As we modernise education, we can’t allow hackers to target our kids’ future
Schools operate in a world where parents don’t sign physical sick letters or have mailed report cards, but if this digital system is held to ransom, students’ grades and even university entry could be at risk, writes Rosie Beacon.
It is a rule in politics almost as old as time that when a threat does not feel immediate or tangible, it is consistently deprioritised in the cut and thrust of politics, but then quickly sees a climax when a threat does materialise. By this point, it is usually too late. We saw it with pandemic preparedness. Cybersecurity is in the early stages of a similar reckoning.
I recently discovered that my old school had been struck by a ransomware attack. And for the entirety of the first academic term, the school systems were essentially paralysed by a hack to the school infrastructure.
Ransomware is a particular type of malicious software that not only hacks into an infrastructure but encrypts all of the servers until the ransom is paid (in this case, £500,000). So aside from the obvious financial and privacy threats, it also makes the systems totally unworkable. The hackers were able to steal data from the school’s servers, including home addresses, bank details, medical records and students’ psychological reviews.
The hackers threatened to make the stolen data public if the school fails to pay the ransom, “all of your child’s private information will be online for everyone and for free”.
It is safe to say that upon hearing this, I no longer viewed cybersecurity as the essential but intangible provision I had flippantly started to view it as. Evidently, not only does effective cybersecurity protect the privacy and safety of both students and teachers, it also prevents unnecessary disruption to students’ valuable education.
The real-life ramifications of such disruptions could translate into the grades students leave school with or the university they get accepted into. The monumental scale of the disruption is hard to predict or overstate: three years down the line as students try to enter a saturated graduate labour market, the effects of cybersecurity neglect could still be felt. And if it were not a school but a hospital, what is the equivalent level of disruption? Crucial scans lost, operation schedules unobtainable? A life-threatening delay to treatment?
The problem is that schools, parents and students believe they are now benefiting from digitisation. There is no more signing slips of paper for school trips, school reports go straight to inboxes and there is access to numerous educational tools. But without matching that rapid digitalisation with security then the school is exposed.
Thus schools, and many other public service institutions, have fallen victim to what Dr Melanie Garson, Associate Professor of International Security at UCL (and my colleague at the Tony Blair Institute) has titled “the attacker’s arbitrage”. This is when digital systems mature much faster than security systems, leaving a gap for opportunistic hackers to exploit.
My old school is also not alone in its cyber vulnerabilities. The UK’s education sector has been experiencing a significant increase in these types of incidents – the National Cyber Security Centre highlighted an increase in August 2020, and again in February 2021. It is not just happening in the UK either. LA Unified School District – America’s second largest school district – suffered significant disruption in September due to a cyber attack.
The problem with cybersecurity as a policy priority is that it feels both improbable to happen and impossible to fix. Not only is it uniquely technical, it is also constantly evolving in sophistication.
Pandemic resilience (or lack thereof) is a useful analogy for cyber resilience. During the pandemic, which many wanted to believe would never happen, any and all vulnerabilities in our public services were ruthlessly exposed. And, three years down the line, any weaknesses exacerbated by the pandemic are now causing unprecedented chaos in virtually all our public services. It is the same with cybersecurity.
It is ultimately a good thing that public services are digitising. Schools can be both digital and secure – it is not a trade off. But the government needs to start investing in national critical infrastructure, especially education, and not see it as a costly or burdensome afterthought. As in the pandemic, it comes down to prevention and resilience, not reactive firefighting.