In March 2015, a cyberattack confronted officials at the Swedesboro-Woolwich School in New Jersey with a sudden demand for ransom money. The ransomware attack, made easier by the weak credentials of a third-party network maintenance vendor, didn’t succeed. But it wreaked havoc by preventing students at four elementary schools from taking crucial tests and required a two-week network cleanup that prevented teachers, administrators and students from accessing the network.
According to a new report from the Institute for Critical Infrastructure Technology (ICIT), the education sector faces a growing risk of such attacks, due in part to the extensive volume of digital records schools have on hand, including medical, attendance and student profile data, which are valuable for cyber-criminals. At the same time, as the Swedesboro-Woolwich case demonstrated, school IT systems remain inadequately secured, typically because of a lack of resources.
Schools, on the other hand, represent a long-term solution against cyberthreats, the report argues. It calls on education leaders to develop curricula to educate K-12 students in all aspects of cybersecurity and, ultimately, help create a cyber workforce that can respond to the crisis.
The report, “Sowing the Seeds of U.S. Cyber Talent: Leveraging K-12 Cyber-Education to Develop the Cyber Workforce and Improve National Security,” was written by James Scott, a senior fellow at ICIT.
To be sure, children’s personally identifiable information (PII) is heavily exploited by cybercriminals, Scott says, citing one study that found that as many as 10 percent of a sample of 40,000 children may have already had their identities or equivalent PII stolen. That rate is 51 times greater than the rate of U.S. adult identity theft.
Moreover, a paucity of training for students makes compromising their omnipresent mobile devices “trivial for an attacker,” according to Scott. In addition, tech-savvy students already employ “free” — and often subtly malicious — proxy or VPN services to circumvent the school filters.
Personal data can be exploited for years
A child’s personal data may be exploitable for years before the victim becomes aware of the breach of their identity, Scott states. And children aren’t likely to learn basic cyber-hygiene or proper online behavior from parents, as they “notoriously avoid parental monitoring of online activities.”
Overall, the nation’s infrastructure is “buckling under the incessant onslaught of cyber attacks,” Scott concludes. Therefore, cybersecurity, cyber hygiene and privacy education “should be ubiquitous and pervasive throughout the nation.”
Given that today’s students are “inseparable from technology and the Internet,” cybersecurity and cyber-safety education for K-12 students is essential to national security and, in the long run, the development of a cyber-workforce, Scott says.
“By teaching students about cybersecurity, cyber-hygiene and digital privacy, educators can break the self-perpetuating chain of generations of cyber-illiterate users,” Scott argues. “In less than a decade, a meaningful investment in national cybersecurity … education can curb domestic cyber-crime and stymie foreign cyber-crime campaigns.”
However, creating meaningful cybersecurity curricula poses a range of challenges, the author says. “Information security cannot be a one-day presentation or one-week activity. Cybersecurity and digital privacy are year-round concerns.”
The hurdles are daunting. Scott notes that:
- Less than 25 percent of U.S. high school seniors have taken a computer science course. Even fewer have any foundation at all in technical subjects such as cybersecurity.
- Creating cyber curricula is challenging because the cybersecurity and technology landscapes are dynamic and constantly changing.
- School districts and parents have limited resources and often suffer dwindling budgets.
- Educators are often not proficient enough in cybersecurity and cyber-hygiene to teach best practices to the younger generations.
- A shortage of staff qualified to teach cybersecurity is a major barrier to adopting new curricula.
Scott also contends that lectures, instructional videos and pamphlets are not effective mechanisms for educating students and creating a cyber-workforce.
“Lasting interest in cybersecurity is best incited through interactive mediums such as hands-on lessons, active discussions, digital mechanisms and entertaining literature such as comic books and graphic novels,” he states. Other instruments might include video games, board games and role-playing games to augment the learning experience and improve long-term retention of the material, he adds.
Cybersecurity education must start early — as soon as 1st grade. “The earlier we start teaching, the more educated they will be on cybersecurity as they enter the workforce later in life,” Scott says. By middle school, students can begin to learn preliminary coding so they can understand the nature of sophisticated online threats such as malware.
Later on, in high school, cyber-education can be built into civics and similar courses to give students a greater understanding of threats and events when news stories relating to cybercrime break.
Also, the future cyber-posture of the U.S. can be greatly improved by teaching young users best practices on social-media platforms such as Instagram, Snapchat, Twitter and Facebook. “Even seemingly trivial lessons such as navigating the maze of user settings in order to harden privacy controls significantly reduces the likelihood of the malicious exploitation of young users,” Scott says.
Scott concludes in his report that, with a cyber-talent shortage of 1.5 million looming by 2020, “K-12 students are the most prevalent and the most valuable resource the U.S. can utilize in the development of a skilled and formidable cyber-workforce.”