Cybersecurity Minefield in K-12
Updated: Aug 25, 2021
As the year 2019 drew to a close, the Pew Research Center reported on November 15, 2019 that “63% of Americans say they understand very little or nothing at all about the laws and regulations that are currently in place to protect their data privacy” (Brooke Auxier et al., 2019, 2 section). Only four months thereafter, most K-12 public schools rushed headlong into the digital classroom option, finding it to be the only panacea for the lockdowns which imposed mandatory social distancing to mitigate the spread of the Covid-19 global pandemic. Some public school districts remained open for in-person learning, but in so doing they risked being judged harshly by their legal stakeholders in the future. As K-12 educators, students and their families settled into the new reality of long hours within digital interfaces, rising doubts rankled cybersecurity experts and community stakeholders alike: from a cybersecurity standpoint, just how secure is the use of Zoom and other digital meeting platforms for the instruction of nearly 50 million children in the United States?
You do not have to Google very extensively to find a litany of articles detailing security breaches which have occurred nationwide in online U.S. classrooms during the twelve months following the Covid-19 lockdowns of March 2020. There are but a few vocal cybersecurity experts writing public articles about the inherent vulnerabilities for personal data security in the mostly unregulated digital educational frenzy. Fewer still address the inevitable legal questions regarding liability and administrative duty of care which K-12 digital instructional practices precipitate. Most striking is the silence regarding this important issue from public school systems’ leadership, and their state and federal regulators.
The FBI has reported that cybersecurity breaches such as those experienced during the much-publicized incidents of “Zoom-bombing” in 2020 (CISA.gov, n.d.) have been widespread in both public and private, digital, K-12, virtual learning spaces. It would seem logical that cybersecurity is a high priority for government regulators to protect the data privacy of the many students and teachers now reliant upon digital platforms. In actuality, however, redressing cybersecurity breaches found in distance learning is not an openly discussed imperative, even at the local school board level. Indeed, most educators, whether they be administrators, teachers or paraprofessionals, do not usually possess highly specialized knowledge about cyber vigilance, digital technologies, or software design. For many school principals, the specialized realm of cybersecurity is all but alien to them, and yet they are now placed in the precarious position of overseeing an interdependent operational infrastructure of teachers deploying online pedagogy that can no longer function safely without system-wide, cybersecurity oversight.
Likewise, most K-12 schools do not have the funds to invest in expensive, in-house IT personnel acquainted with cutting edge cybersecurity practices; as a result, schools tend to outsource the IT role to consultants or independent contractors who are often located across the state, country or on the other side of the world. Many of these service providers also do not possess the level of expertise needed to remain one step ahead of the latest cyber hacking tactics. This de-centralized approach to cybersecurity support might have sufficed before schools became distance learning hubs in early 2020, but it cannot hope to survive the new virtual security minefield in which school systems find themselves today. The chosen cybersecurity expert for this research paper’s interview is one of the more vocal advocates for urgent action to protect online education practices.
Legal Leader’s Profile
The leader interviewed to gain insights for my research has more than 25 years of experience working in cybersecurity in both the public and private sectors. She will be addressed by the pseudonym of “CE”, in order to protect her confidentiality. CE has worked in Europe, the Middle East and the United States as a Chief Information Security Officer for several Fortune 500 companies, consulted with CEOs of numerous multinational corporations worldwide, and advised both domestic and international government leaders, including several assignments advising The White House, the Department of Homeland Security, and the United States Trade Representative during three different presidential administrations.
Born in Northern California, she is a Caucasian woman in her early 60's, and resides on the East Coast of the US. She has a PhD in Computer Science from a top U.S. graduate school program renowned for its specialization in cybersecurity research. CE is widely recognized as an international expert in the field of cybersecurity and cryptography and is a sought-after speaker who extols the urgent need for more comprehensive regulation and standardization of digital security protocols in the U.S. to (a) protect individual privacy rights, (b) promote cyber ethics, and (c) protect essential infrastructure. She is also an enthusiastic advocate for the constant improvement of educational technologies and the development of international, public-private partnerships focusing solely upon cybercrime (Williamson, 2021).
Review of Literature and CE’s Insights
In February of 2014, the National Institute of Standards and Technology (“NIST”) introduced a “Framework for Improving Critical Infrastructure Cybersecurity”. Subsequently, on December 4, 2020, Congress enacted the Internet of Things Cybersecurity Improvement Act of 2020 (the “IoT Act”) which “mandates cybersecurity standards and guidelines for the acquisition and use by the federal government of IoT devices capable of connecting to the Internet. The IoT Act, and the accompanying standards and guidance being developed by the NIST will directly affect government contractors who manufacture IoT devices for federal government use, or who provide services, software or information systems using IoT devices to the federal government” (Brian G. Cesaratto & Alexander J. Franchilli, n.d., p. 1).
There will be significant spillover effects for the private sector which were intended by Congress to disseminate best practices formulated within the IoT Act into the wider digital marketplace. Corporations will ultimately need to decide whether to purchase and use IoT devices, software and systems that meet the IoT standards for federal use, versus relying upon insecure or less secure IoT devices and systems which do not comply with the federal standards promulgated by the IoT Act.
NIST’s summary framework for securing digital networks works in tandem with the IoT Act's security model. The schematic on the following page illustrates the five functionalities required per NIST to establish a cycle of adaptive vigilance to foster and maintain stakeholders’ trust in the viability of a given digital network. Organizations must proceed meticulously through each of the five action steps to remain adaptive to new cyber threats which inevitably present themselves. The NIST maintains that application of this vigilance paradigm will allow organizations to secure the trust of all their stakeholder groups; any vulnerability assessment should incorporate this cyclical methodology designed to assess and address security risks as they arise. The metric deployed in the IoT Act’s protocol compares the organization’s current, baseline state of cybersecurity vigilance to the ideal standard set forth per the IoT Act and measured by the NIST metrology parameters. The NIST measurement system thus furnishes a benchmark regarding the degree to which the overall resiliency of an individual organization’s cybersecurity system aligns with NIST’s optimal standard for security resiliency.
The five key pillars which form the core of any effective cybersecurity program are:
CE strongly asserts that stakeholder trust forms the crux of any legal discussion surrounding the state of digital education practices within public K-12 education in this country. The current lack of clear legal oversight within this evolving digital education domain means that in order for school districts conducting remote instruction to maintain legal compliance with relevant laws they must utilize a hodgepodge of federal, state and district guidelines which do not provide a definitive blueprint for best digital practices. Trust, or the lack of it, also constitutes the potential for harm to students, their parents or guardians, and the teachers who inhabit this stressful, unregulated education frontier. The fulcrum of this regulatory legal mosaic is the California Consumer Privacy Act (“CCPA”) of 2018, which came into force in January of 2020. This California state law, according to CE, will likely provide a template for other states to follow, as they inevitably navigate a path to regulatory control of the ubiquitous cyber vulnerabilities laid bare by remote learning during the Covid-19 pandemic. Although the CCPA applies to for-profit businesses operating within the state of California, “much like the European GDPR security law, the CCPA expands the definition of personal information to include things like IP addresses, geolocation information, and inferences drawn from personal data to create a data profile of a consumer” (Katie Onstad, n.d.-b, p. 1).
Prior to the CCPA’s enactment in California, the federal government had already begun to address the increasing menace to children’s data privacy. The Family Educational Rights and Privacy Act (“FERPA”) was enacted in 1974 to protect the privacy of students’ educational records in both public and private, elementary, secondary and post-secondary schools, and in any state or local educational agency that receives federal funding from the Federal Department of Education. Congress then passed the Children’s Online Privacy Protection Act (“COPPA”) in 1998 to give the Federal Trade Commission (“FTC”) more power to protect children's privacy (Fruhlinger, n.d.). The FTC’s original COPPA Rule only became effective on April 21, 2000 and had, as its primary goal, “to place parents in control over what information is collected from their young children online. This Rule was designed to protect children under age 13, while accounting for the dynamic nature of the Internet” (FTC.gov, 2020, p. 1). COPPA specifically regulates businesses, not schools, but according to the FTC COPPA Rule schools are permitted to provide consent to businesses on behalf of parents when the operator of a website, online service, or internet application is specific to “the educational context” and is providing a service that is “solely for the benefit of students and the school system” (Complying with Coppa: Frequently Asked Questions, 2020, p. 1). CE expresses that educational leadership exposing students to an unregulated digital network should be held to a higher standard of care. Clearly, this implicit consent given to schools by the FTC is now being exercised widely by public school districts who engage students daily in remote instruction via just such unregulated web applications.
Another major law in California relevant to K-12 student data privacy enacted prior to the ratification of the CCPA in 2018 was the 2014 California Student Online Personal Information Protection Act (“SOPIPA”). This Act became an addendum to the state’s educational statutes, effective as of January 2016. SOPIPA further strengthens the privacy regulations dealing with businesses’ collection of student data in the expanding marketplace of education technology. In California, education technology vendors servicing K-12 students cannot (a) create and/or maintain a profile of an individual student, (b) sell a student’s personally identifiable information (“PII”) and (c) disclose any of the aforementioned student information. This legislation made California the first state to actively address the issue of protecting elementary and secondary student data privacy by requiring digital application websites and vendors to strictly safeguard the privacy of students’ personal information (Katie Onstad, n.d.-b). CE acknowledges that legislative initiatives like SOPIPA distinguish California as an example of state leadership for the protection of student data privacy.
Despite California’s progressive legislative stance on cybersecurity, its public-school districts seeking regulatory compliance still face an ambiguous amalgam of federal and state laws stipulating appropriate data security practices. The new CCPA, however, goes further than protections found in any alignment of the older federal and state laws discussed within this paper, because this latest California legislation “applies to data collected by non-education apps that teachers might use during the pandemic, such as Zoom. The law extends requirements for collecting, selling and deleting personal information to companies providing all types of services — not just those that are aimed at children. It also requires those companies to obtain a parent’s permission before selling personal data of a child under 13. Teens between the ages of 13 and 16 can give consent themselves” (Johnson, 2020, para. 4).
If historic patterns are a predictor of future regulatory developments in the domain of student data privacy laws, CE believes California’s CCPA constitutes a watershed moment in the movement toward formation of more comprehensive data privacy laws in the United States. If this trend toward increased regulation continues, she credits California with having led the charge to align U.S. standards with those of the European Community (“EC”). The EC began its march toward better cybersecurity vigilance in 1995, when its members ratified the European Data Protection Directive; in 2018, it created a global template for the gold standard in international data protection with the General Data Protection Regulation (“GDPR”) (European Union, n.d.). CE advocates for the United States’ federal government to undergo a reckoning similar to that of its EC counterparts, hopefully spurring it to assume a larger leadership role among other developed nations which is long overdue. Her assessment is that the only productive route toward creation of an ethical digital marketplace worldwide is through collaborative cybersecurity federation which creates a cooperative, NATO-like coalition of nations to effectively police digital bad actors. Today’s cybercriminals demonstrate a level of hacktivist sophistication which disregards international, cultural and legal boundaries (Williamson, 2021).
The creation of international standardization in rules of conduct for cyberspace is challenging and complex. For many in the educational realm, it appears the stuff of science fiction and software geeks, not educators. The last year has made such excuses for ignoring the myriad threats to privacy inherent within digital learning spaces no longer tenable. Esoteric cybersecurity terminology such as “Zero Trust Architecture” (NIST Technical Series Publications, 2020) may become household terms, if the steady spate of cyber incidents continues to threaten, not only individual privacy, but national and international security. As cybersecurity expert Dmitri Alperovitch opined in his article in Lawfare last month: “By responding forcefully to the Microsoft Exchange attack, the U.S. would not only be standing up for the security of its networks and the well-being of its citizens; it would also be taking a critical first step toward realizing a set of international norms that could make cyberspace safer for everyone” (Dmitri Alperovitch & Ian Ward, 2021, p. 1). It seems that CE is in good company in her calls for the promulgation of an international codification of ethical cyber conduct.
The Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force at the Federal Cybersecurity & Infrastructure Security Agency provides a great example of how public and private-sector partners can work together to complement one another’s strengths and facilitate better mutual access to real-time information. CE is friends with most of the task force, and wholeheartedly endorses their public/private, hybrid model for collaboration. Representatives from the technology and communication sectors participate with a shared focus upon securing the supply chain for their respective sectors. The goal of the ICT SCRM Task Force is to develop strategic and operational recommendations for risk reduction. CE stresses that cybersecurity experts like those manning the task force have suggested since 2020 that the United States’ educational sector should adopt a “Zero Trust Model” (Clarity Innovations, Inc, 2020, p. 1) for its digital networks. Finding a superintendent at even one of the largest, urban school districts who is informed and acting upon such recommendations would prove fruitless. If such informed leadership in education exists, it appears to operate with zero transparency.
The avoidance of cybersecurity realities in K-12 public education is nowhere more inexcusable than in the California public school system. The state which is home to Silicon Valley should take the lead in combatting cyber vulnerabilities for its over 300,000 teachers and nearly 7 million students. “Districts must be hyper-aware of phishing, ransomware, and malware campaigns that could put both school administration and students at risk and train students, teachers, and administrators to stay vigilant against them. Without the proper training and security in place, school district infrastructure is at risk of compromise. Login credentials of teachers and administrators could be captured by mobile phishing, potentially exposing sensitive data such as employee information and student records” (Bob Stevens, 2020, p. 1). Given what is known about the hack of the Microsoft Exchange in early 2021, it is suspected that the hackers possessed Proof-of-Concept (PoC) attack code that Microsoft shared with antivirus companies as part of its Microsoft Active Protections Program (MAPP). The average California public school student uses this same functionality for their email inbox and calendar on their standard-issue Chromebook. Will California districts breached by the MAPP incident ever disclose the extent of the data infringement experienced within their digital networks?
2020 brought many sweeping new privacy laws into effect and enactment. It appears that the legislative and judicial pendulums are swinging nationally in the direction of increased codification of data privacy best practices, just as CE would have it. The specific impacts this upswell of legal changes pivoting towards a more regulated internet will have upon K-12 public education remain to be seen. The onus is on administrators to prevent the digital divide from isolating and unduly shortchanging its most vulnerable student populations. “The cost of cyber-insecurity is already too high” (Raicu, 2021, p. 1). The consensus of leaders in the cybersecurity community is clear: data privacy vulnerabilities must be speedily addressed. Senior school district officials may assume they are immune from liability based upon past court failures to prosecute cybersecurity infractions, but due process in right to privacy regulations involving the internet has and will continue to evolve. A close review of legal precedents surrounding cybersecurity in education should give educational authorities pause.
i. Might privacy law decisions such as the Supreme Court ruling in Van Buren v. United States make school leadership liable for their misuse of or failure to safeguard student data?
iii. Or would the FTC seek to enforce the Computer Fraud and Abuse Act’s federal statute that prohibits unauthorized use of protected internet devices without formal prior consent?
iv. Could teachers, students and their families seek relief for invasion of their privacy by arguing that privacy should include personal data, based upon the Ninth Amendment precedent which uses the Bill of Rights to extend privacy protections?
v. Could school administrations be liable under the Family Educational Rights and Privacy Act (“FERPA”), or under the Civil Rights Act of 1964 wherein the Supreme Court has previously held in favor of a student’s recovery of monetary damages due to the district’s violation of Title IX in Franklin v. Gwinnett County Public Schools?
Prudent leadership within public education must address the “Elephant in the Classroom” which increased use of digital technology has allowed into digital instructional spaces. The California Department of Education and school systems must rapidly incorporate vital cybersecurity vigilance into each school’s organizational culture, pedagogy, and social responsibility. In order to remain true to its stated vision that “All California students of the 21st century will attain the highest level of academic knowledge, applied learning and performance skills to ensure fulfilling personal lives and careers and contribute to civic and economic progress in our diverse and changing democratic society” (California Department of Education, 2021, p. 1), senior education leaders must create urgent reforms which prioritize teaching all stakeholders how to become informed participants in a transparent, resilient cybersecurity ecosystem.
Alperovitch, D., & Ward, I. (2021, March 12). How should the u.s. respond to the solarwinds and microsoft exchange hacks? Lawfare. https://www.lawfareblog.com/how-should-us-respond-solarwinds-and-microsoft-exchange-hacks
Benjamin Dean. (2016, April 28). More money doesn't guarantee success in cyber security race - the conversation au. The Cyber Security Place. https://thecybersecurityplace.com/more-money-doesnt-guarantee-success-in-cyber-security-race-the-conversation-au/
Bob Stevens. (2020, November 30). Get schooled in cybersecurity - eschool news guides. eSchool News Guides. https://guides.eschoolnews.com/2020/12/01/get-schooled-in-cybersecurity/
Brian G. Cesaratto & Alexander J. Franchilli. (n.d.). New internet of things (iot) cybersecurity law’s far reaching impacts. The National Law Review. https://www.natlawreview.com/article/new-internet-things-iot-cybersecurity-law-s-far-reaching-impacts
Brooke Auxier, Rainie, L., & Anderson, ,. (2019, November 25). https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/
California Department of Education. (2021, April 9). Vision, mission, and goals - state board of education (ca dept of education). cde.ca.gov. https://www.cde.ca.gov/be/ag/ag/vmgoals.asp
Christina De Jong. (2019, May 21). A quick reference guide for ccpa compliance. Deloitte United States. https://www2.deloitte.com/us/en/pages/advisory/articles/ccpa-compliance-readiness.html
CISA. (n.d.). Ict scrm task force | cisa. CISA.gov. Retrieved April 9, 2021, from https://www.cisa.gov/ict-scrm-task-force
CISA.gov. (n.d.). Fbi releases guidance on defending against vtc hijacking and zoom-bombing | cisa. https://us-cert.cisa.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom
Clarity Innovations, Inc. (2020). Establishing a zero trust ecosystem [PDF]. K12blueprint.com. Retrieved December 31, 2020, from https://www.k12blueprint.com/sites/default/files/K12-Building_Zero_Trust_Ecosystem.pdf
Complying with Coppa: Frequently Asked Questions. (2020, July 20). Complying with Coppa: Frequently Asked Questions. Federal Trade Commission. Retrieved April 9, 2021, from https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0
European Union. (n.d.). The History of the General Data Protection Regulation. edps.europa.eu. https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en
FPF.org. (2016). Microsoft word - release version_full release_nov2016.docx [PDF]. https://fpf.org/wp-content/uploads/2016/11/SOPIPA-Guide_Nov-4-2016.pdf
Framework for Improving Critical Infrastructure Cybersecurity [PDF]. (2018, April 16). NIST.gov. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Fruhlinger, J. (n.d.). Coppa explained: How this law protects children's privacy. CSO Online. https://www.csoonline.com/article/3605113/coppa-explained-how-this-law-protects-childrens-privacy.html
Gloria Tam & Diana El-Azar. (2020, March 13). 3 ways the coronavirus pandemic could reshape education. World Economic Forum. https://www.weforum.org/agenda/2020/03/3-ways-coronavirus-is-reshaping-education-and-what-changes-might-be-here-to-stay/
H.r.1668 - 116th congress (2019-2020): Iot cybersecurity improvement act of 2020. (n.d.). Congress.gov. https://www.congress.gov/bill/116th-congress/house-bill/1668
https://www.securitymagazine.com/articles/94140-cyber-actors-target-k-12-distance-learning-education-to-cause-disruptions-and-steal-data. (2020). SecurityMagazine.com. https://doi.org/https://thecybersecurityplace.com/more-money-doesnt-guarantee-success-in-cyber-security-race-the-conversation-au/
IC3.gov. (n.d.). Internet crime complaint center (ic3) | cyber actors take advantage of covid-19 pandemic to exploit increased use of virtual environments. https://www.ic3.gov/Media/Y2020/PSA200401
Jenner & Block LLP. (2020, December 11). Why the supreme court’s decision in van buren may be felt beyond criminal law | lexology. Lexology.com. https://www.lexology.com/library/detail.aspx?g=0b9144dc-812c-4f4d-8862-397464715ce0
Johnson, S. (2020, April 29). Quick Guide: How to protect a student’s privacy online. EdSource.org. https://edsource.org/2020/how-to-protect-a-students-privacy-online-a-quick-guide/630037
Jude McColgan. (2018, May 31). The “don’t ask, don’t tell” problem with data privacy in tech. The Cyber Security Place. https://thecybersecurityplace.com/the-dont-ask-dont-tell-problem-with-data-privacy-in-tech/
Katie Onstad. (n.d.-a). Blog: Student data privacy articles | compliance best practices. https://educationframework.com/resources/blog?Category=compliance-best-practices
Katie Onstad. (n.d.-b). The california consumer privacy act bolstering student data privacy goes into effect. https://educationframework.com/resources/blog/ccpa-the-california-consumer-privacy-act-bolstering-student-data-privacy-goes-into-effect
Naveen Goud. (2021, January 6). Joe biden appoints new cybersecurity chief for white house - cybersecurity insiders. Cybersecurity Insiders. https://www.cybersecurity-insiders.com/joe-biden-appoints-new-cybersecurity-chief-for-white-house/
NIST Technical Series Publications [PDF]. (2020, August). NIST.gov. https://doi.org/10.6028/NIST.SP.800-207
OECD Policy Responses to Coronavirus (COVID-19). (2020, November 19). The impact of covid-19 on student equity and inclusion: Supporting vulnerable students during school closures and school re-openings. OECD. https://www.oecd.org/coronavirus/policy-responses/the-impact-of-covid-19-on-student-equity-and-inclusion-supporting-vulnerable-students-during-school-closures-and-school-re-openings-d593b5c8/
Office the Attorney General. (2018, October 15). California consumer privacy act (ccpa). State of California - Department of Justice - Office of the Attorney General. https://www.oag.ca.gov/privacy/ccpa
Raicu, I. (2021, March 23). On cyber-insecurity and the common good. www.scu.edu/ethics/internet-ethics-blog. https://www.scu.edu/ethics/internet-ethics-blog/on-cyber-insecurity-and-the-common-good/
State of CA Civil Code. (n.d.). Law section. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV
The-great-cyber-surrender [PDF]. (2020). Demos.co.uk. https://demos.co.uk/wp-content/uploads/2020/11/The-Great-Cyber-Surrender.pdf
USCourts.gov. (n.d.). Supreme court landmarks. United States Courts. https://www.uscourts.gov/about-federal-courts/educational-resources/supreme-court-landmarks
William E. Ronald J. and Mariano Cohen & Mariano, W. E. (n.d.). Legal guidebook in mental health. Free Press.
Williamson, G. (2021, April 9). Gigi Williamson's Notes From Interview with "CE". Google. https://docs.google.com/document/d/16ZbCe0Fpe-6HrntBBUHeLbivUleWwZn3fuI1wJbJEV8/edit?usp=sharing
World Economic Forum 2021. (2021, February 4). Wef_the_global_risks_report_2021 [PDF]. WEF The Global Risks Report 2021. http://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2021.pdf
Notes from Interview of Expert with pseudonym "CE":
CE's Brief Bio:
CE has more than 25 years of experience working in cybersecurity in both the public and private sectors. She has worked in Europe, the Middle East and the United States as a Chief Information Security Officer for several Fortune 500 companies, consulted with CEOs of multinational corporations, and advised both domestic and international government leaders, including several assignments advising The White House in two administrations. Born in Northern California, she is a Caucasian woman in her early 60's, and resides on the East Coast of the US. She has a PhD in Computer Science from a top U.S. graduate school program renowned for cybersecurity research.
Gigi: What is the major legal issue, relative to your position, that is emerging in the coming year for Cybersecurity Regulatory Practices Within K-12 Public Education in California and the U.S.?
CE: Well, that is a very large nut to crack, but let me try to summarize the gist of what concerns me most in its implications for public schools wading deep into digital instruction... The lack of adequate cybersecurity implementation and regulation, ... which demands an urgent priority for leaders to establish protocols to be used by educational systems to increase educational systems' vigilance to adapt to new, emerging data vulnerabilities within school systems' digital networks.
Gigi: What outcome do you anticipate to be the most likely in the next couple of years?
CE: Hacking and data loss will steadily increase as deployment of digital tools for education continues to increase. Unfortunately, the legislation and international cooperation between the major industrialized countries of the world lags far behind the level of real and ongoing threats to student and teacher data privacy. This is a monumental issue.
Gigi: What is your aspirational outcome for this situation?
CE: That educational administrative leaders will begin to realize the enormity of the threat and the necessity to create a culture which aspires to adaptiveness and vigilance. Educational institutions worldwide need to form consortiums with their international counterparts to teach and actively reinforce dynamic best practices. The only way to deal with cyber threats is through cooperative resiliency and an international commitment to cyber ethics protocols.
Gigi: Why is there such a difference between your anticipated outcome and your aspirational scenario?
CE: Because cybersecurity in education is still a taboo subject, from what we have seen. It is not acknowledged with regard to its ubiquity and implications for the students' ... and the teachers' personal, as well as educational welfare. We are creating an unsound delivery system that is not transparent about its inherent, systemic security flaws. That does not bode well for learning outcomes within public education because it will undoubtedly result in service and delivery disruptions for the new mode of instruction education finds itself in!
Gigi: What do you think the role of the Courts/Congress/Executive branches of a state or federal government is in addressing the cybersecurity conundrum in digital learning issues?
CE: Governments must collaborate, kind of like how NATO has a supportive network that is interdependent, but also interconnected and mutually reinforcing. NATO keeps the peace in the industrialized world and cybersecurity is simply an extension of that goal. All of the governmental essential services like education and infrastructure of all types are beholden to a secure digital world. Without it, it is only a matter of time before we have cataclysmic system failures and security breaches in all the essential sectors of governmental responsibility.
Legislators at the state and federal level need to assign the requisite amount of urgency to cybersecurity regulation. California, as usual, is at the forefront of pushing through groundbreaking legislation, but it needs to have a rapid domino effect. Biden, thank goodness, has appointed an experienced Cyber Czar in Anne Neuberger from the NSA, but we do not hear it being pushed into the public eye. Since VP Harris states that she will help spearhead cybersecurity efforts, I would like to see her conducting a full court press on public education as to the urgency of cyber vigilance and preparedness. So far, that has not happened.
Gigi: It seems to me that there are huge social justice considerations for cybersecurity problems in digital education. Don't you think that more wealthy school districts will have the funds to pay expensive cybersecurity experts, like you, to reinforce their delivery systems for remote teaching, while underserved communities with underfunded school districts will be left wide open to security breaches and hackers?
CE: Absolutely, without question, if the status quo continues, and we handle this problem on a local, case-by-case basis, rather than with a global perspective. It will not work to have every school district, or even every country doing its own thing when it comes to creating standards for an ethical digital marketplace. If ever there were a role that only governments can effectively play, it is this one.
Gigi: What role should the private sector be playing in this? I can only imagine the pushback that more conservative politicians and their base will have to proposals of more regulation?
CE: That may well be, but that aversion is illogical and unsustainable for us as a country, and as an interconnected planet. The fact that we have an unregulated internet is what has led us to this impasse, where digital problems have outstripped the existing legal framework we have in place, both domestically and internationally. We have seen that major tech companies wantonly take advantage of vulnerabilities in data privacy, if those very weaknesses allow them to make a heftier profit. Without regulation, there is no incentive for huge tech concerns or any corporations to self-regulate, or even use their knowledge base to help stop cybercrime in the broader marketplace.
Having said all of that, the governing body which sets standards and protocols will need to incorporate leaders from both the public and private sectors to make international cooperation for improved cybersecurity fly.