Earlier this week, an unknown person or persons launched a short-lived, but clever cyber attack against Google Docs’ users. While apparently not targeted toward schools, it very quickly found its way to K-12 classrooms nationwide, resulting in alarm and confusion.
Here is Google’s description of the incident and their response: “Protecting you against phishing.”
As I’ve investigated the exploit, I wanted to share the three lessons I believe those of us in K-12 education should take from this incident:
First, the exploit vector employed by the attacker, the potential level of access to user accounts it granted, and the speed with which it spread should be deeply concerning to those who work in K-12 education. In some ways, it reminds me of the 2010 flash crash of the stock market caused by a computer algorithm gone awry. From the time the exploit was launched until it was addressed, users’ Google accounts – including student accounts – could have been
fully [h/t Jim Siegel] accessible by the attacker. Given the popularity of these tools within the K-12 sector, I’d hazard that anywhere from a third to half of all U.S. K-12 students and teachers were probably at risk of being exploited here. Had it gone unaddressed for a day or more, the numbers could ultimately have been even higher than that.
Second, the speed with which Google, its partners, and savvy technology staff in school districts responded – and successfully so – was truly amazing. Less than an hour passed from the discovery of this specific exploit in the wild to it being completely shut down. That is nothing less than astounding, particularly given the scope and complexity of Google’s operations. This is how everyone should want companies to respond – in education and beyond – when presented with evidence of a potential security incident.
Third, there are pros and cons for K-12 schools in centralizing their IT operations on a single vendor’s technology platform or service, whether that be Apple, Google, Microsoft or a competitor. On the one hand, centralization addresses a real pain point for schools: interoperability. Standardization of IT makes it easier to manage the implementation of large numbers of student and teacher devices and the myriad educational and general purpose software applications they rely on. It is a rational choice.
On the other hand, however, are the costs of vendor/ecosystem lock-in. While these costs may not be immediately apparent or quantifiable, they are nonetheless very real. Consider: Microsoft’s new education-focused Windows 10 S devices will be limited to running apps in the Windows store and will be locked to Microsoft’s own web browser and search engine.** Consider, too, that as educational institutions and individuals participating in these ecosystems, we need to trust that they are being operated now and into the future in a way consistent with schools’ and students’ interests. Yet, Apple did not enforce its own policies when it found that Uber flagrantly violated them in ways decidedly hostile to users on its App Store. Which brings us full circle to Google and this phishing attack. There are many aspects to this story that reflect well on Google. After all, all software has bugs and can be exploited, and one test of the mettle of a technology company is how well it monitors and responds to incidents. Yet, consider that this was no zero-day attack. Apparently, the potential of this exploit had been well-understood and documented since at least 2011. And, in 2014, Google itself gave a less than heartening response to direct warnings of this specific vulnerability:
And, yet another write-up of the exploit was published online in February of this year. Perhaps the reason Google was able to respond so quickly to this exploit was that they were already well aware of the vulnerability?
The nature of the Google Docs phishing attack remains a concern, and it is reasonable to expect that other similar exploits will be directed toward Google users (and competitors) in the future, including those users in education. Some are even calling the cyber attack a game-changer (though time will tell whether that moniker is deserved). If you are working in or on behalf of a school district, educate yourself about the incident and take steps to limit your future exposure.
** To be fair, the pointed criticism being directed to Microsoft for these (primarily) marketing decisions could also be pointed in varying degrees at both Apple (and its App Store) and Google (and its Chrome Web Store). This then begs the larger question for me of whether and the degree to which – as schools increasingly shift to the digital delivery of instructional materials and resources – that they are merely swapping disproportionate (even exploitative) control of learning materials from the big three textbook publishers to the big three technology companies.