I was thinking about this challenging situation after attempting to convince school board IT departments from coast to coast about the technical requirements of the CyberTitan/CyberPatriot competition. I've been told again and again by people struggling to provide IT support in schools that they won't run VMware or Cisco's Packet Tracer simulator because they:
1) are viruses (they aren't, though they are a great tool for safely examining them)
2) pose a threat to their systems. They don't - they actually do the opposite, but training people in the arcane cyber arts scares many of the people managing IT in education.
Virtual machines are used in cybersecurity (and network building) to test software and network environments. By examining a virtual machine, cyber operators can explore how a machine has been compromised and what they might try in order to repair it, all in a safe (virtual) environment. VMware is one of the biggest players in this field, and cleaned up at last year's cybersecurity awards, yet many board IT departments declared it a hazard. I suspect the hazard is in teaching ICT and cybersecurity best practices, and isn't that a tragedy?
I sympathize with the IT departments I've communicated with. They are responsible for running complex enterprise systems that support hundreds or even thousands of users with varying levels of system access (administrators, office staff, teaching staff, building maintenance, and more). That's more than many IT departments manage in other industries, but educational IT also has to serve tens of thousands of vulnerable sector clients (students), all of whom are coming at them with a staggering array of hardware and software without any real training on it. To make it even worse, most of them will be connecting to these systems using out of date and possibly compromised machines.
An attack surface is a concept that helps cybersecurity types better understand how a bad actor might exploit their network. The software you're using, the hardware it runs on, the network you're logging in from, other software installed on your device, the operating systems you're using, and the systems that connect it all together, along with all the cloud-based stuff you depend on, are all components of a modern attack surface, and the education one is particularly complicated.
One of the last big network installs I did before I went into teaching was at GlaxoSmithKline in the early zeroes. This was a network of hundreds of desktops, hard-wired via Ethernet into an onsite server that provided all the 'cloud' they needed. The desktops all ran the same operating system and software on identical hardware. No one on this network had internet access, closing down a massive headache in terms of attack surface (internet access in a world experiencing a digital skills crisis is a nightmare!). This kind of simplicity is a distant memory in 2023. With our rush to the cloud, attack surfaces now include all the online managed systems we so gleefully replaced our secure networks with. BYOD and off-site work only pile more complexity on.
Comparing that GSK network to any modern education network is an apples to fruit salad comparison. On any day at dozens of school and administrative sites across a board you've got a nearly infinite number of different devices logging in, from phones with varying software packages (most of which are probably out of date and may well contain malware) to other personal technology (tablets, laptops, etc) all peppering your network with requests that may be school related or (more often) not.
To try and mitigate this complexity inflation, many boards have dumped computers that do onsite computing (like desktops and laptops) in favour of easier-to-manage (because they can't do much) Chromebooks. These simple machines can't get infected like a fully interactive operating system can, but you're still susceptible to fake browser extensions and compromised websites. This is usually solved by preventing users from customizing their Chromebooks with extensions, further reducing what they can do.
With all this in mind, I was struck the other day by the idea that educational IT departments are missing a key component: a department focused on enabling technology-empowered pedagogy (the reason we have schools... remember?). Early on in the edtech revolution we had OSAPAC in Ontario, which vetted software and created a provincial bank of safe-to-use software for learning digital skills in classrooms. With the rush to cloud-based systems, OSAPAC evaporated and most school systems fell in with multi-nationals offering 'walled gardens' such as GAFE (Google Apps for Education) or the Microsoft equivalent. As this migration happened, teachers and students lost access to essential digital media literacy opportunities, especially when it comes to advanced digital skills such as 3D modelling, game design or cybersecurity.
A way to combat this skills deflation would be to create local IT support units dedicated to providing teachers with digitally enhanced student learning opportunities instead of starving us of them. I'd go a step further and suggest that the messy enterprise side of things that is such a headache should become the responsibility of the Ministry. Many cost savings and security enhancements could occur from centralizing these systems. It would also mean that students and staff moving between boards would be able to migrate more easily because everyone would be on the same systems. There would also be opportunities to collect provincial data more easily that would support better education policy, not that we like to collect data before making education policies in Ontario.
This does not mean the end of regional school board IT departments. Instead of chasing the tail of impossible enterprise expectations with insufficient funding, they would be provided with secure standards and proper support by a central provincial authority. Imagine how much we might save if every board in Ontario isn't reinventing the wheel over and over again with varying degrees of success.
Local school board IT departments would be entirely focused on working with their teachers to find the best hardware, software and cloud based learning opportunities based on the needs of the programs they are running. Instead of saying no and reducing technology access to enhanced pedagogical learning opportunities in our classrooms, our local IT departments would become sources of local technical expertise focused on helping public education close an ongoing digital skills crisis.
I'm writing this in a hotel room in the north end of Toronto the night before attending the Ontario Public Sector Cybersecurity conference. I want to believe that the people at this event are taking the challenges of technology enhanced education, including the tremendously difficult task of engaging with cybersecurity learning, seriously in 2023, but I fear it's going to be all cartoons and platitudes. Here's hoping.