In a virtual panel during the annual ISTE conference last week, Nathaniel Evans, cyber analysis and research lead for Argonne National Laboratory, led a group of educators through a discussion of the importance of cybersecurity awareness in K-12 and also where the subject can fit in curriculum.

Cybersecurity has grown as a concern for school districts in recent years, with K-12 among the most popular targets for ransomware, and it typically fits into one of three categories for school districts: traditional information technology, digital citizenship or cybersecurity workforce.

Traditional IT

Since 2016, there have been around 1,110 publicly reported cybersecurity incidents in K-12, according to The K-12 Cybersecurity Resource Center. These have involved disclosure of personal data, ransomware, phishing, denial-of-service and other types of incidents that led to school disruptions and unauthorized disclosures.

"Obviously things have changed dramatically," said Kenneth Kass, executive vice president for technology at Endeavor Schools, a growing family of private schools based in Florida. Around 15 years ago, he said, personally identifiable information was on everything from checks to certifications and more. But the expectations have changed in a digital world.

"Once upon a time, schools were left alone, right?" Kass continued. "You didn't attack a school because it wasn't education [hackers] were after. [It was] businesses. Hackers were trying to monetize. Now, schools and even governments are victims of attacks."

But there are a lot of tools available for deployment in schools, like firewalls and scanning technologies, so administrators don't have to be constantly on alert about their data. "You should always be focused on being secure," Kass said, "but some of these technologies help us to kind of say, 'Oh, I have a link scanner, so it pops up and says if this link's legitimate.'"

Remote learning has been a huge challenge, as well. "Sometimes you have to give a little bit on the security side to get things going, but you try and give in places where it's not risky," he said. It might be OK to join a Zoom meeting from whatever device you're on, but you want to keep student info in a secure system. The need to roll things out quickly has to be balanced with enough care to not expose undue risks, he added.

Other ongoing cybersecurity concerns in K-12 IT this year have included remote support issues, the rush to adopt tools and resources without potentially vetting them to the extent needed, and the potential for devices to become infected with malware while they're beyond the safety of school networks.

Digital citizenship

Teaching students how to stay safe online is the second pillar of what Evans called K-12's "tri-fold approach" to cybersecurity. This includes lessons on information literacy, cyberbullying prevention and awareness, online safety, digital responsibility, and health and wellness in the digital world.

Basically, students have to understand the types of data out there, the data they put out, and what types are good, bad or should be more protected or controlled. 

Noting that she has felt a bit of unpreparedness in the past, Sara Gonzalez, an EL resource teacher at Maya Angelou Elementary School in Harvey, Illinois, said, "Because of my own interests, I brought into my teaching things like digital citizenship, coding, computer safety and things like that into classrooms on my own."

One thing Gonzalez said she incorporates is Google's Be Internet Awesome curriculum, which is available free online. "When I was a classroom teacher in 3rd and 4th grades, we would use our time in the computer lab to explore Google's online Interlab and discuss the different scenarios presented and what we would do as a response to that."

She now sees small groups of students throughout the school day as a resource teacher, and incorporates these materials more on an as-needed basis.

Among topic areas she likes to cover are:

• Sharing information with care.
• How to not "fall for the fake."
• Making sure secrets are secure while being "internet secure."
• The importance of remaining kind online.
• Talking things out when you have any doubts.
• Coming up with a plan (usually talking to an adult) if you run into any trouble.

One area of concern for her in a remote environment is the practical use of this learning by students, as well as the potential lack of awareness among teachers that resources like Be Internet Awesome exist.

Cybersecurity workforce

There's a considerable and growing hole in the cybersecurity field, which is estimated to grow to 3.5 million unfilled positions in 2021. "There needs to be more and more people interested in tackling careers within this field," Evans said, noting that there has to be an increase in the high school and collegiate graduates interested in cybersecurity.

Part of that involves expanding the cybersecurity engagement pipeline to include not just educators and curriculum specialists, but also career and technical education programming, cybersecurity competition organizers, ed tech vendors and nonprofit organizations. All of these are important, Evans said, to boost engagement with the field.

Getting kids interested early is increasingly important. Jessica Boersma, a 2nd grade teacher also at Maya Angelou Elementary School, said rather than focusing too much on the negative aspects of the cyber world, educators must focus on the positives.

"With job shortages in cyber that are only growing, it is our job as educators to show the positive side and get kids excited about the cyber world" so they get excited and hopefully pursue careers in the field, she said. This begins by exposing them early, in the K-5 space, where she noted there isn't very much material available.

"If we start young with them and get them interested early on, it will just keep growing and growing and growing," Boersma said, adding that educators must still keep in mind that not all students may be on the level yet to grasp some concepts, and not all schools may have the same resources to incorporate these topics at the age-appropriate level. "We don't want to make the activities too difficult because if the students get frustrated, they're just going to tap out," and it's hard to get them back in at that point.

When she initially looked through K-5 lesson plans, she said she could immediately tell they weren't written by educators, as the activities were "way above level" and had resources out of some schools' ability to provide. This can also be a deterrent for educators to get involved.

As a result, Boersma suggested the cybersecurity world needs to work with educators to develop curriculum and resources that work to get students hooked and build interest.

"If we work hand-in-hand, we can spark a whole new conversation about a K-5 cyber curriculum," she said. "With the younger kids, we can start small [with things like digital citizenship and basic coding]. We don't need to overwhelm them."