August 27, 2025 • 42 mins
Zac and Stephanie talk with Senior Director for Preparedness and Response at the Institute for Security and Technology, Michael Klein about the importance of cybersecurity for school systems, what families can do to help students, educators roles, and how we can practice our own cyber hygiene.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Zac (00:00):
Hey friends, it's Zac.
Thank you for joining us forthis episode.
What a lot to be covered here.
We have a fantasticconversation with Michael Klein
around the importance ofcybersecurity in schools.
We touch on its importance foreducators.
We talk about how students canlearn about it the most.
We talk about what angles froma parent's perspective we can
(00:21):
start to do to help peoplefigure these things out.
All of it working together.
We hope you enjoy and staytuned for the entire episode
because it's just chock full ofgreat information.
I'm Zac Chase.
Stephanie (00:41):
I'm Stephanie Melville.
Zac (00:43):
And our guest this episode is Michael Klein, the Senior
Director of Preparedness andResponse at the Institute for
Security and Technology and alsojust an all-around good human
being.
Michael, hello.
Michael (00:56):
Hey, it is so wonderful to be here with my fellow
fellows and friends.
Zac (01:01):
Michael, there's a piece in the news that is what led us to
talk to you.
But we're going to talk about abunch of things around
cybersecurity, cyberpreparedness, those kinds of
things.
You're bread and butter, butthere's a sun setting law that
is due to sunset in September.
Can you give us a briefexplanation of what that law is
(01:21):
and what it does?
And the best part about thisepisode for folks who are
listening at home is this isalso an area of expertise that
is not my bread and butter, noris it Stephanie's bread and
butter.
So all the questions youmuggles, can we say muggles?
Like, can we, can we stillreference JK Rowling?
You
Stephanie (01:40):
know, it's fine.
Zac (01:41):
Yeah, she doesn't get any money every time I say it.
So yeah, if you were a muggleto the whole cybersecurity and
preparedness world, Stephanieand I are your proxy for this
one to help make sense of it.
Michael, what is the law thatis...
Because we are muggalicious.
What is the law that's sunsetting in September?
Michael (01:59):
Absolutely.
And by way of introduction,I'll say I am still somewhat of
a muggle to the cybersecuritywork as well.
Because I started as a teacher.
I taught third, fourth, andfifth grade in Brooklyn and
Harlem.
And when I started teaching, wewere using Palm Pilots.
and our students didn't havecomputers.
So it was a long time ago.
He's 80, everybody.
Exactly.
I'm actually 80 years old.
Stephanie (02:22):
That's why we get along so well.
Michael (02:24):
Exactly.
But what I'd say is I came fromteaching and then I got
interested in how tech can behelpful for teaching and
learning, which is really Zac'sbread and butter.
And then from there, I becamean IT director in a school
district during the pandemic.
And from there, I went to workat the Department of Thank you
so much.
(02:54):
and private sectororganizations to share
(03:14):
information with the federalgovernment that would be helpful
for protecting federal networksand just for protecting in
general our internet from cyberthreats.
And it also allows companies toshare information between each
other without fear ofprosecution, right?
And so that is like core toeverything we do in
cybersecurity because threatsare not just to one individual.
(03:36):
All of us are connected on theinternet.
And so this law really enablesus to be able to share quickly
information between differentkinds of organizations to stop
threats from happening in thefirst place or to mitigate them
when they do happen
Zac (03:49):
and is the is the fear on the corporate level like an
antitrust piece like insiderinformation sharing without this
law to like to clearlyarticulate no you can talk about
this kind of informationwithout fear of of Right.
Michael (04:05):
So I think that's part of it.
And I think it's also fear ofprosecution for a number of
other reasons, right?
Because as you are sharinginformation about things that
might be proprietary, you mightbe worried about discovery of
that information in court.
So this provides kind of alegal shield to companies that
are acting in good faith toshare information, to allow them
to do that, to tell thegovernment, here's what's going
(04:27):
on, and to collaborate with eachother on things that have
become really popular, which arecalled information sharing and
analysis.
So this
Zac (04:40):
reminds me of what I talk to my kids when they have done
something that they don't wantme to find out about.
I tell them, it is better foryou to tell me what happened
than for you to try to hide itand me to find out later.
And so this is basically likea, you know, global corporation
technological version of that oflike, we just want to make it
(05:00):
this is a safe space for you totell us something went wrong,
and we will help you.
And we'll deal with what weneed to do afterward.
Is that kind of the gist
Michael (05:09):
of it?
It's a big piece of it.
Yeah.
And it's a safe harbor, right?
It allows organizations toshare this information without
being worried about getting introuble.
And the other important pieceto this is that while the
federal government has a lot ofcontrol in a lot of places, the
internet is mostly owned and runby private institutions.
And so they have way moreinformation about most of the
things going on online than thefederal government does.
(05:31):
And so this allows them toshare that information to be
able to do that collectivedefense work.
Zac (05:36):
Fantastic.
That is what got us curiousabout all this.
Michael (05:40):
One last thing I should say about this is that
literally no one is againstthis.
This is a law that literallyeveryone agrees that at least
this thing should bereauthorized.
There are people who think weshould tweak it in this way or
tweak it in that way, but no onethinks this information should
not be shared.
Everybody who lives in theworld of defending, whether
you're at the federal governmentor in states or in private
(06:02):
companies, everybody Right.
And
Zac (06:06):
what we are seeing is that Congress, not unlike every
student I ever taught, iscontinuing to wait to do its
homework until the night beforeit's due.
And so there are Congresspeople who are saying, you know
what, we will tweak it later.
Right now, we just have to getthe thing reauthorized.
And other people are saying,no, no, let's tweak it now.
And they're saying, no, no, weneed a continuity of coverage
(06:27):
here.
So that's fun.
It's just people's information.
It's not Not like it'svaluable.
Okay, so here's a question foryou.
And we're going to start realbroad.
Cybersecurity.
Why does cybersecurity matterto school districts?
And I know that that may seemsilly to some people who work in
(06:48):
this sector, but I think that,you know, on its face,
cybersecurity is apparent.
Like, I don't care if they seemy kids' essays.
Some people might, but like,why does this matter?
Michael (06:58):
So I would say it's not a silly question, actually.
It's one of the main challengesthat I think we as education
systems and also more broadlycompanies have is this tends to
be thought of as a technicalnerdy thing that only technical
people can understand.
But actually, this is a lotlike other kinds of risk.
Cybersecurity is aboutunderstanding risk and then
(07:20):
managing risk, right?
And it's the same withfinancial risk.
You don't want just anyone tohave access to your finances.
You don't want anyone to beable to make any choices with
your finances.
That's why we have people incharge of finances in every
institution, making sure theright things are happening, and
then we audit it to make surethere's not fraud and other
things like that.
Cybersecurity is similar.
So the kinds of risks that weworry about in schools, I'd say,
(07:42):
are two or three differenttypes.
So the first kind of risk, Ithink, is that schools actually
won't be able to open, right?
So that's one kind of risk thatcomes with cybersecurity.
Stephanie (07:52):
Can I pause you there?
What do you mean?
Why would schools not be ableto open?
Michael (07:55):
In the last five years or so, there's been a rash of
ransomware attacks.
And so at its most basic level,this is when a bad guy gets
control of a school district'snetwork and can shut that
network down.
So basically, you wouldn't beable to do a number of things
that could include you wouldn'thave any internet in the school
building, which means you oftenwouldn't have phones or other
(08:16):
systems that are connected tothe internet.
It might shut down your abilityto do lunch service or school
buses or things like that.
And no school district can openif you can't do those things.
And so if one of the concernswe have is ransomware being able
to stop schools from operating,that becomes a really big
challenge.
So I say that That's the numberone concern is when a school
shuts down, it means thatparents can't go to work.
(08:38):
Kids aren't getting theservices they need.
And it really stops a wholetown or city from functioning.
You've disrupted the
Zac (08:44):
economy.
Exactly.
Right.
Let alone the kids not beingable to get the learning.
Like the ripple effect there ispretty huge.
I'm also thinking about, youknow, there are a lot of
computer operated securitysystems in schools, too.
Right.
So being able to lock the doorsor open the doors, just that
piece could could keep a schoolfrom being able to feel
Michael (09:08):
like they can open.
(09:33):
There's tons of informationabout their learning, including
if they have an individualizededucation plan for special
education, and a lot of reallysensitive data on health and
learning.
And that data should stayprivate.
So that's one really importantpiece of the puzzle as well as
the privacy of that data.
And that's really whatcybersecurity is
Zac (09:55):
about too.
Getting access to data that wedon't want people to have in
general, right?
Like things that should beprivate that maybe we don't
always think about.
Oh, a school district has thaton file.
Our social security numbersbeing one of the pieces.
Michael (10:18):
And then I would say there's one more thing and then
I can tie them all together.
The third way that we'reworried about cybersecurity is
what we call business emailcompromise, but that's really a
fancy name for fraud, right?
This is essentially when youconvince someone to give you
information about like a routingnumber, or you convince them to
pay the wrong person.
And we've seen school districtslose millions and millions of
(10:39):
dollars, which is a huge impactin terms of like, I don't know,
maybe a teacher, right?
Like you can't pay a certainnumber of teachers if you lose
millions of dollars, right?
And so we have challenges withthat combination of ransomware,
the fear of shutting downschools, which has happened in
many school districts.
We have data breaches, right?
So the confidential data thatwe don't want going out into the
(10:59):
world.
And Well, that all soundshorrible.
So cybersecurity
Zac (11:29):
is important to school districts.
You have cleared up A lot ofmisconceptions about
cybersecurity in education.
Is there anything else thatpeople, we muggles, don't know
about that you're like, I wishfamilies knew this.
I wish the regular people knewthis.
I wish educators knew this.
(11:50):
And maybe you've covered thosethree with the height of things
that frustrate you.
Michael (11:56):
I would say there are a couple of things that are
important that I wish morepeople understood.
One is that most schooldistricts in the country are
relying on a few key vendors tomake sure that schools can open
every day.
Those are your vendors forthings like a student
information system that holdsall of that really important
student data, your bus routingsystems that make sure kids get
(12:18):
safely to school, your foodservice systems that make sure
kids get warm lunches every dayat school.
And those systems are notthings that districts are
creating themselves, right?
They all rely on two or threevendors.
So there's a lot of risk andconcentrated risk.
And so even if you as a schooldistrict are doing everything
right for the things that are onyour school district network,
(12:40):
all the computers that you have,the wireless that you run, all
of those things, and you avoidthings like ransomware, there
are huge risks out there fromthese what we call third
parties, these otherorganizations that hold all of
this really importantinformation.
And what we saw in January whenI was at the department still
was the biggest cyber incidentever in the United States, which
(13:01):
was the Power School databreach.
And so this was a situationwhere you had one company that
is in charge of the studentinformation systems for 4,000
school districts.
This is a third of the country.
And so that vendor gotattacked.
Someone was able to log in witha username and a password, and
there wasn't any more protectionon that system.
(13:23):
And from there, the bad guy,who was actually a 19-year-old
student from Massachusetts, wasable to log in and steal the
data of 60 million students and10 Right.
And the school districts inthat context had no control over
what was happening becausethat's all managed by that third
party company.
You could imagine if you're aperson at home that this is like
(13:44):
if Google were hacked.
Right.
You have no control over Googlesecurity systems.
You only control your usernameand password for the system.
Right.
And so I'm not this wasn'tactually Google.
This was PowerSchool.
But it's a similar kind ofchallenge.
And so that's one of thosethings that I think we should
really understand is that.
School districts rely a lot onthese third parties.
(14:06):
And so when these incidentshappen, people get frustrated
and might say, oh, the districtdid this thing wrong.
But in this case, it wasn't thedistrict.
It was actually a vendor thatthe district and every other
district relies on.
So that's a really bigchallenge.
Zac (14:19):
And I will say, and all three of us have worked at the
district level, and we haveprobably been a part of the
procurement, like the buying andcontracting process.
And there are lots of legalprotections that districts put
in place that require companiesto show that they have done you
know as much as required as theycan require to keep those those
(14:41):
data safe right so people arewith power school because power
school is very big and and theydo these things but they're also
with power school becauseeveryone has agreed that these
are the the protections thatwill be put in place we're just
also living in a landscape wherethieves and attackers are just
constantly getting better umthank goodness i watched the
(15:03):
movie hackers when I was a kidand sneakers.
So that I, I maybe, maybe I'mnot a muggle.
Like I've seen Angelina Joliehack into a computer.
I've seen Dan Aykroyd.
You've
Stephanie (15:17):
seen oceans eight.
You've seen Rihanna do it.
You know, that's true.
Yeah.
Zac (15:21):
For Phoenix.
Like, okay, nevermind.
I know everything aboutcybersecurity.
Stephanie (15:25):
We know everything we need to know.
Right.
We're experts.
Yeah.
Zac (15:29):
Also, I know the cheat codes for many NES games.
So, maybe I'm a hacker.
Michael (15:34):
And that is absolutely hacking too.
And I think, you know, all youreally need is a black hoodie
and intense look on your faceand staring at your keyboard
screen or staring at yourkeyboard and being able to say,
I'm in.
And then you're good.
I think that's nice.
Stephanie (15:46):
Sweet.
Okay.
So with the rise of remotelearning and new technologies
like AI, how has that changed,you know, the cybersecurity
challenges for schools?
Michael (15:56):
I think I would answer that kind of in one basic way,
right?
So when we think aboutcybersecurity, we're thinking
about managing risk, right?
And when we think about whatremote learning did, it meant
that we needed a lot moredevices.
So every student could havedevices.
We had a lot more internetaccess, including at school and
at home.
And we had people accessing newsystems in ways they never had
(16:19):
before.
And so that adds risk in awhole bunch of different areas,
right?
Because now you're trying toaddress so many more devices, so
many more systems, and so manydifferent ways of connecting
that sometimes the schooldistrict does not have total
access over, right?
And And so that's one of thosebig things that, you know,
there's a fancy name we callattack surface, which is
essentially just like what isavailable for the bad guy to
(16:41):
attack.
And so what happened is weexpanded the attack surface
quite a lot, right?
Because we have way more thingsto protect.
We have a bigger footprint.
Exactly.
Exactly.
And with AI, I'd say the otherthing, I mean, there are so many
ways that AI can be impactfulhere.
We would be in trouble if wedidn't talk about AI somewhere
in this conversation.
But the thing that I think ismost interesting with respect to
(17:01):
AI on the offensive side isthat for the bad guys, now if
you get a giant data breach, youcan now dump that information
into a large language model orsomething like that and now have
it match up.
Who are these people?
Do some research online.
How do I get in touch withthem?
How do I find this stuff?
And so it will allow you tomuch more rapidly take data that
(17:22):
has gone out the door and useit for nefarious purposes.
So I think it makes thereconnaissance and the ability
to use and exploit that datamuch faster.
But hopefully on the defenderside, over time, AI will also
allow us to patch things morequickly or find vulnerabilities
that are in the systems and dealwith them quickly, right?
(17:42):
So I think there's, anytime yousee kind of technology move
forward, oftentimes you'll seefirst an advantage for the
attacker because the defendersaren't ready yet and the
attackers can use these thingsto exploit.
And then you start to see thedefenders catch up and
eventually have an advantagebecause the technology overall
will allow them to defend thenetwork more effectively.
Zac (18:02):
Well, this is all terrifying
Stephanie (18:05):
yeah but you know what there's got to be like a
way that we can as as parents orcaregivers kind of like be a
little bit more aware of what itis you know that that that we
can do or that our schools ordistricts are doing right like
we've talked about why schoolcyber security is important to
families and caregivers you knowjust from a from a personal
(18:29):
identifiable information leakyou know like where you live
what your kids social securitynumbers are their medical
information who's allowed topick your kids up you know like
all all that good stuff but whatwhat questions can we ask of
our schools cyber securitypolicies or practices like
they're i feel like beinginformed is a good thing yes
Zac (18:54):
premise of podcast
Michael (18:57):
overall for anyone doing stuff for their own their
own cyber security or forothers.
There's one thing likemulti-factor authentication,
right?
So this is like when you aregoing to log into an account,
you're probably familiar withthis in your bank.
Once you put in your usernameand password, you're not in and
good to go.
You either have to receive atext message or use an app on
(19:19):
your phone, or even in thefanciest versions of this, you
have a little thing you pluginto your computer that says,
hey, this is me.
And that really stops a lot ofcyber attacks, right?
Because you can't just get inwith a username and password you
need another thing that islikely on a phone of the person
that you don't have access to.
And so for the systems that wethink about in our schools, one
(19:40):
of the most important questionswe can ask is, are we using
multi-factor authentication inthese systems, right?
Because that will stop a lot ofthe breaches from happening.
And so that's really important.
I think another way thatfamilies can be involved is to
understand how are you teachingstudents about cybersecurity and
(20:00):
how are you teaching teachersabout cybersecurity?
Right.
Because we hope that schooldistricts are doing some kind of
digital citizenship or otherkind of program that's helping
kids understand this is what itmeans to use technology.
Well, these are the risks andalso helping teachers to
understand, wow, you have a lotof data that you have access to.
Do you understand how we'remanaging that risk and how not
(20:22):
to put students data in placesthat it shouldn't be and things
like that?
So I think those are a coupleof things that families can do
to better understand how schooldistricts are doing.
Zac (20:31):
You've got a kid.
Michael (20:32):
I do.
Zac (20:33):
Your kid goes to school.
Michael (20:36):
She does.
Zac (20:37):
So what are the questions you, what do you know about your
kid's school?
Michael (20:40):
So one, in terms of the school district, I knew right
away what are the technologiesthat they're using.
So I can be keeping track ofwhether there's an incident or
whether there are issuesinvolved, right?
So for me, that was like just amajor part of my job because
like I was working incybersecurity in schools.
So I was already thinking aboutthat topic.
But I would say with respect tomy daughter specifically, She
(21:03):
is someone who is incrediblycurious.
And so from a really young age,we have talked about what does
it mean for something to beprivate to you?
And what are things you feelcomfortable sharing, right?
And how do we decide whether wewant to share something or not,
right?
So I think a lot of thesethings can be in much more basic
concepts than the technologicalones that we often use.
(21:24):
A lot of this stuff is justnormal, kind of good parenting
practice.
And then when it does come tothe technology, you know, her
iPad has a passcode.
We talk about why we use apasscode.
And so just getting used tothose kinds of things, I think
is a good and normal part ofkind of growing up with the
internet, right?
Especially for kids today thathave devices all the time.
(21:44):
And so I think from thecybersecurity side, that's one
thing.
Then there's a cyber safetyside, which is kind of
different, which also is superimportant.
Zac (21:52):
My kids are flummoxed that I will not tell them the
passcode to my phone.
And they will say, you know,what secrets do you hide on
there?
All of them.
(22:13):
Our parents never had to talkto us about cybersecurity.
(22:35):
They should have.
I was definitely on AIM or inAOL chat rooms, Prodigy chat
rooms, pretending to be people Iwas not.
Again, I was a hacker.
See?
No, that's not what that means.
Are there books for kids thatfamilies could, for people who
are coming to this conversationnew, that just boil it down to
(22:56):
what you're talking about?
Or does it just have to beworded like, oh, I listened to
this podcast and they weretalking about this?
Is that
Michael (23:07):
how we're going to get this done?
This is a huge cultural shift.
(23:30):
One thing I will recommend ismy favorite book, honestly, on
this topic, which is not reallyfor kids, but it could be, is
called How the Internet ReallyWorks.
I
Zac (23:40):
love that book so much.
Stephanie (23:43):
And it's amazing.
How have I never heard aboutit?
Michael (23:45):
It is the best book.
And it has basically picturesof and like there's a little cat
and the cat is like navigatingthe space.
So it's like incredibledrawings, but it's super, super
well done by like professionals.
And I learned a ton from it aswell.
So that's like one thing Iwould recommend to all the
parents out there because mostpeople don't really understand
(24:06):
how the internet works.
It's really complicated.
And so that one's superhelpful.
And the more I think about it,Zac, and the more I think about
my child growing up and the moreI think about raising...
like an amazing kid has so muchto do with boundaries,
relationships.
So all the things that we thinkabout in the kind of physical
(24:26):
world and physical interactionsand physical safety, which is
something that unfortunately wedo have to think about a lot.
It's like, how do you help yourchild understand how to have
friendships, how to haverelationships, how to set
boundaries and keep thoseboundaries, right?
And the digital world isanother place to do that work.
And it all comes back to trustand it all comes back to your
(24:46):
ability to share things when youfeel comfortable sharing that.
And I think for me, that is themost important piece of the
puzzle.
Back to your kid's questionabout why can't I have your
login or your passcode?
It's because, well, this isprivate to me and I'll share
pieces of it with you when it'simportant and we can have a
shared place where we put that.
And there are different thingsthat I'm always happy to share
(25:07):
with you, but just like you havea journal in your room that I
wouldn't go and read, this is apart of our world that allows
you to see so many differentthings, track your location,
take pictures, do all differentkinds of things.
And so being able to setboundaries on what's private and
what's not and who can haveaccess is just a part of living
in a democracy.
It's part of living and growingin a place where we can think
(25:29):
our own thoughts and become fullpeople.
Zac (25:31):
This hits me in the place where the conversations around
digital literacy and AI literacyand all these, there's a new
literacy.
And if you look at those, yourealize, oh man, if we just did
literacy right, which we have Iwas
Stephanie (25:47):
going
Zac (25:50):
to say, we don't.
They were doing what theywanted to, how to set those
(26:18):
boundaries.
Then an online piece.
I think the difference thatstrikes me, and I see it in our
own home, is the lack of aphysical embodiment with the
other, right?
So in online spaces, the avatarI'm facing in Fortnite isn't
real.
And so the people who arecontrolling those characters in
(26:41):
Fortnite must not be realeither, right?
I know they are, but they don'tseem that way.
So it's much easier for me togive myself stuff my information
to them so the cyber securitykind of breaks down there like
whereas if a stranger came up tome and said to my kid and was
like where are you what's youraddress when were you born those
kinds of things they wouldn'tthey would be like no way weirdo
um but that the the kind ofonline aspect of it i think
(27:05):
makes it a differentconversation there's a there's
an added level of complexity
Michael (27:09):
absolutely and i think in that case zach one of the
best things we can do as parentsand as adults is to help
children children see theconnection between what we would
do and expect in a real worldphysical setting, and how that
relates to this online setting,right?
What you just did there ofdescribing, I would never do
this in this context.
Why would I do it here?
(27:30):
Just letting kids come to thatexperience of like, even role
playing with them, right?
Like, I'm a stranger, I'm gonnacome up to you and ask you for
the stuff, right?
Like, I think there are waysthat kids would one, find that
fun and silly.
And two, it would make clearlike, oh, in my head, when
someone starts asking me forthis stuff, even though I can't
see their face, this is creepyor like this is not appropriate.
Sorry.
(27:50):
I always take us tocybersecurity kind of
necessarily takes you to a badplace, but hopefully we're going
with positive versions of likewhat we can do from the bad
place.
Zac (27:57):
Absolutely.
Stephanie (27:58):
Okay.
So, so what are the top threethings you would say all student
facing educators need to knowand do to improve cybersecurity?
Michael (28:09):
So I think in general, and this is my own frustration
in the world, having been aneducator and also having been an
it director, and then havingworked in federal policy.
We're asking school districtsevery day to defend themselves
from transnational criminalgangs.
We don't ask towns to do that
Zac (28:27):
with
Michael (28:27):
physical security, right?
Like we don't ask a localpolice force to like defend
themselves against an invadingarmy, right?
And so what we're doing is likewe are pushing down onto
under-resourced organizationsthe expectation that they defend
themselves against reallychallenging threats.
And so I think like At a highlevel, what I would hope is that
(28:48):
we understand there's a rolefor the federal government to
both resource, provide thenecessary resources to help
people defend themselves at thestate and local level, and also
do the protecting as well.
And then for the statedepartments of education and
state agencies, which many ofthem do, to provide many of the
resources that school districtswould need, because many of our
school districts are very small,like a 600-student school
(29:11):
district where thesuperintendent drives the bus
and fixes printers on theweekend is not well positioned
to defend themselves againstreally challenging cybersecurity
threats.
But I think school districtsshould be able to, number one,
make sure that multi-factorauthentication, so that other
thing than just a username andpassword, is turned on on as
many systems as possible for asmany people as possible.
(29:33):
Not necessarily for kidsbecause that gets really
complicated, but if you hack akid's account, for the most
part, you can't shut down aschool district.
You can get their information,that's not great, but I think
from a risk perspective,multi-factor authentication on
as many systems as possible,certainly for administrators,
certainly for teachers.
The second thing, make surethat anything that you have in
your district that touches theinternet is patched, right?
(29:55):
Patching first.
We're updating by that.
Sorry.
So every system...
has defects in it and we findthose defects over time and
that's when you have to likeupdate your iphone so that it
like gets its newest version gotit right and so it has a
security flaw you just like turnit off turn it back on again
for an iphone and then boom it'supdated right um similar for
(30:17):
technology in school districtsand anything that touches the
internet like outside yourdistrict can be seen by bad guys
and if there's a vulnerabilityor a bad thing in the software
or a bug they can get into yoursystem so patching is number two
so multi And I think the thirdthing is user education, right?
(30:37):
So how are we helping teachersand students understand what the
threats look like?
This is what a phishing emaillooks like.
This is what happens when youclick on a link or download
something you shouldn't, right?
So those are the three things Ithink every school district
should really be responsiblefor, right?
Because that's stuff that theycontrol directly.
For teachers, I would say thethings you should be most
concerned about are one, does myschool district know I'm using
(30:59):
the thing that I'm using?
So that's
Stephanie (31:00):
actually- Quite an
Michael (31:03):
important question.
And respectfully, having beenboth a teacher and an IT
director, I'm not saying youshould never use things that are
not authorized by your schooldistrict.
I don't want to be the personsaying that necessarily.
But it's hard to manage therisk of the technology we're
using if you are just signing upfor a random thing, we don't
know what it is, and thenputting student data into that
(31:24):
thing.
So there is a tension there.
We as teachers really want todo the right thing, educate our
students, get them the newestand most interesting thing.
But we need to balance thatwith the risk of putting
sensitive student data intothose systems, right?
So I feel like that's one thingto really consider.
Another thing to consider is,do you know what to do when
(31:44):
something bad happens on theinternet in your school, right?
So do you know who to contactin IT?
Do you know how to helpescalate something if you see
something bad happening, right?
I think in the same way that wedo fire drills for our physical
security in buildings everyyear We should be doing cyber
fire drills, right?
Everybody should know what ismy role.
(32:06):
If I see something badhappening with the technology in
my school, how do I bring it tothe right person to get that
problem solved?
So I think the third thing thatteachers should be thinking
about or asking is how can theymake cybersecurity work?
real and meaningful to theirstudents?
How can they help themunderstand what it means to be
learning online together?
And I think that doesn't needto be super technical.
(32:28):
That's just helping them tounderstand when we're engaging
physically, like sitting in ourclassroom here and having a
conversation, this is how weinteract.
And when we're online, we needto think about how we're
interacting, what we're sharing,right?
So there's that context ofbeing able to help students find
their way into society andpractice democracy using the
technology.
Zac (32:47):
This makes me think, and I've seen these exercises done
with And I think it would bereally interesting, especially
in like a high school classroomthat hasn't instituted some
draconian cell phone ban to say,all right, just saying, all
right, I want everybody tounlock their phone and pass it
to the person two seats down.
Don't actually have them dothat.
(33:08):
But just imagine the responsethat would happen in that
classroom, because I think thatgets you to the place of, all
right, that's why cybersecurityis important.
The things you were justworried about is why
cybersecurity is important.
And all your phone is guardedby is, you know, a picture of
(33:28):
your face or your thumbprint orsome alphanumeric code.
But those conversations are nothard to have.
And I love the point you madeearlier about how do we start to
have conversations aboutprivacy in general with younger
kids so that by the time thingsget more complex and we're
talking about cyber relatedprivacy, they have some sort of
(33:49):
foundational premise there?
Michael (33:51):
Our society tends to take a very punitive approach to
people tinkering and tryingthings, especially with
technology.
And hacking can be for good.
And because that's the case,the earlier we can see students
trying and testing thoseboundaries and direct them
towards positive ways to channelthat, the less likely they will
be to get into a situationwhere the FBI shows up at their
(34:12):
door because they've been goingto a place they shouldn't and
hacking at things.
Which is just
Zac (34:17):
the same as all psychological development that
we know about boundary pushing.
So this continues that like ifyou do it right in the physical
non-digital world, your chancesof mitigating risk in the
digital world are
Michael (34:30):
great.
And the thing I'll say aboutthis specifically is that there
is a group, I mentioned thehacker who was 19 years old who
got into the power school,right?
The biggest kind of like breachwe've ever had.
There's a group that are likejokingly called AP teams, like
advanced persistent threats, butthey're teenagers that are
really good at this, that aremostly actually English speaking
(34:50):
based in the US and the UK thatare doing what's called social
engineering, right?
This is like phishing.
This is convincing people togive you information that they
shouldn't give you so you canget into their system.
And so they're not even reallyhacking so much as like
gathering information and thenusing it to do the kinds of
things that other hackers woulddo.
And this is like groups ofteenagers that are loosely
(35:13):
associated online.
So the more we can help kidssteer away from that version of
this world and steer towardsusing those powers for good, to
help secure systems and protecttheir families and protect their
communities, I think we can bemoving in a much more positive
direction.
And there are some countrieslike the Netherlands that
actually have programs that arealternatives to incarceration
(35:33):
for these kinds of situations,where for a first offense for
this kind of thing, you thenhave the opportunity to get
mentorship and learn from peopleand change directions on this,
rather than going down the kindof cyber crime route.
So I think there's some reallyinteresting opportunities there
in terms of the All right,
Zac (35:53):
last question.
Does these things.
(36:20):
Maybe I might too.
I think I know what the otherone is going to be, but you go
ahead and I know what the nextone's going to be, but tell me
and I'll tell you if I wasright.
Michael (36:28):
Yeah.
I assume you're going to knowwhat my next one is.
So I use a password manager.
So I use one password, which isa password manager, but a
password manager in its mostbasic terms is a really
effective place that you keepall of your passwords and it is
really well protected and youhave one password that that
(36:50):
opens the vault that has allyour other passwords in it.
And you have this live in yourbrowser on your computer.
And then it will, as you createyour passwords, auto-fill them
for you when you go to log in toother websites.
And it creates complexpasswords for you.
Because the problem that thisis solving for is that the
number one way that people gethacked is through valid
(37:12):
usernames and passwords thathave been reused or that have
shown up in a data breach.
And all of us, all of our datahas shown up in data breaches,
including user names andpasswords people tend to use the
same password across many manyaccounts and it's impossible to
remember complex passwords forall of your accounts it's just
not what we were made to do aspeople right that's not how our
brains are structured and so weneed technology to help us with
(37:34):
that and that's what a passwordmanager does is it's a secure
place to keep all of your usernames and passwords including
other things that are helpfulyou can keep identity documents
in there and other things likethat so when you're on this
travel website it'll just autofill it for you from a secure
place, and it'll generate arandom password for you.
So that's my number one tipwould be use a password manager,
(37:56):
but don't overwhelm yourself bydoing it for everything at
once.
Get it.
Start with just your email andyour banking information, the
stuff that would be mostvulnerable, and then go from
there.
As you go to log into otherthings, then change those
passwords too.
But it can feel overwhelming.
So to start with one or tworeally important ones is a good
place to start.
Zac (38:17):
And you're talking about 1Password.
Is this similar to what I knowChrome...
And like Google offers asimilar password manager.
I know Apple products offer asimilar password manager.
Are those the same thing ornot?
So
Michael (38:31):
those are different.
And again, that is way betterthan using the same password
everywhere.
So if that is a good first stepfor you, definitely feel free
to use the kind of passwordthat's kind of in the browser
through Google or through Apple.
But ideally, having a separatepassword manager is something
that provides you another layerof security because there are
(38:53):
hacks at this point that areable to pull passwords from
browsers, depending on theextensions you have in them and
stuff like that.
But I would say, again, that'sbetter than having the same
password everywhere.
The other thing I'll say interms of cyber hygiene for me is
on both my Apple device and onmy Google account, I have set up
what's called advancedprotection.
(39:13):
And so for Google, what thatis, you go into your Google
accounts, you go into thesecurity settings, you'll need
something called a YubiKey orlike a physical token.
And I I would buy a couple ofthem.
And what this does is it makesit much more secure for your
Google account.
People can't just reset yourpasswords.
They can't get into youraccount as easily.
There are a lot of advancedfeatures that will protect your
(39:34):
account against hackers andthings like that.
For me, that's an importantthing because I've been in
environments where it'simportant for me to have
something like that.
But I think it's a goodpractice for everybody.
And on your iPhone, there'ssomething similar for iCloud.
If you turn on iCloud advancedprotection, especially if you're
political world that we live inand now and everything.
(39:54):
When you do those things, itdoes what's called end-to-end
encrypt them.
So what it does is it makes thedata that's on that device and
in your iCloud inaccessible toanyone except you.
And so it's locking thosethings down in a much more
secure way.
And it's turning off featuresthat are often used by hackers
to get into those devices.
That said, the most importantthing you can do for your
(40:16):
computer, for Chrome, foranything else is just update,
right?
Anytime you see an update thingpop up, Do it or if possible,
just turn on auto updatesbecause no one wants to remember
that stuff.
And so the more you can justhave things happen automatically
for security, the better.
For your iPhone, it's literallyturn it off and turn it on
again and you're good.
Zac (40:35):
Michael Klein, you have been very helpful.
Well, let me say this.
We've had a number of episodeswhere we talk to very smart
people such as yourself and askthem questions.
And there's a lot of like, oh,the world is burning.
And I thought this was going tobe one of them.
Stephanie, I don't know aboutyou, but I don't.
It's like more of like theworld could catch on fire, but I
(41:01):
feel like we've got some reallygood practical stuff that folks
can do
Stephanie (41:05):
to kind of tamp out those flames.
Yeah.
Yeah.
Michael (41:09):
Absolutely.
Rather than assuming we cankeep all the bad stuff out, we
have to be resilient against thethings that we know are going
to happen.
We have to assume that thesethings are going to get through.
We're going to have theseissues and we need to know like
when that happens, what's ourresponsibility?
right
Zac (41:24):
thank you michael
Stephanie (41:24):
thank you
Michael (41:26):
thank you
Stephanie (41:32):
Thank you so much for joining us today on this
episode of AcademicDistinctions.
We promised you a good time andwe hope we delivered.
And until our next episodedrops, be sure to follow us on
Instagram atacademicdistinctionspod.
Find us on Blue Sky atfixingschools or find us on
Facebook.
As always, this is your call toaction to share the podcast,
like us and subscribe.
You can find us online atacademicdistinctions.com.
(41:54):
Have a question for the pod ora topic you'd like us to dig
into?
Email us at mail atacademicdistinctions.com.
Until next week, friends.
This podcast is underwritten bythe Federation of American
Scientists.
Find out more at fas.org.
Hey friends, it's Zac.
Thank you for joining us forthis episode.
What a lot to be covered here.
We have a fantasticconversation with Michael Klein
around the importance ofcybersecurity in schools.
We touch on its importance foreducators.
We talk about how students canlearn about it the most.
We talk about what angles froma parent's perspective we can
(00:21):
start to do to help peoplefigure these things out.
All of it working together.
We hope you enjoy and staytuned for the entire episode
because it's just chock full ofgreat information.
I'm Zac Chase.
Stephanie (00:41):
I'm Stephanie Melville.
Zac (00:43):
And our guest this episode is Michael Klein, the Senior
Director of Preparedness andResponse at the Institute for
Security and Technology and alsojust an all-around good human
being.
Michael, hello.
Michael (00:56):
Hey, it is so wonderful to be here with my fellow
fellows and friends.
Zac (01:01):
Michael, there's a piece in the news that is what led us to
talk to you.
But we're going to talk about abunch of things around
cybersecurity, cyberpreparedness, those kinds of
things.
You're bread and butter, butthere's a sun setting law that
is due to sunset in September.
Can you give us a briefexplanation of what that law is
(01:21):
and what it does?
And the best part about thisepisode for folks who are
listening at home is this isalso an area of expertise that
is not my bread and butter, noris it Stephanie's bread and
butter.
So all the questions youmuggles, can we say muggles?
Like, can we, can we stillreference JK Rowling?
You
Stephanie (01:40):
know, it's fine.
Zac (01:41):
Yeah, she doesn't get any money every time I say it.
So yeah, if you were a muggleto the whole cybersecurity and
preparedness world, Stephanieand I are your proxy for this
one to help make sense of it.
Michael, what is the law thatis...
Because we are muggalicious.
What is the law that's sunsetting in September?
Michael (01:59):
Absolutely.
And by way of introduction,I'll say I am still somewhat of
a muggle to the cybersecuritywork as well.
Because I started as a teacher.
I taught third, fourth, andfifth grade in Brooklyn and
Harlem.
And when I started teaching, wewere using Palm Pilots.
and our students didn't havecomputers.
So it was a long time ago.
He's 80, everybody.
Exactly.
I'm actually 80 years old.
Stephanie (02:22):
That's why we get along so well.
Michael (02:24):
Exactly.
But what I'd say is I came fromteaching and then I got
interested in how tech can behelpful for teaching and
learning, which is really Zac'sbread and butter.
And then from there, I becamean IT director in a school
district during the pandemic.
And from there, I went to workat the Department of Thank you
so much.
(02:54):
and private sectororganizations to share
(03:14):
information with the federalgovernment that would be helpful
for protecting federal networksand just for protecting in
general our internet from cyberthreats.
And it also allows companies toshare information between each
other without fear ofprosecution, right?
And so that is like core toeverything we do in
cybersecurity because threatsare not just to one individual.
(03:36):
All of us are connected on theinternet.
And so this law really enablesus to be able to share quickly
information between differentkinds of organizations to stop
threats from happening in thefirst place or to mitigate them
when they do happen
Zac (03:49):
and is the is the fear on the corporate level like an
antitrust piece like insiderinformation sharing without this
law to like to clearlyarticulate no you can talk about
this kind of informationwithout fear of of Right.
Michael (04:05):
So I think that's part of it.
And I think it's also fear ofprosecution for a number of
other reasons, right?
Because as you are sharinginformation about things that
might be proprietary, you mightbe worried about discovery of
that information in court.
So this provides kind of alegal shield to companies that
are acting in good faith toshare information, to allow them
to do that, to tell thegovernment, here's what's going
(04:27):
on, and to collaborate with eachother on things that have
become really popular, which arecalled information sharing and
analysis.
So this
Zac (04:40):
reminds me of what I talk to my kids when they have done
something that they don't wantme to find out about.
I tell them, it is better foryou to tell me what happened
than for you to try to hide itand me to find out later.
And so this is basically likea, you know, global corporation
technological version of that oflike, we just want to make it
(05:00):
this is a safe space for you totell us something went wrong,
and we will help you.
And we'll deal with what weneed to do afterward.
Is that kind of the gist
Michael (05:09):
of it?
It's a big piece of it.
Yeah.
And it's a safe harbor, right?
It allows organizations toshare this information without
being worried about getting introuble.
And the other important pieceto this is that while the
federal government has a lot ofcontrol in a lot of places, the
internet is mostly owned and runby private institutions.
And so they have way moreinformation about most of the
things going on online than thefederal government does.
(05:31):
And so this allows them toshare that information to be
able to do that collectivedefense work.
Zac (05:36):
Fantastic.
That is what got us curiousabout all this.
Michael (05:40):
One last thing I should say about this is that
literally no one is againstthis.
This is a law that literallyeveryone agrees that at least
this thing should bereauthorized.
There are people who think weshould tweak it in this way or
tweak it in that way, but no onethinks this information should
not be shared.
Everybody who lives in theworld of defending, whether
you're at the federal governmentor in states or in private
(06:02):
companies, everybody Right.
And
Zac (06:06):
what we are seeing is that Congress, not unlike every
student I ever taught, iscontinuing to wait to do its
homework until the night beforeit's due.
And so there are Congresspeople who are saying, you know
what, we will tweak it later.
Right now, we just have to getthe thing reauthorized.
And other people are saying,no, no, let's tweak it now.
And they're saying, no, no, weneed a continuity of coverage
(06:27):
here.
So that's fun.
It's just people's information.
It's not Not like it'svaluable.
Okay, so here's a question foryou.
And we're going to start realbroad.
Cybersecurity.
Why does cybersecurity matterto school districts?
And I know that that may seemsilly to some people who work in
(06:48):
this sector, but I think that,you know, on its face,
cybersecurity is apparent.
Like, I don't care if they seemy kids' essays.
Some people might, but like,why does this matter?
Michael (06:58):
So I would say it's not a silly question, actually.
It's one of the main challengesthat I think we as education
systems and also more broadlycompanies have is this tends to
be thought of as a technicalnerdy thing that only technical
people can understand.
But actually, this is a lotlike other kinds of risk.
Cybersecurity is aboutunderstanding risk and then
(07:20):
managing risk, right?
And it's the same withfinancial risk.
You don't want just anyone tohave access to your finances.
You don't want anyone to beable to make any choices with
your finances.
That's why we have people incharge of finances in every
institution, making sure theright things are happening, and
then we audit it to make surethere's not fraud and other
things like that.
Cybersecurity is similar.
So the kinds of risks that weworry about in schools, I'd say,
(07:42):
are two or three differenttypes.
So the first kind of risk, Ithink, is that schools actually
won't be able to open, right?
So that's one kind of risk thatcomes with cybersecurity.
Stephanie (07:52):
Can I pause you there?
What do you mean?
Why would schools not be ableto open?
Michael (07:55):
In the last five years or so, there's been a rash of
ransomware attacks.
And so at its most basic level,this is when a bad guy gets
control of a school district'snetwork and can shut that
network down.
So basically, you wouldn't beable to do a number of things
that could include you wouldn'thave any internet in the school
building, which means you oftenwouldn't have phones or other
(08:16):
systems that are connected tothe internet.
It might shut down your abilityto do lunch service or school
buses or things like that.
And no school district can openif you can't do those things.
And so if one of the concernswe have is ransomware being able
to stop schools from operating,that becomes a really big
challenge.
So I say that That's the numberone concern is when a school
shuts down, it means thatparents can't go to work.
(08:38):
Kids aren't getting theservices they need.
And it really stops a wholetown or city from functioning.
You've disrupted the
Zac (08:44):
economy.
Exactly.
Right.
Let alone the kids not beingable to get the learning.
Like the ripple effect there ispretty huge.
I'm also thinking about, youknow, there are a lot of
computer operated securitysystems in schools, too.
Right.
So being able to lock the doorsor open the doors, just that
piece could could keep a schoolfrom being able to feel
Michael (09:08):
like they can open.
(09:33):
There's tons of informationabout their learning, including
if they have an individualizededucation plan for special
education, and a lot of reallysensitive data on health and
learning.
And that data should stayprivate.
So that's one really importantpiece of the puzzle as well as
the privacy of that data.
And that's really whatcybersecurity is
Zac (09:55):
about too.
Getting access to data that wedon't want people to have in
general, right?
Like things that should beprivate that maybe we don't
always think about.
Oh, a school district has thaton file.
Our social security numbersbeing one of the pieces.
Michael (10:18):
And then I would say there's one more thing and then
I can tie them all together.
The third way that we'reworried about cybersecurity is
what we call business emailcompromise, but that's really a
fancy name for fraud, right?
This is essentially when youconvince someone to give you
information about like a routingnumber, or you convince them to
pay the wrong person.
And we've seen school districtslose millions and millions of
(10:39):
dollars, which is a huge impactin terms of like, I don't know,
maybe a teacher, right?
Like you can't pay a certainnumber of teachers if you lose
millions of dollars, right?
And so we have challenges withthat combination of ransomware,
the fear of shutting downschools, which has happened in
many school districts.
We have data breaches, right?
So the confidential data thatwe don't want going out into the
(10:59):
world.
And Well, that all soundshorrible.
So cybersecurity
Zac (11:29):
is important to school districts.
You have cleared up A lot ofmisconceptions about
cybersecurity in education.
Is there anything else thatpeople, we muggles, don't know
about that you're like, I wishfamilies knew this.
I wish the regular people knewthis.
I wish educators knew this.
(11:50):
And maybe you've covered thosethree with the height of things
that frustrate you.
Michael (11:56):
I would say there are a couple of things that are
important that I wish morepeople understood.
One is that most schooldistricts in the country are
relying on a few key vendors tomake sure that schools can open
every day.
Those are your vendors forthings like a student
information system that holdsall of that really important
student data, your bus routingsystems that make sure kids get
(12:18):
safely to school, your foodservice systems that make sure
kids get warm lunches every dayat school.
And those systems are notthings that districts are
creating themselves, right?
They all rely on two or threevendors.
So there's a lot of risk andconcentrated risk.
And so even if you as a schooldistrict are doing everything
right for the things that are onyour school district network,
(12:40):
all the computers that you have,the wireless that you run, all
of those things, and you avoidthings like ransomware, there
are huge risks out there fromthese what we call third
parties, these otherorganizations that hold all of
this really importantinformation.
And what we saw in January whenI was at the department still
was the biggest cyber incidentever in the United States, which
(13:01):
was the Power School databreach.
And so this was a situationwhere you had one company that
is in charge of the studentinformation systems for 4,000
school districts.
This is a third of the country.
And so that vendor gotattacked.
Someone was able to log in witha username and a password, and
there wasn't any more protectionon that system.
(13:23):
And from there, the bad guy,who was actually a 19-year-old
student from Massachusetts, wasable to log in and steal the
data of 60 million students and10 Right.
And the school districts inthat context had no control over
what was happening becausethat's all managed by that third
party company.
You could imagine if you're aperson at home that this is like
(13:44):
if Google were hacked.
Right.
You have no control over Googlesecurity systems.
You only control your usernameand password for the system.
Right.
And so I'm not this wasn'tactually Google.
This was PowerSchool.
But it's a similar kind ofchallenge.
And so that's one of thosethings that I think we should
really understand is that.
School districts rely a lot onthese third parties.
(14:06):
And so when these incidentshappen, people get frustrated
and might say, oh, the districtdid this thing wrong.
But in this case, it wasn't thedistrict.
It was actually a vendor thatthe district and every other
district relies on.
So that's a really bigchallenge.
Zac (14:19):
And I will say, and all three of us have worked at the
district level, and we haveprobably been a part of the
procurement, like the buying andcontracting process.
And there are lots of legalprotections that districts put
in place that require companiesto show that they have done you
know as much as required as theycan require to keep those those
(14:41):
data safe right so people arewith power school because power
school is very big and and theydo these things but they're also
with power school becauseeveryone has agreed that these
are the the protections thatwill be put in place we're just
also living in a landscape wherethieves and attackers are just
constantly getting better umthank goodness i watched the
(15:03):
movie hackers when I was a kidand sneakers.
So that I, I maybe, maybe I'mnot a muggle.
Like I've seen Angelina Joliehack into a computer.
I've seen Dan Aykroyd.
You've
Stephanie (15:17):
seen oceans eight.
You've seen Rihanna do it.
You know, that's true.
Yeah.
Zac (15:21):
For Phoenix.
Like, okay, nevermind.
I know everything aboutcybersecurity.
Stephanie (15:25):
We know everything we need to know.
Right.
We're experts.
Yeah.
Zac (15:29):
Also, I know the cheat codes for many NES games.
So, maybe I'm a hacker.
Michael (15:34):
And that is absolutely hacking too.
And I think, you know, all youreally need is a black hoodie
and intense look on your faceand staring at your keyboard
screen or staring at yourkeyboard and being able to say,
I'm in.
And then you're good.
I think that's nice.
Stephanie (15:46):
Sweet.
Okay.
So with the rise of remotelearning and new technologies
like AI, how has that changed,you know, the cybersecurity
challenges for schools?
Michael (15:56):
I think I would answer that kind of in one basic way,
right?
So when we think aboutcybersecurity, we're thinking
about managing risk, right?
And when we think about whatremote learning did, it meant
that we needed a lot moredevices.
So every student could havedevices.
We had a lot more internetaccess, including at school and
at home.
And we had people accessing newsystems in ways they never had
(16:19):
before.
And so that adds risk in awhole bunch of different areas,
right?
Because now you're trying toaddress so many more devices, so
many more systems, and so manydifferent ways of connecting
that sometimes the schooldistrict does not have total
access over, right?
And And so that's one of thosebig things that, you know,
there's a fancy name we callattack surface, which is
essentially just like what isavailable for the bad guy to
(16:41):
attack.
And so what happened is weexpanded the attack surface
quite a lot, right?
Because we have way more thingsto protect.
We have a bigger footprint.
Exactly.
Exactly.
And with AI, I'd say the otherthing, I mean, there are so many
ways that AI can be impactfulhere.
We would be in trouble if wedidn't talk about AI somewhere
in this conversation.
But the thing that I think ismost interesting with respect to
(17:01):
AI on the offensive side isthat for the bad guys, now if
you get a giant data breach, youcan now dump that information
into a large language model orsomething like that and now have
it match up.
Who are these people?
Do some research online.
How do I get in touch withthem?
How do I find this stuff?
And so it will allow you tomuch more rapidly take data that
(17:22):
has gone out the door and useit for nefarious purposes.
So I think it makes thereconnaissance and the ability
to use and exploit that datamuch faster.
But hopefully on the defenderside, over time, AI will also
allow us to patch things morequickly or find vulnerabilities
that are in the systems and dealwith them quickly, right?
(17:42):
So I think there's, anytime yousee kind of technology move
forward, oftentimes you'll seefirst an advantage for the
attacker because the defendersaren't ready yet and the
attackers can use these thingsto exploit.
And then you start to see thedefenders catch up and
eventually have an advantagebecause the technology overall
will allow them to defend thenetwork more effectively.
Zac (18:02):
Well, this is all terrifying
Stephanie (18:05):
yeah but you know what there's got to be like a
way that we can as as parents orcaregivers kind of like be a
little bit more aware of what itis you know that that that we
can do or that our schools ordistricts are doing right like
we've talked about why schoolcyber security is important to
families and caregivers you knowjust from a from a personal
(18:29):
identifiable information leakyou know like where you live
what your kids social securitynumbers are their medical
information who's allowed topick your kids up you know like
all all that good stuff but whatwhat questions can we ask of
our schools cyber securitypolicies or practices like
they're i feel like beinginformed is a good thing yes
Zac (18:54):
premise of podcast
Michael (18:57):
overall for anyone doing stuff for their own their
own cyber security or forothers.
There's one thing likemulti-factor authentication,
right?
So this is like when you aregoing to log into an account,
you're probably familiar withthis in your bank.
Once you put in your usernameand password, you're not in and
good to go.
You either have to receive atext message or use an app on
(19:19):
your phone, or even in thefanciest versions of this, you
have a little thing you pluginto your computer that says,
hey, this is me.
And that really stops a lot ofcyber attacks, right?
Because you can't just get inwith a username and password you
need another thing that islikely on a phone of the person
that you don't have access to.
And so for the systems that wethink about in our schools, one
(19:40):
of the most important questionswe can ask is, are we using
multi-factor authentication inthese systems, right?
Because that will stop a lot ofthe breaches from happening.
And so that's really important.
I think another way thatfamilies can be involved is to
understand how are you teachingstudents about cybersecurity and
(20:00):
how are you teaching teachersabout cybersecurity?
Right.
Because we hope that schooldistricts are doing some kind of
digital citizenship or otherkind of program that's helping
kids understand this is what itmeans to use technology.
Well, these are the risks andalso helping teachers to
understand, wow, you have a lotof data that you have access to.
Do you understand how we'remanaging that risk and how not
(20:22):
to put students data in placesthat it shouldn't be and things
like that?
So I think those are a coupleof things that families can do
to better understand how schooldistricts are doing.
Zac (20:31):
You've got a kid.
Michael (20:32):
I do.
Zac (20:33):
Your kid goes to school.
Michael (20:36):
She does.
Zac (20:37):
So what are the questions you, what do you know about your
kid's school?
Michael (20:40):
So one, in terms of the school district, I knew right
away what are the technologiesthat they're using.
So I can be keeping track ofwhether there's an incident or
whether there are issuesinvolved, right?
So for me, that was like just amajor part of my job because
like I was working incybersecurity in schools.
So I was already thinking aboutthat topic.
But I would say with respect tomy daughter specifically, She
(21:03):
is someone who is incrediblycurious.
And so from a really young age,we have talked about what does
it mean for something to beprivate to you?
And what are things you feelcomfortable sharing, right?
And how do we decide whether wewant to share something or not,
right?
So I think a lot of thesethings can be in much more basic
concepts than the technologicalones that we often use.
(21:24):
A lot of this stuff is justnormal, kind of good parenting
practice.
And then when it does come tothe technology, you know, her
iPad has a passcode.
We talk about why we use apasscode.
And so just getting used tothose kinds of things, I think
is a good and normal part ofkind of growing up with the
internet, right?
Especially for kids today thathave devices all the time.
(21:44):
And so I think from thecybersecurity side, that's one
thing.
Then there's a cyber safetyside, which is kind of
different, which also is superimportant.
Zac (21:52):
My kids are flummoxed that I will not tell them the
passcode to my phone.
And they will say, you know,what secrets do you hide on
there?
All of them.
(22:13):
Our parents never had to talkto us about cybersecurity.
(22:35):
They should have.
I was definitely on AIM or inAOL chat rooms, Prodigy chat
rooms, pretending to be people Iwas not.
Again, I was a hacker.
See?
No, that's not what that means.
Are there books for kids thatfamilies could, for people who
are coming to this conversationnew, that just boil it down to
(22:56):
what you're talking about?
Or does it just have to beworded like, oh, I listened to
this podcast and they weretalking about this?
Is that
Michael (23:07):
how we're going to get this done?
This is a huge cultural shift.
(23:30):
One thing I will recommend ismy favorite book, honestly, on
this topic, which is not reallyfor kids, but it could be, is
called How the Internet ReallyWorks.
I
Zac (23:40):
love that book so much.
Stephanie (23:43):
And it's amazing.
How have I never heard aboutit?
Michael (23:45):
It is the best book.
And it has basically picturesof and like there's a little cat
and the cat is like navigatingthe space.
So it's like incredibledrawings, but it's super, super
well done by like professionals.
And I learned a ton from it aswell.
So that's like one thing Iwould recommend to all the
parents out there because mostpeople don't really understand
(24:06):
how the internet works.
It's really complicated.
And so that one's superhelpful.
And the more I think about it,Zac, and the more I think about
my child growing up and the moreI think about raising...
like an amazing kid has so muchto do with boundaries,
relationships.
So all the things that we thinkabout in the kind of physical
(24:26):
world and physical interactionsand physical safety, which is
something that unfortunately wedo have to think about a lot.
It's like, how do you help yourchild understand how to have
friendships, how to haverelationships, how to set
boundaries and keep thoseboundaries, right?
And the digital world isanother place to do that work.
And it all comes back to trustand it all comes back to your
(24:46):
ability to share things when youfeel comfortable sharing that.
And I think for me, that is themost important piece of the
puzzle.
Back to your kid's questionabout why can't I have your
login or your passcode?
It's because, well, this isprivate to me and I'll share
pieces of it with you when it'simportant and we can have a
shared place where we put that.
And there are different thingsthat I'm always happy to share
(25:07):
with you, but just like you havea journal in your room that I
wouldn't go and read, this is apart of our world that allows
you to see so many differentthings, track your location,
take pictures, do all differentkinds of things.
And so being able to setboundaries on what's private and
what's not and who can haveaccess is just a part of living
in a democracy.
It's part of living and growingin a place where we can think
(25:29):
our own thoughts and become fullpeople.
Zac (25:31):
This hits me in the place where the conversations around
digital literacy and AI literacyand all these, there's a new
literacy.
And if you look at those, yourealize, oh man, if we just did
literacy right, which we have Iwas
Stephanie (25:47):
going
Zac (25:50):
to say, we don't.
They were doing what theywanted to, how to set those
(26:18):
boundaries.
Then an online piece.
I think the difference thatstrikes me, and I see it in our
own home, is the lack of aphysical embodiment with the
other, right?
So in online spaces, the avatarI'm facing in Fortnite isn't
real.
And so the people who arecontrolling those characters in
(26:41):
Fortnite must not be realeither, right?
I know they are, but they don'tseem that way.
So it's much easier for me togive myself stuff my information
to them so the cyber securitykind of breaks down there like
whereas if a stranger came up tome and said to my kid and was
like where are you what's youraddress when were you born those
kinds of things they wouldn'tthey would be like no way weirdo
um but that the the kind ofonline aspect of it i think
(27:05):
makes it a differentconversation there's a there's
an added level of complexity
Michael (27:09):
absolutely and i think in that case zach one of the
best things we can do as parentsand as adults is to help
children children see theconnection between what we would
do and expect in a real worldphysical setting, and how that
relates to this online setting,right?
What you just did there ofdescribing, I would never do
this in this context.
Why would I do it here?
(27:30):
Just letting kids come to thatexperience of like, even role
playing with them, right?
Like, I'm a stranger, I'm gonnacome up to you and ask you for
the stuff, right?
Like, I think there are waysthat kids would one, find that
fun and silly.
And two, it would make clearlike, oh, in my head, when
someone starts asking me forthis stuff, even though I can't
see their face, this is creepyor like this is not appropriate.
Sorry.
(27:50):
I always take us tocybersecurity kind of
necessarily takes you to a badplace, but hopefully we're going
with positive versions of likewhat we can do from the bad
place.
Zac (27:57):
Absolutely.
Stephanie (27:58):
Okay.
So, so what are the top threethings you would say all student
facing educators need to knowand do to improve cybersecurity?
Michael (28:09):
So I think in general, and this is my own frustration
in the world, having been aneducator and also having been an
it director, and then havingworked in federal policy.
We're asking school districtsevery day to defend themselves
from transnational criminalgangs.
We don't ask towns to do that
Zac (28:27):
with
Michael (28:27):
physical security, right?
Like we don't ask a localpolice force to like defend
themselves against an invadingarmy, right?
And so what we're doing is likewe are pushing down onto
under-resourced organizationsthe expectation that they defend
themselves against reallychallenging threats.
And so I think like At a highlevel, what I would hope is that
(28:48):
we understand there's a rolefor the federal government to
both resource, provide thenecessary resources to help
people defend themselves at thestate and local level, and also
do the protecting as well.
And then for the statedepartments of education and
state agencies, which many ofthem do, to provide many of the
resources that school districtswould need, because many of our
school districts are very small,like a 600-student school
(29:11):
district where thesuperintendent drives the bus
and fixes printers on theweekend is not well positioned
to defend themselves againstreally challenging cybersecurity
threats.
But I think school districtsshould be able to, number one,
make sure that multi-factorauthentication, so that other
thing than just a username andpassword, is turned on on as
many systems as possible for asmany people as possible.
(29:33):
Not necessarily for kidsbecause that gets really
complicated, but if you hack akid's account, for the most
part, you can't shut down aschool district.
You can get their information,that's not great, but I think
from a risk perspective,multi-factor authentication on
as many systems as possible,certainly for administrators,
certainly for teachers.
The second thing, make surethat anything that you have in
your district that touches theinternet is patched, right?
(29:55):
Patching first.
We're updating by that.
Sorry.
So every system...
has defects in it and we findthose defects over time and
that's when you have to likeupdate your iphone so that it
like gets its newest version gotit right and so it has a
security flaw you just like turnit off turn it back on again
for an iphone and then boom it'supdated right um similar for
(30:17):
technology in school districtsand anything that touches the
internet like outside yourdistrict can be seen by bad guys
and if there's a vulnerabilityor a bad thing in the software
or a bug they can get into yoursystem so patching is number two
so multi And I think the thirdthing is user education, right?
(30:37):
So how are we helping teachersand students understand what the
threats look like?
This is what a phishing emaillooks like.
This is what happens when youclick on a link or download
something you shouldn't, right?
So those are the three things Ithink every school district
should really be responsiblefor, right?
Because that's stuff that theycontrol directly.
For teachers, I would say thethings you should be most
concerned about are one, does myschool district know I'm using
(30:59):
the thing that I'm using?
So that's
Stephanie (31:00):
actually- Quite an
Michael (31:03):
important question.
And respectfully, having beenboth a teacher and an IT
director, I'm not saying youshould never use things that are
not authorized by your schooldistrict.
I don't want to be the personsaying that necessarily.
But it's hard to manage therisk of the technology we're
using if you are just signing upfor a random thing, we don't
know what it is, and thenputting student data into that
(31:24):
thing.
So there is a tension there.
We as teachers really want todo the right thing, educate our
students, get them the newestand most interesting thing.
But we need to balance thatwith the risk of putting
sensitive student data intothose systems, right?
So I feel like that's one thingto really consider.
Another thing to consider is,do you know what to do when
(31:44):
something bad happens on theinternet in your school, right?
So do you know who to contactin IT?
Do you know how to helpescalate something if you see
something bad happening, right?
I think in the same way that wedo fire drills for our physical
security in buildings everyyear We should be doing cyber
fire drills, right?
Everybody should know what ismy role.
(32:06):
If I see something badhappening with the technology in
my school, how do I bring it tothe right person to get that
problem solved?
So I think the third thing thatteachers should be thinking
about or asking is how can theymake cybersecurity work?
real and meaningful to theirstudents?
How can they help themunderstand what it means to be
learning online together?
And I think that doesn't needto be super technical.
(32:28):
That's just helping them tounderstand when we're engaging
physically, like sitting in ourclassroom here and having a
conversation, this is how weinteract.
And when we're online, we needto think about how we're
interacting, what we're sharing,right?
So there's that context ofbeing able to help students find
their way into society andpractice democracy using the
technology.
Zac (32:47):
This makes me think, and I've seen these exercises done
with And I think it would bereally interesting, especially
in like a high school classroomthat hasn't instituted some
draconian cell phone ban to say,all right, just saying, all
right, I want everybody tounlock their phone and pass it
to the person two seats down.
Don't actually have them dothat.
(33:08):
But just imagine the responsethat would happen in that
classroom, because I think thatgets you to the place of, all
right, that's why cybersecurityis important.
The things you were justworried about is why
cybersecurity is important.
And all your phone is guardedby is, you know, a picture of
(33:28):
your face or your thumbprint orsome alphanumeric code.
But those conversations are nothard to have.
And I love the point you madeearlier about how do we start to
have conversations aboutprivacy in general with younger
kids so that by the time thingsget more complex and we're
talking about cyber relatedprivacy, they have some sort of
(33:49):
foundational premise there?
Michael (33:51):
Our society tends to take a very punitive approach to
people tinkering and tryingthings, especially with
technology.
And hacking can be for good.
And because that's the case,the earlier we can see students
trying and testing thoseboundaries and direct them
towards positive ways to channelthat, the less likely they will
be to get into a situationwhere the FBI shows up at their
(34:12):
door because they've been goingto a place they shouldn't and
hacking at things.
Which is just
Zac (34:17):
the same as all psychological development that
we know about boundary pushing.
So this continues that like ifyou do it right in the physical
non-digital world, your chancesof mitigating risk in the
digital world are
Michael (34:30):
great.
And the thing I'll say aboutthis specifically is that there
is a group, I mentioned thehacker who was 19 years old who
got into the power school,right?
The biggest kind of like breachwe've ever had.
There's a group that are likejokingly called AP teams, like
advanced persistent threats, butthey're teenagers that are
really good at this, that aremostly actually English speaking
(34:50):
based in the US and the UK thatare doing what's called social
engineering, right?
This is like phishing.
This is convincing people togive you information that they
shouldn't give you so you canget into their system.
And so they're not even reallyhacking so much as like
gathering information and thenusing it to do the kinds of
things that other hackers woulddo.
And this is like groups ofteenagers that are loosely
(35:13):
associated online.
So the more we can help kidssteer away from that version of
this world and steer towardsusing those powers for good, to
help secure systems and protecttheir families and protect their
communities, I think we can bemoving in a much more positive
direction.
And there are some countrieslike the Netherlands that
actually have programs that arealternatives to incarceration
(35:33):
for these kinds of situations,where for a first offense for
this kind of thing, you thenhave the opportunity to get
mentorship and learn from peopleand change directions on this,
rather than going down the kindof cyber crime route.
So I think there's some reallyinteresting opportunities there
in terms of the All right,
Zac (35:53):
last question.
Does these things.
(36:20):
Maybe I might too.
I think I know what the otherone is going to be, but you go
ahead and I know what the nextone's going to be, but tell me
and I'll tell you if I wasright.
Michael (36:28):
Yeah.
I assume you're going to knowwhat my next one is.
So I use a password manager.
So I use one password, which isa password manager, but a
password manager in its mostbasic terms is a really
effective place that you keepall of your passwords and it is
really well protected and youhave one password that that
(36:50):
opens the vault that has allyour other passwords in it.
And you have this live in yourbrowser on your computer.
And then it will, as you createyour passwords, auto-fill them
for you when you go to log in toother websites.
And it creates complexpasswords for you.
Because the problem that thisis solving for is that the
number one way that people gethacked is through valid
(37:12):
usernames and passwords thathave been reused or that have
shown up in a data breach.
And all of us, all of our datahas shown up in data breaches,
including user names andpasswords people tend to use the
same password across many manyaccounts and it's impossible to
remember complex passwords forall of your accounts it's just
not what we were made to do aspeople right that's not how our
brains are structured and so weneed technology to help us with
(37:34):
that and that's what a passwordmanager does is it's a secure
place to keep all of your usernames and passwords including
other things that are helpfulyou can keep identity documents
in there and other things likethat so when you're on this
travel website it'll just autofill it for you from a secure
place, and it'll generate arandom password for you.
So that's my number one tipwould be use a password manager,
(37:56):
but don't overwhelm yourself bydoing it for everything at
once.
Get it.
Start with just your email andyour banking information, the
stuff that would be mostvulnerable, and then go from
there.
As you go to log into otherthings, then change those
passwords too.
But it can feel overwhelming.
So to start with one or tworeally important ones is a good
place to start.
Zac (38:17):
And you're talking about 1Password.
Is this similar to what I knowChrome...
And like Google offers asimilar password manager.
I know Apple products offer asimilar password manager.
Are those the same thing ornot?
So
Michael (38:31):
those are different.
And again, that is way betterthan using the same password
everywhere.
So if that is a good first stepfor you, definitely feel free
to use the kind of passwordthat's kind of in the browser
through Google or through Apple.
But ideally, having a separatepassword manager is something
that provides you another layerof security because there are
(38:53):
hacks at this point that areable to pull passwords from
browsers, depending on theextensions you have in them and
stuff like that.
But I would say, again, that'sbetter than having the same
password everywhere.
The other thing I'll say interms of cyber hygiene for me is
on both my Apple device and onmy Google account, I have set up
what's called advancedprotection.
(39:13):
And so for Google, what thatis, you go into your Google
accounts, you go into thesecurity settings, you'll need
something called a YubiKey orlike a physical token.
And I I would buy a couple ofthem.
And what this does is it makesit much more secure for your
Google account.
People can't just reset yourpasswords.
They can't get into youraccount as easily.
There are a lot of advancedfeatures that will protect your
(39:34):
account against hackers andthings like that.
For me, that's an importantthing because I've been in
environments where it'simportant for me to have
something like that.
But I think it's a goodpractice for everybody.
And on your iPhone, there'ssomething similar for iCloud.
If you turn on iCloud advancedprotection, especially if you're
political world that we live inand now and everything.
(39:54):
When you do those things, itdoes what's called end-to-end
encrypt them.
So what it does is it makes thedata that's on that device and
in your iCloud inaccessible toanyone except you.
And so it's locking thosethings down in a much more
secure way.
And it's turning off featuresthat are often used by hackers
to get into those devices.
That said, the most importantthing you can do for your
(40:16):
computer, for Chrome, foranything else is just update,
right?
Anytime you see an update thingpop up, Do it or if possible,
just turn on auto updatesbecause no one wants to remember
that stuff.
And so the more you can justhave things happen automatically
for security, the better.
For your iPhone, it's literallyturn it off and turn it on
again and you're good.
Zac (40:35):
Michael Klein, you have been very helpful.
Well, let me say this.
We've had a number of episodeswhere we talk to very smart
people such as yourself and askthem questions.
And there's a lot of like, oh,the world is burning.
And I thought this was going tobe one of them.
Stephanie, I don't know aboutyou, but I don't.
It's like more of like theworld could catch on fire, but I
(41:01):
feel like we've got some reallygood practical stuff that folks
can do
Stephanie (41:05):
to kind of tamp out those flames.
Yeah.
Yeah.
Michael (41:09):
Absolutely.
Rather than assuming we cankeep all the bad stuff out, we
have to be resilient against thethings that we know are going
to happen.
We have to assume that thesethings are going to get through.
We're going to have theseissues and we need to know like
when that happens, what's ourresponsibility?
right
Zac (41:24):
thank you michael
Stephanie (41:24):
thank you
Michael (41:26):
thank you
Stephanie (41:32):
Thank you so much for joining us today on this
episode of AcademicDistinctions.
We promised you a good time andwe hope we delivered.
And until our next episodedrops, be sure to follow us on
Instagram atacademicdistinctionspod.
Find us on Blue Sky atfixingschools or find us on
Facebook.
As always, this is your call toaction to share the podcast,
like us and subscribe.
You can find us online atacademicdistinctions.com.
(41:54):
Have a question for the pod ora topic you'd like us to dig
into?
Email us at mail atacademicdistinctions.com.
Until next week, friends.
This podcast is underwritten bythe Federation of American
Scientists.
Find out more at fas.org.
Popular Podcasts
NFL Daily with Gregg Rosenthal
Gregg Rosenthal and a rotating crew of elite NFL Media co-hosts, including Patrick Claybon, Colleen Wolfe, Steve Wyche, Nick Shook and Jourdan Rodrigue of The Athletic get you caught up daily on all the NFL news and analysis you need to be smarter and funnier than your friends.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com