The Kansas State Department of Education suspended the administration of state exams on Wednesday after its testing vendor was overwhelmed by attacks from unidentified hackers.
While the cyber strikes scuttled the testing schedules of hundreds of schools across the state and left state officials scrambling to upgrade their security infrastructure, the full fallout is not yet known.
“We’re still in ‘fix-it mode’ right now,” said Marianne Perie, the director of the Center for Educational Testing and Evaluation, or CETE, which develops and administers the exams. “We’re putting out the fire before we have a chance to assess the damage.”
Beginning last week, the CETE, based at the University of Kansas in Lawrence, was deluged with traffic from a distributed denial of service (DDoS) attack coordinated by an unknown source. The cyber strike prompted delays and other problems with the administration of new pilot tests, being given to students this year for the first time as part of the state’s rocky transition to new academic standards.
After officials were able to temporarily fend off the attacks, testing occurred without incident Monday.
On Tuesday, however, the organization’s servers were hit with a “huge” new denial-of-service strike that was roughly “100 times larger” than that from the previous week, Perie said in an interview with Education Week.
As a result, administration of the exams was suspended statewide to allow outside contractors to implement a “comprehensive anti-DDoS solution” to combat the denial-of-service disruption, according to a press release from CETE. State officials said student testing is expected to resume Thursday.
The exams in question were originally intended as a one-year bridge to new online tests being developed by the Smarter Balanced Assessment Consortium, one of two multi-state consortia creating new tests aligned to the controversial Common Core State Standards.
Last December, however, the Kansas state school board withdrew from Smarter Balanced and moved to make CETE exams the state’s permanent tests of record. The move has meant the organization, which has developed exams for Kansas schools for roughly three decades, has had to quickly develop new content, new technology for creating the types of interactive online performance tasks already developed by Smarter Balanced, and a new digital testing platform.
This year’s administration of this year’s exams is considered a pilot, and the results will not be used for accountability purposes. The content of this year’s CETE exams covers mathematics and English/language arts in grades 3-8 and 11 and is aligned to the Kansas College and Career Ready standards—the Sunflower State’s rebranded version of the contentious common core.
Prior to being targeted by hackers, administration of the CETE exams was plagued by internal glitches, according to news reports.
The denial-of-service attacks, which seek to crash computer servers by overwhelming them with more data and traffic than they can handle, presented a serious new problem.
No one has yet publicly claimed responsibility for the Kansas attacks, leading state officials and independent experts to say it’s too early to tell if they were politically motivated, the result of criminal mischief, or simply an instance of hackers seeking to test out new disruptive technology.
Robert Siciliano, an online security expert with the Santa Clara, Calif.-based computer security software company McAfee, said in an interview that denial-of-service strikes originate from a “robot network of computers” that “consists of hundreds, thousands, or millions of PC’s that are generally infected by a common virus that allows hackers to remotely access and control all those zombie computers.”
Such attacks require significant technical expertise, he said, but can be purchased for as little as $100 on the black market. Penalties for coordinating such attacks can include “significant jail time,” Siciliano said.
The federal government is constantly being targeted by DDoS attacks, but generally does a good job fending them off, Siciliano said. Local government agencies and education institutions, however, are not nearly as experienced with confronting such attacks or as well-equipped to do so.
Generally, agencies and firms seeking to protect against such attacks do so by purchasing triple or quadruple the amounts of server space and bandwidth they actually need. But such efforts are expensive, Siciliano said.
Perie of CETE said her information-technology staff has been planning to build in “redundancies” and relevant protections this summer. On Wednesday, she said, four Kansas districts volunteered to help test the beefed-up new security system designed to deflect denial-of-service attacks.
Perie stressed that no student data has been compromised or breached as a result of the DDoS attack, which she described as solely “inbound” and not intended to access student records.
Other headaches, though, are likely to linger.
“We don’t know why this is happening,” Perie said. “We just want it to stop.”
A version of this news article first appeared in the Digital Education blog.