Until a few years ago, most people thought of hackers as bright but maladjusted teenagers who mainly broke into networks for the fun of it. But now that hacking has gone big time, you're more likely to associate hacking with organized crime groups or "state actors."
But student hackers haven't gone away, which makes protecting student privacy a real and ongoing security challenge for K–12 schools. After all, school networks hold a wealth of personal identifying information (PII) about their students, and many schools are stretched thin when it comes to resources for managing and safeguarding their networks. To make matters more complicated, schools are also full of students who have grown up with computers and therefore know more about this technology than most adults. And these students may hack into school networks, whether maliciously or for the sheer fun of it.
Back to the Future
The 1983 movie WarGames introduced many Americans to the personal computing age. But the technology shown in the film is so ancient (eight-inch floppy disks!) that many IT professionals today may not even know that it ever existed. In fact, while the movie is all about hacking, the words "hacking" and "hacker" are never used. As Scott Brown points out in Wired, no one had yet heard of these terms, at least outside of geekdom.
The movie revolves around a teenager (played by Matthew Broderick), who inadvertently hacks into a military computer and starts playing what he takes for a game: Global Thermonuclear War. Scary hilarity ensues. But in one early scene he seeks to impress a girl (Ally Sheedy) by hacking into their high school network and changing her grade. Fast forward to last fall when, as ABC News reports, three New York area high school seniors were arrested for hacking into their school network and changing grades.
From Changing Grades to Identity Theft
Clever students may no longer dominate the public image of hackerdom, but student hacking is thus alive and well. This means that student privacy is a real and ongoing risk. According to the ABC News article, the real-life student hackers were able to gain access to information including student ID numbers as well as names, addresses and contact information. The potential for serious harm is obvious here. Cyberbullying using social media has become a national issue, and malicious hacking could give online bullies another weapon against their victims. Even without malicious intent, revealing students' PII could all too easily pave the way to identity theft and other crimes. (And schools might well be hacked by professionals, not just technically proficient students!)
Part of the challenge lies in the fact that the industry doesn't know how often school hacking occurs. Schools resemble the healthcare sector in that they're highly fragmented. The United States has thousands of separate public school districts, plus thousands more private schools.
Most of these schools and districts face budget challenges, making them reluctant to pay for full-time, professional sysadmins. And a coach or math teacher who once played around with computers is no match for a sophisticated, up-to-date hacker. It's impossible to know how many breaches go undetected.
The good news, according to Fedscoop, is that there are some simple but effective measures that K–12 schools and districts are taking to protect their networks against hackers, whether "rogue" students or conventional cybercriminals. Two such measures are investing in a robust firewall and talking to third-party vendors about security concerns and requirements. Another measure is to educate students, teachers and staff in how to create and use strong passwords. This lesson will also be useful to students long after their graduation day.
Protecting student privacy ought to be everyone's concern. Whatever time of day you are reading this, do you know where your children's school network data is?