There remains much folklore about the practice, promise, and potential of using technology in K-12 education. With our eyes trained to the digital heavens, it can be easy to gloss over the more profane and earthly issues of budgets, implementation, and tradeoffs (intended or otherwise) in increasingly embracing technology for teaching, learning, assessment, and school operations. Indeed, I think many (both inside and outside of the K-12 sector) do not yet appreciate the scope and pace of the embrace of digital tools and services that is underway.
While there are many and varied aspects to schools’ embrace of technology, I have become increasingly interested in how the K-12 sector is navigating issues of privacy and security of student-, educator-, and school-related data. While there has been no shortage of proverbial ink spilled in writing about these topics in recent years, it has become increasingly apparent to me that virtually all of it is absent data and evidence. Consider the following questions:
- How prevalent are unauthorized digital data breaches and disclosures of sensitive information by schools? What is the nature of these breaches and disclosures?
- How prevalent are cyberattacks on school networks and on school vendors? What is the nature of these attacks? How significant are they?
- To what degree are cyber incidents directed or initiated by the actions of school staff and students vs. actors external to the school?
- What costs are borne by schools in preventing and responding to cyber incidents involving malware, hacks, and breaches?
- What are best practices in preventing and responding to cyber incidents? How many schools are implementing these best practices?
- Are these threats increasing or decreasing over time? Are schools managing these threats better or worse than in the past?
We neither have the answers to these questions, nor is there a mechanism at present to get them. In general, neither schools nor school vendors are compelled to publicly report all such incidents. Indeed, one could argue that it is in their self-interest to minimize public disclosure or not to do so at all. As such, it is nearly impossible to have a concrete conversation about the state of privacy and security in the K-12 world as it is. For all the data and evidence we have about K-12 school-related privacy and security incidents, we might as well be having arguments about whether the Earth is flat or round.
For that reason, today I am pleased to introduce and launch the K-12 Cyber Incident Map.
It is a visualization of cybersecurity-related incidents reported about U.S. K-12 public schools and districts from 2016 to the present. ‘Cyber’ incidents tracked on the map include: (a) phishing attacks resulting in the disclosure of personal data; (b) other unauthorized disclosures, breaches or hacks resulting in the disclosure of personal data; (c) ransomware attacks; (d) denial-of-service attacks; and (e) other cyber incidents resulting in school disruptions and unauthorized disclosures.
Painstakingly assembled from public reports, it was created to begin to build a data-based awareness of the scope and variety of digital security and privacy threats facing K-12 public schools and districts, as well as to shed light on the need for uniform standards for disclosing cyber incidents affecting schools, students, and educators.
While I believe the K-12 Cyber Incident Map is an important contribution to our collective understanding, it is but a modest gesture toward answering the important questions that face the K-12 sector as it increasingly relies on digital tools, apps and services. Much work remains to be done. I look forward to the dialogue it spurs and welcome contributions and enhancements to this and any related efforts.