In suburban Chicago, four high school students hacked into their school’s computer network in October and tampered with their grades.
That same month, an 18-year-old in Sacramento, Calif., was arraigned on 89 felony counts for hacking into his school district’s network.
And in Massillon, Ohio, three high school students cost their district at least $400,000 after they penetrated school computers last summer to raise grades for themselves and others.
| Staff writer Rhea R. Borja interviews Keith R. Krueger, the executive director of the Consortium for School Networking, on the issue of cyber security for school districts. (Windows Media file: 6.18)|
While schools rightly fear break-ins to their computer systems by professional criminals, students are increasingly giving educators almost as much to worry about. Reports of students’ gaining access to school networks to change grades, delete teachers’ files, or steal data are becoming more common, experts say, and many districts remain highly vulnerable to costly and disruptive attacks.
“School districts should be the most fearful of the way organized crime has taken over the hacker industry,” said Steven E. Miller, the executive director of Cyber Security for the Digital District, an online project to help school leaders safeguard their networks. “But administrators’ biggest [technology] problems come from within their own system.”
There are several reasons why. Cyber security is a full-time job, and many districts, especially smaller ones, don’t have enough staff or money to adequately secure their networks against all potential threats, Mr. Miller said.
The “anywhere, anytime” accessibility of many networks can be tempting to students, who can penetrate them from both their school and home computers.
Unlike 10 years ago, moreover, people don’t have to be true computer geeks to become hackers. Online chat rooms, listservs, and Web sites that give step-by-step directions on how to hack make it easy for students—and anyone else—to tap into networks rich with confidential data.
“If you have the slightest amount of [computer] knowledge, it takes less than five minutes to put together an attack code,” Mr. Miller said.
In addition, as more districts centralize academic and other information to make data-driven decisions—as encouraged under the federal No Child Left Behind Act—they may leave themselves even more open to cyber criminals if they don’t also build strong virtual fences around their networks.
“School districts are moving from silos of information to data warehouses. So they are much more inviting targets,” said Keith R. Krueger, the executive director of the Consortium for School Networking, a Washington-based nonprofit group that co-sponsored the Cyber Security project with Mass Networks Education Partnership in Allston, Mass.
Or, as Mr. Miller put it: “We’re creating all of these honey pots, waiting for the bears to come.”
Hackers Change Scores
So-called e-crimes are rising in general, according to the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
A project on cyber security for school districts recommends that technology officials follow a process of careful planning to keep computer systems safe.
Phase 1: Set Security Goals
Outcome: Security-Project Description: Craft a project description with goals, processes, resources, and decisionmaking standards.
Phase 2: Risk Analysis
Outcome: Prioritized Risk-Assessment Report: List and rank vulnerabilities in a report that will guide risk-reduction efforts.
Phase 3: Risk Reduction
Outcome: Implemented Security Plan: Regularly repeat risk-analysis and risk-reduction process to ensure effectiveness.
Phase 4: Crisis Management
Outcome: Crisis-Management Plan: Develop a blueprint for organizational continuity.
SOURCE: Cyber Security for the Digital District
E-crimes include installing computer viruses or spyware—software that illegally records personal data such as credit card numbers—as well as “phishing,” a term used for tricking someone into electronically sharing personal data such as a Social Security or credit card number.
Thirty-five percent of the 819 respondents to CERTs 2005 e-crime survey, for example, reported an increase in cyber crime targeting their organizations, and 68 percent said that least one e-crime was committed against their employers in 2004.
But despite e-crime’s growth, 31 percent of respondents said their organizations lacked a formal system to track e-crime attempts, and almost 40 percent said their employers lacked a formal plan for responding to cyber crimes. The respondents were security or law-enforcement personnel who work in education, finance, and other fields.
Michael Riordan, the principal of the 1,770-student Oak Lawn High School in Oak Lawn, Ill., knows the threat from experience. In late September, three juniors and one senior hacked into Parent Portal, a software program that allows parents to see their children’s grades. They did not break into the district’s larger network, which contains student test data, grades, and other confidential information.
The students raised their homework and quiz scores by a few points in several subjects, just enough to bump up their grades. It wasn’t until Oct. 26—after the students had unauthorized access for a month—that a math teacher noticed that one student’s grades online didn’t match those in her gradebook.
District information-technology employees disabled Parent Portal for two days to fix the problem and to install more online barriers. Then officials handed out 10-day suspensions to the boys, who also received zeros for the affected quizzes and assignments, and were barred from using school computers for the remainder of their high school careers.
“[Parent Portal] is a wonderful resource, but unfortunately there was a flaw in the operations of the program,” Mr. Riordan said. “The logon procedure is supposed to go through a series of checks and balances. But one checks-and-balances process did not take place.”
Ensuring a secure network is a district responsibility, said Joseph M. Shearn, the president of Century Consultants Ltd., the student-information-software company that created Parent Portal. The Lakewood, N.J.-based company works with more than 2,000 schools nationwide. Mr. Shearn said that as far as he knew, none of his other clients had experienced a similar hacking incident.
“We as an applications company supply the application, and we put in software to allow logins and passwords,” he said. “Where do you lock down the security? That’s up to the school district.”
A Dynamic Tension
And therein lies the cyber-security conundrum, say some technology experts. Unlike banks or the Pentagon, which must safeguard their information under many layers of security, schools tend to share information among teachers, students, and parents.
Experts advise superintendents to get answers on basic security questions from their chief technology officers.
1: How are we doing so far?*
2: Do we have a security plan?
3: Do we have adequate security and privacy policies in place?
4: Are our network-security procedures and tools up to date?
5: Is our network perimeter secured against intrusion?
6: Is our network physically secure?
7: Have we made our users part of the solution?
8: Are we prepared to survive a security crisis?
* For example, have security breaches occured, and if so, what caused them?
SOURCE: Cyber Security for the Digital District
“A school by definition should be a relatively open environment. The best way to learn is to take a risk, to explore,” said Mr. Miller of the Cyber Security project. “But there’s a tension between that and preventing kids from doing the wrong thing.”
So how do you have a collaborative technology network that’s also safe from attack?
Prepare for the unexpected, Mr. Miller advised. Have a Plan B that accounts for the network’s strengths and weaknesses. And make sure that school administrators understand a network’s possible security risks.
“At some point, a security problem is going to occur in every school system in every network in the world. It’s unavoidable,” Mr. Miller said. “So assume that something is going to happen.”
Bob Blackney, the technology director of the 27,000-student Placentia-Yorba Linda school system in Orange County, Calif., agrees that no system is 100 percent secure.
“The best computer is one that’s locked in a vault and unplugged,” he said. “But [teachers and students] want the Wild, Wild West. They want access 24/7.”
In addition, district networks tend to be “hard on the outside and soft in the middle,” Mr. Blackney said. He means that networks may have firewalls to dissuade outsiders from breaking in. But they don’t tend to have barriers on the inside to block users from accessing certain types of information they shouldn’t see.
Mr. Blackney also knows that from experience. He was the technology director of neighboring Chino Valley Unified district in the spring of 2003. That’s when a high school junior hacked into his school’s database and changed grades for himself and a friend. He also viewed some of the 1,744 Social Security numbers of the school’s students.
District officials rushed letters to parents informing them of the incident, and encouraged them to let credit-reporting agencies know to place a fraud alert on their children’s files. Mr. Blackney said district officials expelled the boy and filed a civil lawsuit.
The district, he said, received some $20,000 from the student’s family to better secure the district network. That upgrade cost the district about $200,000.
Chino Valley’s technology network was “better than most,” Mr. Blackney said. But it couldn’t prevent the student from accessing sensitive data. That’s because a school employee, not thinking that the boy would use the password illicitly, gave the student the employee’s personal password.
Educating employees as well as students on cyber responsibility could go a long way toward making networks safer, say technology experts such as Marie L. Scigliano. She’s the technology director for the 10,000-student Palo Alto, Calif., school district. She got her own wake-up call two years ago, when a local reporter viewed a confidential student report by easily tapping into an unsecured middle school wireless-computer system, which allowed her to get onto the school network.
So Ms. Scigliano and her technology team refashioned the wireless system to make it harder for outsiders to get in. They also released a six-page report detailing the legal responsibilities of school employees to protect student privacy and the appropriate use of school e-mail and other online programs.
“It was an open environment, no doubt about it,” Ms. Scigliano said of the wireless system. “We were bringing new [technology] tools to the schools. But we didn’t realize the challenges they had.”