to an incredibly broad variety of information and an enormous amount of communication among people all around the world. It is vital that K-12 leaders be concerned and careful in protecting their student's safety and their system's security. It would be a disaster if we became paranoid and defensive. The last thing we need in schools is a "culture of security" that sees a terrorist hiding behind every electron. We can't be stupid or unprotected; but neither can we over-react in ways that undermine our primary mission of encouraging student learning and growth.