The early March onset of the coronavirus pandemic in the U.S. forced the majority of the nation's school districts, ready or not, to embrace a fully online learning model.
As buildings closed to help slow the illness' spread, administrators had to confront a number of questions: How do we quickly provide training to do this effectively? What about students who lack home internet access? How should assignments be structured to take pressure off of families also dealing with layoffs or adults now working from home?
And, of course, how do we keep students and sensitive information secure in a fully remote learning environment?
"This is a story that isn't going to be able to be fully written for a while," said Doug Levin, president of EdTech Strategies, a strategic research consultancy. "Like many things about the situation, it continues to evolve. There's always a lag time between when schools experience incidents and when those incidents become public, and that lag time may be greater today, when many people are not physically in schools and they're juggling many other priorities."
What risks might be higher in remote learning?
Perhaps the biggest concern in such a dramatic and quick shift to an entirely new model of learning is the potential deployment of tech that hasn't been fully vetted, and which educators and students haven't been fully prepared to use.
"If they didn't already have a set of tools they were using, in many cases they needed to find, or just essentially deputized their teachers to find, whatever they can ... to deploy," Levin said, adding that with cost often being one of the main criteria alongside ease of deployment, the use of consumer apps and tools that weren't designed for education can complicate security concerns.
"Free is a great price, and anything above free creates a lot of friction in that process" for some districts, he said, adding that while there are many free tools and services online, they may be riddled with inappropriate advertising and user tracking, insufficient privacy controls and even malware. Thus, the potential risks of running afoul of student privacy laws like the Family Educational Rights and Privacy Act make being aware of these risks and taking time to vet a tool or service all the more critical.
Additionally, Levin said that there is risk in situations where students or educators, in particular, might be using personal home devices, which he said are more likely to be unpatched and unprotected, running the risk of introducing things to school networks and systems as a result — especially as protections in place on school networks might be lowered to better allow for remote access.
"The more sophisticated school districts will have a VPN app to encrypt the traffic from a person's machine at home to the school district," he said. "Some may not have that. One of the more recent threats that people have been alerted to is the hijacking of home routers, which are notoriously insecure."
If a malicious party were to hijack a home router, he said, they could introduce malware to that person's system, and that malware could potentially find its way to the school network and get past filters or firewall protections that are in place.
Zoombombing and other video vulnerabilities
In Pennsylvania's Quakertown Community School District, located about an hour from both Philadelphia and New York City, Director of Technology Joe Kuzo isn't particularly concerned about the standard cybersecurity risks. The district was well prepared with a 1:1 Chromebook program in place for several years and the capacity to expand access to students who needed it.
"To my knowledge, I really have not seen exploited Chromebooks out there. It’s just not a big target for people," he said, also noting that all district devices have antivirus software on them.
But in a remote learning environment, where teachers and students are doing work through video sessions and message exchanges, Kuzo has concerns that identifiable student information might somehow leak unintentionally. Users being more careful in this environment, particularly as it relates to information they send or share, is critical, he said.
Many districts using the Zoom videoconferencing app for lessons have fallen victim to "Zoombombing," in which an unauthorized user gains access via credentials obtained elsewhere online, or perhaps even by chance, and bombards other users with disruptions that range from profanity to pornographic images.
A number of districts, including the New York City Department of Education, have banned the use of Zoom as a result, though others have worked around it by adjusting the app's security settings.
Levin suggested that some Zoombombing may also be solicited by bored students acting out. "So, literally, they will go on to social media or Discord or wherever, and they will post the credentials for their course and say, 'This is the biology course. It's this time in this time zone. Here's your meeting ID and the meeting password.' Or even, 'Say your name is X or say your name is Y, or the teacher doesn't know how to kick people off.'"
In Quakertown, Kuzo has only used Zoom for board meetings, and said he "luckily" learned from the mistakes of other districts that used the software before he did, tightening security measures before its use. Students and teachers, meanwhile, are using Google Meet for virtual lessons.
"Those [meetings] are typically not published," Kuzo said. "They’re going to be sent directly to the students through the web portal, whether it’s Seesaw or Canvas."
No matter what platform is used for lessons, however, it remains crucial that educators think before posting photos of their students in online classes, or similar material, to social media, as doing so could constitute a FERPA violation in addition to leading to harassment from online trolls or other malicious actors, Levin said.
End user is greatest potential vulnerability
Ultimately, as in normal circumstances, the end user remains the greatest potential cybersecurity threat. Training students and educators to identify phishing attempts in emails, suspicious websites and other scams is the foundation of any strong cybersecurity plan.
Kuzo said he's been using KnowBe4 in Quakertown for two years to conduct simulated phishing attacks. "I’ve seen a pretty large decline in the number of clicks we get," he said of the security tests, which are designed to try to trick students, teachers and others on school devices and networks to gauge security. He added that every three months, he does a deeper dive to try to get credentials and still sees those numbers declining as well.
Levin noted that it will be crucial to ensure vigilance remains high when educators and students return to buildings, as he tends to see an uptick in incidents at the beginning of the school year when people might not be as careful while trying to clear a backlog of emails.
"I've been kind of waiting for a shoe to drop, and I just haven't really seen it outside of Zoom," he said. "I think it's just a matter of when, and that back-to-school timeframe may be the when."