During the past few years data security has moved out of the shadows and basements of IT departments and into the global conversation. Today’s news cycle is littered with reports of high-profile hacks on credit reporting bureaus, ransomware attacks against schools and individuals and sensitive data stolen from brands like Target and LinkedIn. In the first half of last year there were more than 2,000 disclosed data breaches involving more than 6 billion records, according to the cyberanalytics firm Risk Based Security.
The key to better online security—as with other social problems and malaise—is better education, argues one education entrepreneur who believes that schools are in a unique position to reach both tomorrow’s consumer and potential security expert.
“Pretty much every week you'll hear about a major hack in the news,” says Jeremy Keeshin, the CEO of CodeHS. “And most people don't know even the ABCs of how to create a secure password.”
The course is so new it hasn’t even entered beta testing yet (it will this spring), but it’s set to include modules on common vulnerabilities, phishing attacks and cryptography, all of which challenge students to get hands-on as they complete controlled experiments in each of these areas.
“We don't want students to be reading an article and writing up a reflection to it,” says Evelyn Hunter, a former math teacher who helped design the course as CodeHS’s curriculum lead. “We're really focusing on having them create things. For example with cryptography, they're going to be making their own cyphers and encrypting their own information.”
Like other CodeHS offerings, the year-long cybersecurity course is designed for schools without robust computer science departments and expert faculty. To that end, the company offers a comprehensive curriculum, training for inexperienced teachers and the online platform where students practice their exercises. Students should have at least a semester’s worth of programming knowledge, according to the company.
Less robust courses, scaling down the curriculum to just a semester or nine weeks, are also on tap, and a simplified version will be tailored especially for middle-school classrooms.
All students will get a grounding in what the company calls “cyber hygiene,” or staying safe online, and in the ethical implications of hacking. The goal is to create students who can discourse on cybersecurity topics in an intelligent way, says Keeshin, who points to online discussions he saw on the FBI-Apple encryption debates over accessing crime suspects’ smartphones. “People were trying to say all sorts of things that didn't make sense,” he recalls. “Like, if you could code it to lock it, why can't you just unlock it? One-way encryption can't go the other way. That's how it works, that's the math of it.”
Another objective is to give students a taste of career opportunities that could be waiting for them if they pursue the subject after high school, Hunter says, adding that many of today’s unfilled jobs involve cybersecurity in some capacity. The hands-on activities are critical for helping students discover whether they are interested in the topic, although some care is given to how the subject is approached, and students learn early on the difference between white-hat and black-hat hacking—the terms for good and malicious hacking respectively.
“There is a difference between good hacking and bad hacking,” Hunter says. “It is really important that students actually go and exploit vulnerabilities to understand what those vulnerabilities are.”
That approach has both supporters and detractors. Troy Hunt, a well-known security and data breach expert, has written about the importance of education in preventing data lapses, calling it cheap and effective. “I’d like to push education as far back in the pipeline as possible,” says Hunt in an email to EdSurge. “If we can get school students thinking about writing secure code at the same time as they’re learning to code in the first place, that’d be a big step in the right direction.”
However, teaching kids viable hacking skills can also be a risky proposition, according to Ryan Cloutier, a systems architect at TIES, an edtech group owned by 48 school districts in Minnesota. Cloutier spends much of his time in school technology departments and says he often sees passwords scribbled on Post-It notes and overworked technology staff unprepared for students who may be itching to try out their new technical chops.
Schools without strong computer science professionals are exactly the ones CodeHS is trying to reach. Yet they are also the most at risk, according to Cloutier.
“I have yet to meet a school that has the proper lab environment to support that type of learning, where the kids wouldn't be able to use that knowledge and tools against their schools,” he says. “To clarify, the only difference between a white-hat hacker and a black-hat hacker is intention.”
Before investing in comprehensive cybersecurity courses, districts should make an effort to “up their cyber posture,” Cloutier says, starting with the superintendent and a competent instructor and perhaps a managed security partner—similar to how TIES serves its districts.
“Tech directors are overstretched already, to add this to their plate I feel is a disaster waiting to happen,” Cloutier says. “I'm incredibly passionate about the fact that I do believe kids need to learn these skills. So it’s kind of a Catch-22.”