On cybersecurity, educational institutions have a people problem
For decades, bad actors have exploited computer systems by finding vulnerabilities in the systems themselves, but now, in a vast world of connected devices, users have become the soft underbelly of each organization, especially in educational communities.
The dichotomy of maintaining network security while also preserving communication and the free exchange of information — a keystone of educational philosophy — has presented IT leaders with a unique obstacle. Meanwhile, challenges such as IT talent shortages and insufficient funding for cybersecurity projects have educational institutions searching for solutions to secure their environments in the face of new risks.
“It has become much more evident that [cybersecurity] is something that they have to move forward on,” said Amelia Vance, director of education privacy for the Future of Privacy Forum, a think tank based in Washington D.C.
Education IT leaders and administrators are responding. According to two leading industry associations, Educause and the Consortium for School Networking, IT leaders in education named security as their top priority last year.
The University of Montana, for example, overhauled its research network in 2018 to increase its security while also improving the efficiency and ease of communication across campus. The state of North Dakota is building a unified, robust security framework as it consolidates the cybersecurity efforts of more than 400 organizations across the state under one department, including K-12 districts and the university system. Meanwhile, two small colleges in Pennsylvania that have been sharing a chief information security officer since 2013 in an effort to improve cybersecurity and cut costs underscore a widespread funding challenge.
However, as institutions invest in solutions, many grow complacent, said Greg Falco, a cybersecurity researcher at the Manhattan Institute of Technology. There’s a growing assumption that “it’s not going to be me — it’s my vendor who is going to get attacked,” he said. “That’s the growth cap. People don’t want to admit they are at fault.”
Education is challenged by the facts that cybersecurity systems need to be maintained indefinitely and that what it takes to maintain security has continued to evolve over the years.
“The challenge to the cyberthreat landscape is it changes. Constantly. It never stops changing,” said Stacy Wright, a cybersecurity expert at the Center for Internet Security.
Vance likened the effort to keep up with new vulnerabilities to a game of “whack-a-mole.” The cycle of new vulnerabilities being introduced and IT teams subsequently patching those holes is endless.
It wasn’t always this way. When the first computers arrived around the 1940s, it was physical security, not cybersecurity, at the center of keeping computers and data secure. Often kept under lock and key, the first computers were non-networked machines that required physical manipulation of switches and cables to program them, making hacking improbable.
In the 1940s, the first general-purpose computer, the Electronic Numerical Integrator and Computer, or ENIAC, was stored on the first floor of the engineering building at the University of Pennsylvania and could only be accessed by authorized personnel. In fact, Jean Jennings Bartik, a member of the all-woman team that first coded the ENIAC, noted in a 2011 interview that she and her peers were not even allowed to see the machine they would be programming before they each received security clearance.
Today, computer security goes beyond the device itself, Falco said. Networking means that physical access to a computer is no longer necessary to interfere with these machines, opening them up to exploits from outsiders.
The ARPANET, an early network of computers that expanded through the 1970s and eventually gave rise to today’s internet, shifted the cyber threat landscape away from the physical domain. In 1971, the first computer worm, called Creeper, moved through the ARPANET, replicating itself from one system to another, causing the infected computers to print the message, “I’M THE CREEPER: CATCH ME IF YOU CAN.” The virus, considered benign by today’s standards, was a harbinger of more dangerous network vulnerability exploits to come.
The current computer systems in schools are met with a barrage of cyberattacks, including ransomware, phishing email and denial of service attacks. According to Verizon’s Data breach investigations report, the education industry experienced 292 cyber incidents in 2018 resulting in 101 system breaches. Cyberattacks have exposed sensitive information about students’ applications and medical histories, altered grades and attendance records, and jeopardized payroll funds.
Creeper and other early cyberattacks were possible because ARPANET was insecure by design. In the ARPANET, the university researchers who primarily used the network often knew and trusted each other. The early internet was small and so security was not a major concern, Falco said.
“The internet was designed in order to just facilitate information sharing,” he said. “You don’t really think you need security if only a small number of people are going to have access.”
In 2019, technology and its associated threat landscape are radically different than they were even 10 or 15 years ago. In the 1994 book, Secrets of a Super Hacker, a hacker monikered “The Knightmare” provides a detailed look at the best hacking methods of the era and though nearly the entire manual is now out of date, there’s one technique that never went out of style: social engineering.
In the current cyber landscape, there is a huge social element to cybersecurity, but restricting users as a means to secure a network is at odds with the collaborative nature of higher education institutions.
“The biggest vulnerability that exists in cybersecurity isn’t an outside person coming in. It’s human error,” said Joanna Grama, a consultant for Vantage Technology Consulting Group and former cybersecurity director at Educause.
According to a 2018 report published by the consultancy EdTech Strategies, 54 percent of all digital data breach incidents experienced by K-12 schools were directly carried out or caused by members of the affected school community. In higher education, IT administrators say internal threats are on the rise and 48 percent report believing that the greatest security risks come from within the campus, according to a 2018 survey conducted by managed network services provider Infoblox.
Having a weak password, attaching sensitive data to an email, not using encryption, or accessing public Wi-Fi are all user-generated vulnerabilities that could threaten the cybersecurity of educational institutions, said Vance. “If you can cut down human error, you can cut down on a huge percentage of these potential breaches,” she said.
Further frustrating schools’ cybersecurity, the open nature of many educational networks make user-based vulnerabilities more difficult to secure, Wright said. “Because of the way schools are designed with open networks so students and teachers can connect,” he said, “everyone having laptops, tablets, or smartphones, and the ability for all those devices to get to social media websites, the malware and scams in a school environment are more likely to be spread.”
Some institutions have taken on this issue by overhauling their networks with new technologies, like Montana State University, which rebuilt its research network with this unique dilemma in mind. Fancy new technology isn’t enough, though. Cybersecurity solutions often require huge investments in third-party network support, enough on-site IT staff to keep up with evolving threats and staff who won’t click on malicious links that give intruders easy entrance.
Money, manpower and more
There simply aren’t enough qualified cybersecurity professionals to help protect schools. On top of that, many schools don’t have enough money to even higher a cybersecurity administrator or to invest in new software or network infrastructure to improve cybersecurity.
Educational institutions, especially rural districts and small colleges, Vance said, don’t have the personnel, knowledge or funding to implement security and privacy solutions in their schools.
Grama, the Vantage consultant, noted that “campus IT resources and funding do tend to be on the small side.” As a result, she added, small IT teams are can be overwhelmed by the wide scope of a campus’ IT needs.
Meanwhile, many staff and administrators remain unaware of the risks they face in continuing to use outmoded technologies and practices. Top administrators at California State Polytechnic University and University of Chicago Law School recently exposed sensitive student data while passing around emails containing unencrypted spreadsheets.
Many more in higher education continue to fall for phishing scams, clicking on fraudulent links and unknowingly handing over their credentials to attackers.
“We train our children not to take candy from strangers, so why not train them not to click on a link or attachment from strangers?” asked Wright.
Many institutions do train their staff, but unfortunately, Falco said, there is a disconnect between cybersecurity education and its actual practice in personal and professional environments. He said training is made more engaging and effective by eliminating this disconnect. “Cybersecurity education is important, but frankly, it’s kind of boring to talk about,” he said.
Evolving threats are continuing to present institutions with new challenges while they still struggle to solve old ones. There is not yet a single solution that will work for everyone, but Vance says there is a clear starting point.
“We need to ask questions if we really want to improve cybersecurity in the education sector,” she said.