Sunday, 29 November 2020

Psychology, Cybersecurity and Collaboration in Educational Technology

We were beta testing Field Effect's state of the art Cyber Range online cybersecurity training system this week in our grade 10 TEJ introduction to computer technology course.  Our skill levels in that open class range from two students who are top ten in Canada in the CyberTitan student cybersecurity competition in their respective disciplines, to students who have never owned a personal computer at home because their parents thought a series of gaming consoles would adequately prepare them for life in the Twenty-First Century.

The challenges of keeping students with such diverse skillsets engaged in a single classroom aside, I'd agreed to beta-test this software because it offers a way past one of the biggest blocks to schools entering the Cyberpatriot/CyberTitan competition.  To participate in the competition you need a desktop or powerful enough laptop computer being run by an operating system that can do more than just browse webpages through a single corporation's lensVirtual machines are whole computers that can be simulated in a single window, and they offer a valuable tool in examining cybersecurity issues without putting your school network or computers in peril (installing a virus to see what it does on a school computer would produce obvious headaches).  If things go wrong in a virtual machine you just shut the window.

The Field Effect remote software ran fantastically well on our DIY student built classroom desktops and would work equally well on something as simple as a Chromebook,though trying to do this through a single, tiny 1366 pixel wide monitor would be a headache.

Once we got everything up and running I reminded students that they were manipulating a remote, virtual computer stored on a server in Ottawa.  When you're aware of what's happening behind the screen, seeing what we can do on networks with enough bandwidth, like the one we now have at school, is mind blowing.

The cybersecurity gurus at Field Effect didn't muck about when they set up this virtual online image.  When you first boot up the compromised Windows 10 image you're met with a full screen warning with flashing lights and a locked screen telling you that you've been ransomwared.

Even though students had been repeatedly prepared for this and I'd explained what a virtual machine was and how whatever happens in it doesn't hurt anything, this threw half of them into a panic.  The responses ranged from randomly mashing buttons to giving up, sitting back and loudly commenting on how stupid everything was.  That's in an optional course full of students who have demonstrated an interest and willingness to learn computer technology.  The vast majority of students (and staff) in education don't get nearly that much training, yet they're all still increasingly depended on digital technology in every class they're in.

The psychology of the attack was interesting.  The flashing warnings and countdown timer did what it was supposed to do with anyone lacking in digital skills (which is a startlingly large number of people in Canada in 2020).  Cybercriminals depend on this technical illiteracy.  My CyberTitans and many of the other digitally savvy kids in the room right clicked on the flashing screen and exited 'full screen' mode, which brought them back to a desktop, which some then got lost in:


This 'geek prank' fake WindowsXP desktop was also on 'full screen' behind the ransomware fullscreen warning, but even when others showed students trapped by the ransomware screen the same F11/exit full screen way out of it, many had already succumbed to frustration and had given up (again).  Several spent long minutes in the fake XP desktop trying to do things even when it said 'fake XP simulator' right on the screen.  Being unresponsive to what a computer is telling you when things aren't working right is a common response in weak users.

The digitally skilled CyberTitans were past the two blocks in seconds and were figuring out how to secure this hacked Windows 10 laptop and restore control for the proper user on it.  More than 70% of the class were stuck in two hacks that were so easily resolved that I was left wondering how we could back things up and restore their mangled pride.  Many of them, only a few days before, had done "my-experience-with-technology" presentations where they'd described themselves as digitally savvy, on Thursday morning this was in tatters.

The actual work of a cybersecurity operator in a case like this is not just to return things to normal but also to diagnose and identify the attack vector.  In an administrative user account that shouldn't have been on the machine there were files and instructions for how to run the malware, and even some background in downloads and browser histories that explained why this other employee had done what they did, but many of the students - including the quick movers, quickly deleted the evidence instead of forensically examining it.

This brought up the opportunity to talk about how much of what information security professionals do in our very networked world is more like a detective than a traffic cop.  It isn't just a matter of making sure every user complies with expectations, it's also vital to understand how the system was compromised because this will guide future security defensive settings.  It's things like this that have me wondering why there are no cybersecurity courses running in any Ontario high school, or no mention of cybersecurity in Ontario computer technology curriculum.  Any mention of security in the curriculum is rooted in 20th Century ideas of passwords or at best wifi encryption, the world has moved on.  The cloud-based networked world we're all leveraging in every classroom in Ontario goes unmentioned.

Once we got past the opening chaos, many students got into the detail work of repairing settings deep inside Windows, restoring control to the correct user and locking down firewalls that the ransomware had opened up.  If this all sounds greek to you it shouldn't, you're using all those things right now to read this.  And you and your students are using them every time you have them login to a cloud based service.  We're all offering an 'attack surface' to cybercriminals whenever we go into the cloud, but pretty much everyone is blissfully unaware of it.  People (users) are part of that cyberattack surface.  Not addressing cyber-illiteracy means you've just opened up opportunities for bad actors.

The problem then became all the wounded male pride in the room.  The students who struggled and gave up were also the ones who adamantly refused to get up and collaborate with the other people in our mono-gendered morning cohort.  Fragile male pride means you can't be asking for help - or collaborating, especially in a subject where you've convinced yourself you're an expert.  The more gender balanced afternoon cohort was constantly communicating and hive-minded their way through the infected image so effectively that most of them actually finished it with a perfect score.

The opening hacks were a source of laughter rather than long faces in the afternoon group.  The lack of collaboration in the morning cohort and then the negativity that descended was something I'm thinking about as we proceed into our violently crushed quadmester.  I've encouraged collaboration in face to face computer tech classes as no one works alone in modern tech jobs, yet the boys seem at a distinct advantage when it comes to creating or engaging in collaborative work, though even a small population of girls changes this dynamic.

This is an even bigger problem in my conservative country school where girls are peer and system pressured out of taking technology courses.  I'm lucky to have 10% female participation in my junior computer technology courses.  In senior courses we're lucky to have a single girl in any of the classes of up to thirty-one students.  The is problematic beyond our classroom.  Women are least engaged in engineering and computer science where the most lucrative careers currently are.

At the end of the day many students got their first glimpse into cybersecurity and a number of them are curious, which is good because we need to open up this pathway to students.  My original intent in giving this a try was to give students an opportunity to demonstrate their technical skills, but a surprisingly large chunk of the class, including students I thought would dig through it more effectively, were startlingly quick to give up and get pwned by some pretty simple hacks.  This is making me wonder how Ontario students are doing in our half elearning face to face and fully remote learning courses during this pandemic.  I fear our level of technical fluency is so shallow that unless online teachers are all doing simplistic, repetitive tasks that require no actual digital fluency, they and their students are unable to effectively engage.  This goes a long way to explain poor online engagement.

From the latest attempt to encourage Ontario
Educators to integrate cybersecurity into their
practice, especially if they're putting children
on hackable online devices.
I realize that cybersecurity scares the daylights out of most people (I've spent the past 3 years trying to engage Ontario educators in it to poor effect), but if we're going to be putting more and more of our education system into digital spaces then we're all responsible for raising digital fluency to the point where everyone can demonstrate resiliency in the face of unexpected outcomes.  At the moment, throwing up your hands in the air and giving up seems to be the solution for too many people.  Hopefully things like ICTC's work with Field Effect will help spread a deeper and more resilient tool for improving cyber-fluency.  Everyone working in the cloud needs this.