The Privacy of 100+ Million Children, Families, and Young Adults Is Unprotected
4:06PM Aug 2, 2020
Get local district to the State Department of Ed. Our teacher certifications are tracked via the local district, along with previous employees and their dependents. You can see that 100 million is actually kind of conservative. Although, a bit of clarification: not all districts are expected to go it alone. In states like mine there are educational service districts, or ESDs. These serve the collective needs of many districts by hiring for roles that would otherwise be too expensive for the districts to fund themselves. Districts pool funds through various mechanisms and use that aggregated money to provide for centralized support.
All of this is on the premise that K-12 information security and privacy protections are important. There are three main justifications for that. The first reason is, it's the law. Student information is protected purely by FERPA, or the Family Educational Rights and Privacy Act, a piece of legislation over 40 years old. FERPA was one of the first pieces of legislation, though, that introduced the concept that rights to the data belong to the subject rather than the data holder: educational performance information cannot be shared unless permission is granted to do so. An important caveat is that of education officials, which is basically anyone that the district determines to have an educational interest in the data. They can access it to aid the district in the education of the subject.
This includes third parties.
There's also the concept of directory information. Think of this like Jostens mailing you cap and gown ordering information. Families can opt out of this, though. Finally, there's PII: thanks to a 2008 amendment, an educational institution must apply reasonable measures to limit disclosure. But in an industry that is reputed for its lack of funding and staffing, reasonable is anything but, and far lower than the standard of due care in other industries. A scary but little known fact is that FERPA trumps HIPAA, and I wish it didn't. But when we are looking at student data, and there is medical information somehow attached, perhaps in the form of an accommodation or medical schedule, FERPA applies and HIPAA does not take over. For the average student, there isn't a lot in that student record: grades, some teacher comments, attendance data. But for the more vulnerable students, there could be a lot of information there: reports on suspicion of abuse, suicide attempts, police investigations, medications, discipline data. Compromising the privacy of these already high risk students may be damaging to them in a permanent fashion. In any case, ethics needs to take a front row seat. School districts are in possession of data that they are ethically and legally bound to defend. The second reason K-12 infosec is important is sensitive staff information. This data is the basic information that is maintained on employees in any organization: Social Security numbers for tax purposes, bank routing and account numbers, dependents' Social Security numbers, home addresses, etc. This also contains information that is HIPAA protected. Consider the teacher who may have experienced on the job trauma. They may file complex forms requiring sensitive information for leave of absence approval. Teachers can also be mobile, moving from district to district in a metro area, meaning that a breach likely affects far more teachers than just the current teaching staff.
The third reason, and perhaps the most significant in terms of motive: school districts sit on piles of cash. According to the American Association of School Administrators, 85% of a district's budget is expenses such as salaries, in many cases transferred into district accounts at the beginning of the fiscal year. Business email compromise attacks are on the rise because school staff often have minimal security awareness, and tens of millions have been lost in this fashion. Further, facilities improvements can sometimes run into the hundreds of millions, so multi-million dollar transfers of funds are not uncommon. The public and district administrators would be correct to state that district technology budgets have generally increased as a proportion of overall operating budgets. So why are improvements to security posture stagnant? Starting in 2010, districts in the United States started making large pushes into digital conversion, in an attempt to avoid human error, ease teacher burden and leverage efficiencies by delivering curriculum digitally. By 2011, 94% of 1000 teachers surveyed made use of a student information system for the recording of grades, attendance and discipline. By 2017, 50% of all teachers surveyed made use of one-to-one computing, which is a ratio of computing devices where every student has access to a device; that percentage is expected to have increased into the 80s by 2022. The simple fact is that money has poured into K-12 technology departments, but only so it can be poured right back into the classroom. Technology footprints have dramatically increased, while proportionate increases in staffing, information security tools and addressing technical debt have gone ignored. Following my doctoral work, I decided to interview a series of K-12 IT leaders to understand their perspective on what I had presented. 90% expressed a reluctance to force the issue of data privacy and information security budgets, at the risk of being perceived as not being student focused.
These things will always help. How about an FBI warning?
On September 13, 2018, they released the warning titled "Education Technologies: Data Collection and Unsecured Systems Could Pose Risks to Students." As I was in the midst of writing my dissertation, the FBI released this. I think we've all seen the PINs, or private industry notifications, but that isn't what this is. Look at the picture. This was a public service announcement; they weren't warning education IT leaders of an attack vector. They were warning the public that schools were likely being attacked, and to hold those leaders accountable. This warning was made with the intent of increasing public awareness of unsecured systems in the K-12 environment. To be fair, many seem to be configured to leak data off the shelf or, if not, by the time you get them to exchange information they do. You know, it really threw me for a loop, though. Was this the watershed moment that would lead to sweeping legislation? Was my dissertation going to be published just after the world was made aware of the issue, and get drowned out in the noise? It was like pointing up after the asteroid hit. But in the end, fixing the problem with weak security and privacy protections is the goal, and surely this would help that. Right?
According to K-12 Cybersecure, reported attacks were triple in 2019 what they were in 2018, and an interview with the site's proprietor, Doug Levin, said incidents were on pace in the first quarter to double in 2019. Of course, COVID has had a profound impact on reported incidents and skewed the attack surface significantly. Of course, just in time for this talk, there was another one: on June 23, 2020, "Ransomware Targeting of K-12 Schools Likely to Increase During the COVID-19 Pandemic." But a quote from this sums it up: "K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks." I couldn't think of a better way to sum up the problem definition. Thank you, Agent Lewis. K-12 information security and privacy is a problem in the nation's schools; they are a huge soft target. For my study, I decided to speak with information security leaders from around the United States. Using a semi-structured interview format, which is an interview with probing sub-questions, I attempted to learn what made each successful. The questions were designed to discover what strategies may be available to those leaders, who had each suffered from a subjectively significant breach and were able to recover from it. I asked questions regarding fiscal constraints, such as the proportion of IT budget to overall budget, and the infosec budget as a proportion of IT. I also asked about the regulatory environment and the regulations or standards that the subject organization was obligated to comply with. I asked about the culture of the organization: is the organization open to altering practice to improve security posture, or is that viewed as information security's problem? I asked about the use of audits and auditors: does the leader approach the audit findings as a tool or a criticism? What frameworks do they use to define their security efforts?
And finally, what is the configuration and scope of the security team? For instance, is antivirus being handled by desktop or the security group? Are firewall rules being managed by security or networking? These are the sorts of operational duties that can really grow the team size.
The first and most prevalent theme that emerged from the study was very surprising. The need for prescriptive laws, regulations and standards was cited 91 times as a supporting strategy that made subject information security programs more effective. 100% of the respondents cited that regulatory compliance is one of the key drivers they leverage for improving information security posture within their organizations. From the table, you can see that HIPAA was cited the most, followed by PCI DSS and Sarbanes-Oxley. I honestly expected the number one spot to be budget. Looking more qualitatively, though, the subjects indicated that the compliance requirements drove budget allocations. One participant stated that there's a lot of power behind it, telling your boss, "I need a budget uplift of X percent or we will be breaking the law."
Budget was very close, though, at 88 mentions. The theme was identified as the need for proper budget and staffing allocations. I think the most consistent spread was in the infosec budget as a percentage of total IT budget. This ranged from 3.25% to 10% of the total IT budget. There was one interesting outlier, which was an organization that did information security contracting, so it had a small internal spend, because they simply use Workday and O365, and literally almost all of their staff was an information security subject matter expert. There were strong indications that subjects that had information security teams 4% or smaller of IT size used outsourced security and deputized a fair portion of their information security field work.
The final theme I will talk about before getting into the implications is the need for a culture of security. This was defined as a baseline technical competency, along with a willingness and personal ownership for performing tasks securely. Participants reported that they would not have accepted the role were it not for the strong support of executives to change practice. Additionally, participants reported that organizations that lacked a culture of security meant that creating that culture must take place first. Others stated that building the culture is a steep hill to climb; another subject stated that you simply cannot spend your way out of a bad practice. Those top three were only separated by seven mentions; the rest are in the table here, or, stated differently, a pyramid, in which you need the foundation of a base of laws, regulations and standards, the next layer of appropriate staffing and funding, and a culture of security. On top of this, the organization should follow a security framework. NIST was popular, and many were crosswalking NIST to CIS to HIPAA and others to make sure compliance efforts didn't miss requirements, yet were not beyond what was necessary. Augmenting security teams: participants talked about how security teams may be small, but there may be deputies in other departments such as desktop technicians and network, as well as employing managed security service providers to handle the monitoring of alerts, allowing infosec to focus on more deeply technical and strategic security and privacy work. And finally, the cyclical use of auditors to test the whole process, point out defects, and use that to drive the next period of the security group's focus and spending. The best quote was that there is no sliding scale of responsibility based on your size: if you have the data, you have the obligation to protect it. This was by a CISO who identified HIPAA as their primary regulatory obligation, and it's great. I often encounter one of two mindsets. The first is that I'm small, I'm not a target. The quote goes, the spider doesn't target a fly; any fly will do. The other is that I'm small, I know I have this obligation, but I just can't: the accept-the-risk model. This one is harder to swallow; there is a risk and reward assessment taking place here. The idea is, I'm small so I can't afford it, the data is sensitive but no harm, no foul. So really, I can survive the lawsuit, assuming there even is one, and I have cyber insurance. Meanwhile, the loss of privacy is a bell that cannot be unrung. Healthcare providers get it. Why can't education?
So, we've established that districts are stores of sensitive information, and that they have large sums of electronically managed funds. If nothing else, think of the federally funded bandwidth needed to support thousands of endpoints. Imagine the denial of service you could launch. As I mentioned earlier, after I was done with my doctoral work, I followed up with a group of education technology leaders to get their assessment of my findings. One gave me an excellent quote: "We are at the same point that healthcare was before HIPAA. There is no requirement to protect data, and no penalty for failing to."
But what about FERPA?
The American Enterprise Institute called it the joke with no punch line. This is referring to its lack of enforcement capabilities, and also its lack of civil recourse for families. The ultimate consequence of FERPA is to lose federal funding, but the Department of Education has never taken this option. In 2015, the Student Privacy Protection Act, H.R. 3157, attempted to amend FERPA to allow for fines and restitution to victims, but it never made it much further than introduction. Also, we have a set of circumstances where the reality is that technology spend is increasing tremendously, but in a way that has only increased the pressure on overtaxed technology departments, not decreased it. Again, this goes back to the ease with which districts can buy things, but the gap between owning things and being able to support, or even use, them is real. This has led to critical levels of technical debt and increased the support burden, so that there is little time to devote to less visible but equally critical security and privacy tasks.
What school districts need.
My first recommendation was that there must be prescriptive laws governing K-12 information security and privacy. I would recommend that FERPA amendments be made to define legitimate educational interest. Additionally, a revisit of the Student Privacy Protection Act should take place, establishing fines and civil recourse for victims. This is important: if the value calculation can be redefined so that leaders can assess the cost of staff and tools versus the fines, infosec leaders can push information security and privacy posture forward. Going further, though, all districts should be made to comply with an annual audit that comprises financial and information security elements. This way, the information about poor security posture can be put on display, and elected board officials can be held accountable for lack of action. This one still gets me. You can get a fine in the millions of dollars for losing data about a clinical trial for hair loss medication, or do time for misstating how many Twinkies you sold, but by lack of action you can literally ruin somebody's life, and your worst case scenario is five years of credit monitoring and a week of bad press. Two: fund staff appropriately. One thing I have found in the public sector is this incredible propensity to buy stuff and avoid hiring people. It's unfortunate, because no matter how much a security company is going to say otherwise, security tools require a human to configure, tune and monitor them, or at the very least to respond to the alerts they produce. I was made aware of an anecdote where a school district had purchased a $200,000 intrusion prevention system that had sat on the shelf for so long that by the time it could be installed there was no useful life left on it. Districts struggle to spend unused dollars at the end of fiscal years rather than take a holistic look at the needs of their department and make permanent budget adjustments in the following fiscal year.
K-12 needs to stop acting like it's not beholden to the same standards of due care as other industries. If the cost of securing your technology footprint is X, you are beholden to spend X. Three: education leaders need to foster a culture of security in their organizations, leading from the top. Educational organizations need to be willing to take on user security awareness training, more secure practices, and holding everyone accountable for basic security and privacy protection literacy. Use that literacy to teach students as well, so the next generation can start thinking about privacy before they need to and not after. Four: follow a security framework. NIST, CIS, it doesn't matter. Having a security framework goes from thinking about a security project here and there to planning an effective security and privacy program. Five: augment your security teams. Having the security team stare at a console or reimage an infected desktop doesn't leverage their skill. Use a managed security services provider to augment from the outside; use security enthusiasts within IT. And no matter what, track what isn't getting done. Six: use audits. Get Nessus and audit yourself, hire external auditors, but have a formal process of auditing and reporting on your security posture. Seven: investigate partnerships. Look at the State Department of Education level, partner with neighboring districts, and make use of educational service districts if they're available to you. We should also develop federal funding for information security interns. No matter what, though, find some way to leverage the power of aggregate need and funding to help move your security posture forward. Districts don't have to go it alone or settle for ambiguous advice from peer groups. What you can do: your local school board will have regular meetings, and most of them allow the public to make brief public comments. Sign up to speak and question them on how they are addressing their security posture. Are they performing annual audits? Are they reporting on audit results and reporting on remediation plans? What is their patching policy? Ask if any of the board is aware of the guide "Data Security for Schools" by the National School Boards Association. All of these are part of basic security hygiene and likely something that should be readily answered. Meet with your school board representative and talk to them about the importance of security and privacy. Better yet, run for your school board. But if nothing else, vote. Also, write your senator or congressman and let them know about the importance of adding penalties and enforcement to FERPA. Meet with your state representatives and talk about the importance of requiring annual security audits in addition to financial audits. Finally, information security literacy is starting to make its way into business leadership programs; the same needs to happen for school leadership programs.
If you're going to lead a school, or eventually a collection of schools, basic security literacy needs to be a part of the skill set for licensure. Contact your state professional education Standards Board and tell them it's time to update their program.
Keep in mind that this talk was put together before the COVID crisis. Right now, schools that have never had fully operational distance learning platforms are attempting to create them from scratch in months rather than the years they usually take. Administrators are attempting to solve for combinations of on-prem learning and computer based distance learning, and trying to solve for everything from COVID positive cohort isolation to socially distant woodshop. This is something I call shouting during a hurricane. This is important and it needs to be said, but in the context of the thousands of other things, does it get drowned out? Is this the right time to say it? Is this the time to demand action? It would be easy to say that this is the time to focus elsewhere. We know how ineffective it is to bolt on security as an afterthought, though; it just sits somewhere in the middle of a stack of technical debt. We know about it, but we never get to it, which becomes self reinforcing: since we have not done it and nothing has gone wrong, it isn't that important. The implication of all the other pressing needs I just mentioned, though, is an even bigger technology footprint, even more to protect, even more to go wrong. What's more, I believe this is exactly how we got here in the first place. There will always be a more pressing need or program that has merit, something that needs the cycles or the money or the focus of district leaders. We need to impress upon lawmakers and district officials that the cost of having sensitive data is the obligation to protect it, regardless of size, schedule, or budget.
This brings to mind the complacency problem. There have been numerous districts that have had very public battles with the issue of complacency. This is largely due to insufficient resources eventually muting the alarm bells rung by those aware of serious issues. At some districts this took the form of lead in the water: measurements had been high, but repair costs were significant and the direction unclear. After years of being met with rolled eyes, those with knowledge of the problem go silent. At present, percent of the K-12 leaders interviewed felt that senior leadership was unaware of the state of information security in their organizations. 70% felt that they did not care, which brings up a final recommendation: all school boards should have a form of anonymous reporting to the board, a way to ensure that known problems become solved problems and not scandals.
So in the end, who is responsible? I wish I could say I found some bad guy, but really it's no one and it's everyone. Is it the superintendent, who is doing what is legally required of them? Is it the school board members, who joined with the idea of making things better, but don't get some grand onboarding that tells them about the state of infosec and every other back office issue in the organization? Is it the technology professional, the hackers need for talking about it? In the end, people are doing what is required of them, and it's time for us to require more, as parents, as students, as voters, as taxpayers. The burden for improving K-12 information security and privacy posture falls to all of us. We must vote for the candidates that respect our privacy and believe that it must be protected. We must demand answers and hold leaders accountable for their actions or, more importantly, their inactions. And we must be willing to fund what it takes to pay for such requirements. Don't assume that your district is secure; it may score very poorly on an audit. Instead, assume that it needs that audit, and after that it needs to act. It needs to act to ensure that our teachers can worry about teaching, and our children can enter the world with a clean slate. I would like to thank my original study participants and the subsequent interviewees for their contributions in time and insight. I'd also like to thank you for your time, and I would be happy to take any questions you may have.
"The Privacy of 100 Plus Million Children, Families and Young Adults Is Unprotected." And we are here with Dr. Travis Paki. Hi, Travis.
Now, attendees are invited to ask Dr. Travis Paki their questions. Please add your questions to the session Q&A channel in our Matrix server, and they will be relayed here. Our first question from the audience. This is interesting: a member of the audience asks, are schools, and especially entire districts, accepting of qualified IT and especially infosec volunteers?
You know, I would say ask. The problem is that you're going to have to pass a background check; there's going to have to be some way to absorb that work, some way for that team to be able to make use of that. But I would certainly be accepting of that help; I think others would too. And in the state of Oregon, they've actually tried to get a co-op SOC put together to aid smaller nonprofits to be able to make use of those resources.
Thank you. Another question from the audience: what actions can be taken by non-parent former students? This person said, "I want to affect change in my local schools for the privacy of students, but I fear I will be screaming into a void as someone who is not a parent, business owner or politician."
I would say talk to that politician, talk to your school board representative. Even if you don't have a child in school, you are still a stakeholder in what they do in that school board. Talk to them about your concerns, and have them take that to their board meeting so that they can be asking that of the professionals within that organization.
We had a couple of interesting comments from our Matrix chat. One person says, "Damn, I don't have any questions, just frustrations. Why secure it when the football field needs AstroTurf, you know?"
And this was one of the bigger problems: if you look at a school district, it typically says, I need this much money, or I have this much money and this is how much I need, and there's always that delta there between what it has and what it needs. It's a constant choice between what we should do and what we're being asked to do. There just isn't enough to support everything. And that's one of the things to advocate for. We do need to fund schools at the cost it takes to operate them. We can't just say, yeah, I know you said you need 60 million, but here's 50 million, do your best. I mean, that gives us what we got.
Another audience question: how could or should we advocate to get help from students in the schools?
You know, that's one thing that I'm really focused on: can we develop a national program that just earmarks funds to have a student-led cybersecurity intern program stood up? And the reason why I say it at the federal level is because if you don't earmark those funds, it can turn into CTE programs, that turns into Java programming, that turns into something else. Really earmark federal funds for that type of intern. I think that there is a lot of work there; there's also a lot of resources there. NICERC has been out developing infosec curriculum that is appropriate at the K-12 level, and they've been doing that for years.
And yet it's the K-12 kids that seem to be, you know, surprisingly knowledgeable in these areas, whereas the adults in charge of them aren't. Another question from the audience says, students reporting security problems might get attention and recrimination. Any advice for this?
Yeah, again, I would say go to that school board member. I mean, the main issue that you're going to have there is that somebody's being called out for pointing out a flaw. That's not a bad thing. Thank you. Please do. And if we're taking the attitude that it's a criticism rather than a help, that's the wrong perspective to take.
An audience member who has a child getting ready to start school asks, any tips or suggestions or warning signs to look for, as an almost pre-K parent looking for a school district in the near future?
You know, the thing that I would say is ask if your local district has run a security audit. A lot of them are doing it voluntarily just so they have something to justify their position and their spend and their process. So see what that is, see if they've done one, see if that's moving forward.
Another member of the audience asks, are there any examples you can think of of bad consequences of breaches?
You know, the biggest piece here, and this has been a really interesting conversation among peers, is what is the impact of a data breach, what is the impact of a student data breach? And to me that's privacy; that is the bell that can't be unrung. The other type of impact, the ones that usually make headlines, though, are what happens when somebody gets into the system and starts really doing damage in terms of finances. And that can be the loss of paychecks. We managed to phish people's passwords and we get the paychecks redirected to another bank account. You know, 30,000 here, a million there. I mean, in the grand scheme of cybersecurity theft losses in the course of a year, yeah, it's not massive, but these are school districts that already didn't have enough money to begin with. So losing even more doesn't really help them.
Yeah. Questions keep rolling in on the Matrix chat, and we continue to invite those of you who are in the Matrix chat to keep asking questions. Here's another one. If you're building an education technology tool for school districts, what's the best way to work with IT departments and district infosec staff to help them feel secure about deploying it? Are there particular standards that education tech tools should be built to?
A particular standard, I would say, doesn't really exist, but should you be able to sit down with that IT department and ask them what they're looking for? Absolutely. Are we looking for certain guarantees of data protection, or are we looking for basics? How do you get data in and out of the system? Are you extracting by CSV and then FTPing it, or doing some kind of file transfer, or are you actually taking in an encrypted API call and transferring that between systems? One thing about the education ecosystem is that there's enough software out there so that you almost don't have to write anything. But what you do have to write is the interfaces between them. And what we find is a lot of education technology software doesn't recognize itself as a part of an ecosystem. It doesn't say, I need to create an API so that system X can come in, grab my data and securely exchange it. Instead it's, I need to extract it, put it on a file system, wait for it to get picked up, and then I move it over, if you're lucky via SFTP. I mean, I would say look at those transfer mechanisms more than anything; that's going to be where a lot of the vulnerabilities come in.
A member of the audience asks, as a network admin at a K through eight, I do whatever I can to educate kids about security and being cautious online. However, no student data is stored locally. What are your thoughts on PowerSchool and other cloud based information systems? Are they secure?
Oh yeah. So one of the things about PowerSchool and the other cloud hosted student information systems: those are great, you're transferring that risk out, until you do what I just said, which is you take a CSV download and store it on your desktop. It gets to the point where there's just a lot of data exchange and there's a lot of insecure data storage, and it's not in the major technology solutions, it's in the data interchange. It's in that, hey, we have to store information somewhere; is that storage place secure? Once they download it and they manipulate it, are they putting it on a laptop and leaving it in the back of their car while they walk into Costco or whatever? That's where we lose records.
Another question: what requests or suggestions do you have specifically for the whole audience for how they might help to address the challenges you've been discussing?
Please talk to your school board. I would say go there and try to understand, get a few minutes and just ask, what is your cybersecurity posture? Try it. Try and make sure that your local district is doing what they can to push this conversation forward.
There are still lots of good questions coming in. We've got time for more questions, so keep getting your questions in on the livestream session Q and A channel on Matrix. A member of the audience asks: am I correct to understand that, disturbingly, vulnerabilities, underfunding, and inadequate privacy education and infosec are far more prevalent in low-income communities and districts?
You know, I would say most districts are underfunded in terms of being able to secure themselves from a cybersecurity stance. But yes, I would... I don't have data on that, and my presumption would be yes.
What are some of the next steps for you in your effort to tackle the challenges you shared with us today?
I'm going to be working with my state leaders. I want to talk to them about putting teeth back into FERPA. You know, if we've got a privacy law that doesn't have any penalties, I'm not thinking that that situation is going to improve for us. Once we create the penalties, then we create the motive. Then we create the funding mechanisms, then we create the solution.
There was some discussion earlier in the channel about the point that the kids in school... there are still schools, and this seems like an antiquated point of view for a school, like maybe from my day as a student about 100 years ago, but there are still schools that find that when one of their students comes up to them with reports of some vulnerability that they found, the reaction is to punish the child rather than celebrate them, thank them, and maybe put them to work.
You know, one thing I would recommend is not just approaching the school, but also being cognizant of the vendor where they found the vulnerability. And yeah, if it's the school's network, then, you know, approach the school. But if you're talking about a vulnerability with the student information system, contact the vendor. The vendor is going to be far more receptive to that, and maybe even contact the school back and say, by the way, you know, your student such and such pointed this out and we're really grateful for it.
Another question came in from the audience: what types of anonymous suggestion have you seen that were effective to report problems to school higher-ups?
No, it's as simple as the suggestion box. You know, something that gives somebody the ability to report anonymously and say, look, somebody needs to take a look at that lead in the water report; somebody needs to take a look at, you know, the fact that the roof is caving in in the back classrooms at, you know, high school X. Those are the kinds of things that people raise the alarm bells about over and over again. And they get silence, not because they're told, hey, be quiet; they get silence because it's just not changing. The funding isn't there to resolve the problem. But, you know, like I mentioned, that's how problems become scandals. It's not that anybody set out to not solve it. It's because we just didn't think it could be solved. So, getting the attention of an elected official, getting them on notice, hey, this is a problem, what are you going to do about it? At least it gets that decision made at an official level.
You spoke a little bit about the consequences of a data breach, which, you know, just seems to be sort of a slap on the wrist when you consider that if the personal info of a child in school is breached, that's something that the child will have to deal with throughout the rest of their entire life, probably on things like misuse of info for credit fraud and so on. What do you think are the chances of maybe getting some actual consequences with teeth in there for schools that fail to provide the protection they should for the data?
No, that's a really difficult one, because who is that person? Is it the infosec person or the network administrator who didn't have enough money to do the security work? Is it the highest person in the organization, the superintendent that didn't allocate money, or a budget director that denied a request? I mean, there's a lot of places where this could go wrong. I think the biggest thing, rather than having it be a job-related consequence, is more of the, hey, we need to do something about this, this needs corrective action, and the better time to take corrective action is before the problem, not after. So how do we get to a point where we are reporting these problems to the officials, getting them in the public, because that's what the school board meetings are for, and making sure that those meetings are out there, and that information is out there, and people are held accountable for addressing it?
So, looking at moving forward, someone asks: are there any model school districts in the US, or abroad, that are being used as a template? Is there anything that we could learn from them?
Um, yeah, there are many, and I hate to indicate that there's one that's doing things, for a couple of reasons. One, I don't want to jinx it and cause them to have a breach. And two, the other piece of that is, they're models because they have followed this practice; they're models because their state has come in and said, you know what, you're going to do an audit every year, and you're going to report on that. And Massachusetts has gotten really good about that, but at the same time there have been breaches in Massachusetts. So it depends on your metric. I think there needs to be a different metric than "has there been a breach at this school," because, you know, breach is also your ability to detect something wrong. It's not just the fact that somebody didn't get breached that makes them good; it's the fact that they detected a breach and remediated it. That is important.
I think this will be our last question; we're running low on time. A member of the audience asks: for schools and districts which still have issues even having internet connectivity and computer access for their students, are there resources for implementing good security practice in the baseline tech acquisition?
You know, it depends on how that tech is acquired. If we're looking at something like a PTA fundraiser, you know, probably not. If they're doing that through a bond or some other funding mechanism, then yeah, I would say that needs to be a part of that plan: as we acquire 10,000 Chromebooks, as we acquire 40 Chromebooks, how are we improving our security posture in a way that is commensurate with the increase in technology footprint?
One last question for you: how can people who are interested find out more about your work, and how can they get in touch with you?
Email me at t email@example.com tp a kk. I'd be happy to send you my resources and the link to my dissertation that is out of my S3 bucket.
Excellent. Dr Travis Paki, thank you very much for joining us today. Thank you. We will just remind HOPE attendees that at 1500 hours this afternoon EDT, you are invited to take the stage. You have up to five minutes and up to five slides to share your knowledge of interest to other HOPE attendees.
Go to the help announcements channel on Matrix just before the start of the session. Again, it's 1500 EDT. To get the meeting link and to give your talk, no pre-registration is needed.
Dr Travis Paki, thank you once again for joining us. We appreciate you very much. Thank you very much, ground control.