Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
On this week's episode of the K-12 Tech Talk podcast, we talk about the latest AI-powered
(00:04):
security risks, including deepfake video scams, and what K-12 districts can do to prepare
for the next generation of cyberattacks.
Thanks for listening.
From the NTP studios, this is the K-12 Tech Talk podcast.
This is episode 259, first full week of April, I guess, and it is full-on testing season
(00:28):
here in Missouri.
This is Josh.
Here in Missouri with me is Chris.
Hello, Chris.
What's up?
And Mark.
Hello, Mark.
Hello.
Chris, have you guys started testing?
Yeah, I think it was today at one of our elementaries was the first small group, like one class.
We do ACT tomorrow, and then we start full-on state assessment next week.
(00:53):
It's always silliness.
Isn't testing season just like year-round now?
Not for the state assessment.
Not for state assessments, but every district's got their own online assessments, and so it
just feels like you start the year testing, you end the year testing, middle of the year
testing.
The need is high.
(01:13):
Yeah.
Did you do paper ACT, or do you do online ACT now, Josh?
We've done, where all of the juniors take it, we've done online for the last three years,
four years.
Okay.
And then the one that we can give on the weekend, I think we still give that paper, because
there's too many X factors there, like people bringing their own devices in and having a
(01:37):
Wi-Fi that they can connect to.
Yeah, I think next year or something, we have signed up to do something more that is online
now.
Yeah.
Because I said it can be fine as long as tech department is in the loop.
Right.
Well, there was drama today because one of my teachers was actually reading the administration
(02:01):
manual for the state assessment, and the name of the app, they write out all of the language
for the teachers to literally read so they don't have to think about what to say, and
the language says, launch app blah, blah, blah, blah, blah.
That's not the right name of the app.
When you go to the app tray on the Chromebook and you look for the apps, the name of the
(02:25):
app for the state assessment does not match the name of the app that the manual tells
the teacher to say.
It's wonderful.
Yeah.
It's wonderful.
So I called support, and they're like, yeah, we did that so that the student doesn't get
confused and log into the portal.
I said, do students have access to the portal?
Well, no.
I said, so you're only confusing the teachers.
(02:46):
Yeah, well, whatever.
They're not going to take my suggestion seriously.
So testing season is here.
Yeah.
Yes, it is.
Mark, did you guys, were your state assessments in the spring, or was it year round?
Because Missouri, they're talking about changing it to ongoing instead of one big final assessment
(03:09):
at the end of the year.
We had March and then April, May.
So the March was like the ELA assessments were done then, and then April, May was math
and science.
Interesting.
All right.
Well, before we get into the news, Chris, do you need to hit a sponsor?
Oh, I do.
PowerGistics hanging out with us for several episodes.
(03:30):
I'm going to put several links into the podcast description of different presentations they've
done.
They have some great charging stations, so check out PowerGistics.
And for the month of April on CatoTek Pro, Hayden's Hot Deal has some discounted PowerGistics
charging stations.
You can get signed up now.
You don't have to pay anything until your July 1 budget kicks in.
(03:51):
So check out PowerGistics, those links, and then go to CatoTek Pro if you want a hot deal
from Hayden.
So Mark has scoured the web and curated a couple top stories for us.
Mark, what do you got?
We have a state that's about to enact or is voting on a bill to enact the most restrictive
cell phone social media ban in the country, the state of Massachusetts.
(04:18):
I am super excited about this one.
The Massachusetts Senate had passed a cell phone ban for schools.
No big surprises there.
It was just about making sure that schools establish a policy to ban cell phones.
Well, the House just said, no, we need to go a little bit farther on this one.
They just said anybody under the age of 14, total ban on social media.
(04:41):
And then ages 14 and 15 can be permitted with explicit parental consent.
So this is like taking the KOSMA, the Kids Off Social Media Act, and actually moving
it up a step in enacting it at the state level.
So I'll be very interested to see if this one goes through and what the reaction is.
But I am, you know me.
I'm pretty much against social media for youth, and I think this is a great one to see.
(05:05):
So expanding on the existing social media ban and going as far as personal use on social
media.
Love it.
All right.
Let's get into the main topics here.
So the Trump administration has come out with their proposed budget, and in that, the latest
news this week is around some pretty major cuts to the CISA, the Cybersecurity and Infrastructure
(05:25):
Security Agency, with a budget reduction of about $700 million.
A lot of that reduction is just vacant positions.
But they are looking to move some pretty significant programs, $45.5 million for the Cyber Defense
Education and Training Program.
They're basically just going to push people to free foundational cybersecurity programs
that are already out there.
(05:48):
And then a decrease in about $43 million for federal school safety programs.
And so their goal here is to move that down to the state's level.
It'll be very interesting to see how states respond to this one.
I understand that this is kind of a major goal of the Trump administration, is to push
more down to the state level.
But I think the initial response from states is, sounds great, where is our funding in
(06:11):
order to do this work?
And are states going to be able to pick this one up and make sure that schools are supported
both for physical and cybersecurity?
So I'll be interested to see if this goes through and to see if the states are able
to pick this one up and run with it, or if it just kind of falls to the wayside.
Yeah.
(06:31):
This is where we're supposed to not be political, right?
Yes, Josh.
Okay.
Yes, Josh.
We should move on, Mark.
Well, okay.
We can still tackle this problem without being political.
This is a reduction of service from the federal government.
(06:51):
Obviously there's going to be a lot of people who have strong feelings about that one in
one way or the other.
Does this go down to the state level?
If so, are states going to be able to pick up with it and run with it and give school
districts more local support than they're currently getting?
Here's my problem.
There are 50 or 53 different versions of state implemented cybersecurity programs and agencies.
(07:16):
At varying ages of maturity, we'll say, expecting to give all of those entities a check and
say, enhance things, does nothing ... I don't know.
I think you still have to have that central guiding light.
(07:40):
If there's one thing that I have come to realize over the last year and a half of being more
involved than maybe I should be, states don't trust the feds and information sharing and
listening to guidance.
Locals don't necessarily trust the state.
Hell, state agencies don't trust other state agencies.
(08:02):
I don't know how they perceive this is going to work.
I don't know.
Maybe I'm jaded.
Well, and a big part of what you just said was giving states a check.
Well, that's not in the plan.
There is no plan to give states the funding.
It's just expected that this functionality will roll down to the states and they'll have
to figure out how to fund it.
Then it's not going to happen.
(08:22):
It's no different than in K-12 with an unfunded mandate.
You pass these rules, but then you don't have a funding mechanism to implement these rules.
That's like this screen monitoring thing that's likely to pass in Missouri.
Okay, you have to come up with a plan on how you're going to track how much time kids are
spending on screens.
Okay, great.
With what money and what tools?
Not going to happen.
Yeah.
(08:44):
Yeah, this, like, you kind of touched on it.
I think you said the age or something.
Maturity.
Yeah.
Some states will have more skillful people or knowledgeable people or wise people that
can do some of these things than other states.
So I mean, you can boil it down to the whole thing that schools deal with.
(09:06):
The rural school that's in the middle of nowhere, they have a hard time getting a Spanish teacher
because they're out in the middle of the forest or whatever you want to say.
So you can absolutely scale that over to cybersecurity stuff and I'm reading bombing prevention and
just the school safety stuff in general.
A lot of states just aren't going to have that capability to pull in people and resources
(09:29):
to do those things.
That's the bummer, I think, that we're touching on too with this.
Yeah.
I think if done correctly, I do think that school districts and municipalities will listen
to a local more than they would somebody from the feds and somebody from the, you know,
from many, many states away.
So I think if done right, I think that school districts can benefit from stronger infrastructure
(09:53):
and stronger support at the state level.
I just have a hard time seeing that that support, that funding is not part of this.
It's just kind of pulling the rug out and expecting states to pick up the pieces.
And without the resources, as you mentioned, they're not going to.
And I did not realize that some state laws prevent state agency from telling locals what
(10:16):
to do as far as implementing stuff like this.
So there are some states that, let's say they were going to join the MS-ISAC, they cannot
tell their locals that they should join.
Like there is a law preventing the state from telling locals what to do and how to do it
in that manner.
(10:36):
So there are some instances where the state might think this is best practice and at the
state agency level, you know, Secretary of State, whatever, at the state department level,
the Department of Education, they are implementing those rules.
But they can't force locals to implement those same rules due to local control law or whatever.
(11:04):
It's not, all 50 states don't have the same method of implementation for practices and
standards like that, which I did not realize until recently.
Sounds like a New Hampshire thing.
I always want to think that I'm just not educated enough, like if there's a reason that we're
going to make these mass cuts, that what am I missing that justifies for the mass cuts?
(11:29):
You know, so I always want to learn more about, okay, what these programs actually do and
if that goes away, what is the actual impact?
I say this lightly referring back to the, like that there was the, and I say this very
lightly to those that we know that were involved in it, but like our national technology plan,
like I didn't know for a long time that we had a national plan.
(11:52):
If I was doing anything locally that was like aligning with it, I didn't know.
So I want to believe that the trickle down of what my state's initiatives were, that
those were aligning nationally and I was following it without knowing, but if you were to tell
me years ago, hey, let's cut the national tech plan, I'd be like, heck yeah, I don't
(12:14):
even know what that thing is.
Get that thing out of here.
Having seen it and read it, I can see how it's influential and how it makes sense.
Again, like you said, Josh, that there's this light kind of guiding us towards a proper
direction and proper communication.
So I want to think I'm missing something here, but I don't know that I am.
Well I think too, we're talking about cuts to CISA, cuts to MS-ISAC, this is about information
(12:37):
sharing and there's no need to have another layer, meaning the state layer in between
information sharing.
It's just going to slow things down to kind of cause different states to have different
response times.
When you have a critical alert, why not have a single information sharing center that can
disseminate information quickly to school districts and municipalities about critical
(12:59):
cyber safety issues or risks.
So yeah, it's a difficult one.
I'm very curious to see where this goes and which states are able to run with it, but
it does feel from the district level that we're getting a little bit more and more ignored
with cybersecurity.
(13:19):
There will be states that do an amazing job at this, but there will be others that struggle
dramatically.
Yeah, for sure.
All right, let's talk about EdSurge has come up with an article or has come up with an
article about which education jobs are growing the fastest and the headline or the subheading
is mostly non-classroom roles with IT being one of the bigger areas.
(13:44):
So the article sums up looking at some of the major jobs that they anticipate are going
to grow over the next 10 years.
This is not in the next year or two.
This is over the next decade.
Not surprising number one is substitute teachers, short-term substitute teachers, and you have
a lot of jobs around occupational therapists, speech pathologists.
(14:05):
Shout out speech pathologists.
Nurse practitioners, Chris.
But what's great is there's multiple jobs in the top 10 that are related to IT, including
computer information systems managers, data scientists, information security analysts,
training and development specialists, not necessarily IT related, but obviously we're
(14:28):
going to need a lot more training.
We're seeing huge growth.
We're seeing for the data scientist role, 23% anticipated growth in those jobs in the
market.
That makes total sense.
More and more districts are wrapping their heads around data science and the needs around
that one.
I'm very excited to see if this one pans out.
It will also be very interesting given that CoSN has come out with a lot of data recently
(14:52):
about job cuts as a result of the ESSER funding.
But again, this is long-term.
This is 10 years and it will be very interesting to see if this pans out.
I don't think I like that subs are the top, because typically a substitute teacher doesn't
– that doesn't mean that the kid's getting the best education.
(15:13):
Yeah.
Don't get me started.
So we're filling in some holes because there's a bunch of holes.
Yeah.
That means teachers are not on this list.
Not a good sign.
Not a good sign.
Shout out to my speech teacher in elementary school.
I couldn't say brick.
I just said britch.
But with some good speech work, she taught me my K's.
(15:37):
Next story, Mark.
Well, I was also going to say the end of the article also talks about the jobs that are
going to be reduced over the next 10 years.
Administrative support workers and office administrative support occupations.
Those are the ones that are going to be cut the most or anticipated to be reduced the
most.
(15:57):
So I always was taught when I was going to be a teacher, you have to make friends with
the school secretary the very first day.
So I don't want to see those jobs.
Cafeteria workers.
Make friends with the cafeteria workers.
Oh, no.
I was taught school secretary and then custodian.
But this data shows otherwise.
Yeah.
(16:17):
Just when AI takes over, everybody's going to be out of a job anyway.
Not us, Josh.
Well, our last article, speaking of AI, something that has just hit the headlines in the last
24 hours.
So we're all still trying to figure out what this is.
But Anthropic is excited about their newest model, Claude Mythos.
(16:38):
Yeah, this is wild.
It is so dangerous in their words that they are not going to be releasing it to the public.
And instead, they have formed a 40 company coalition called Glasswing, and they're going
to be using this to.
That sounds awesome.
Yeah, they're going to be using this to identify how this will play a role in cybersecurity
(16:59):
defense.
Apparently, this tool has found bugs and zero day exploits in almost all of the major operating
systems and tools out there.
So this coalition includes AWS, Google, Microsoft, Cisco, CrowdStrike, Palo Alto Networks.
And their goal is to use this for good before the bad guys get their hands on this.
(17:19):
So I started getting messages about this last night from listener Terry.
He was all amped up.
He had read a couple articles about it.
So let me just put this story into perspective here.
So Anthropic kind of locked Mythos into a sandbox with a couple of tools that it could
use, a couple of assets, and said, see if you could break out.
(17:43):
So they left it to its own devices for a while.
And what they quickly found is Mythos didn't just try to leverage a single vulnerability,
but it chained together multiple vulnerabilities and escaped containment.
Then it did something a little more concerning.
(18:05):
It actually reached out and got to the web.
The researcher that was in charge of this had no idea. Apparently he was having lunch.
And his phone buzzed in an email and said, Mythos got out.
And apparently now, whether or not this is accurate or not, but apparently that email
was from the AI tool itself.
(18:25):
So it actually discovered thousands of undiscovered zero-day vulnerabilities in OSs for network
switching, firewalls, operating systems for machines.
And it clearly demonstrated a real-world offensive strategy.
Like Mark said, it's been kind of shelved and put in a container.
(18:49):
But God only knows if it'll be able to be kept in that container.
This is it, boys.
Yeah, it's just like that James Bond movie.
Isn't it Mission Impossible?
Mission Impossible.
Mission Impossible.
Yeah, yeah, yeah.
Yeah, yeah, yeah.
Yeah, it's either Mission Impossible or the world's greatest marketing ploy.
(19:09):
Yeah, that too.
I was going to say Orange Bullcrap.
It's good though.
I mean, I love...
I'm muted by Mike and I just want to hear your story.
Yeah, it's pretty wild.
It'll be interesting to see where this ends up in the next...
Even if they talk about it again, what it does in the next six months.
(19:30):
Could be just marketing, but the vibe of companies actually coming together to work on it adds
some validity to...
Even if it's this beginning root thing of, hey, we think we've figured out something
that's going to be causing a ruckus and we could choose it for good or for bad.
Companies actually coming together to get ahead of it feels different than how we've
(19:54):
been doing a lot of AI stuff so far.
It makes me feel like Armageddon.
You know, like the movie Armageddon where they all come together and put differences
aside and they're going to go blow up this asteroid.
I think we're beyond getting ahead of it.
It's ahead of us.
Well, it's a little scary to have this conversation just a few minutes after talking about how
(20:15):
CISA is just being slashed and gutted at the federal level, but I'm sure it's fine.
It's fine.
It's fine.
It's fine.
Well, we're going to talk in a few minutes about what do we need to do to prep for AI
cybersecurity defenses and offenses.
But Chris, do you want to transition to a quick ad?
Yeah.
So check out Incident IQ.
(20:35):
If you are in IT, if you're listening to us and you're a K-12 tech, your job is not getting
easier.
It's not simple.
You have a bunch of devices to manage.
You're juggling a bunch of support tickets.
You're thinking about cybersecurity budget cuts, refresh cycles, the whole bit.
Incident IQ can help you with all of that.
They are a service management platform.
They are built for schools.
(20:57):
They will integrate your help desk, your asset tracking, your workflows, all into one system.
They can help your team work smarter, respond faster, so that you have a good pulse on all
that's going on within your district.
So learn more at incidentiq.com.
All right.
So Project Glasswing obviously is setting the entire cybersecurity world on a buzz right
(21:20):
now.
But the one article over the last couple of weeks that for me made me a little bit more
nervous than this was the one, I don't know if you saw this, there's always those guys
on Twitch and YouTube who try to bait the cyber attackers and the scammers along on
phone calls.
One of the major guys out there got a video call from a scammer.
(21:41):
And this scammer was using face swap AI technology to change his face into a different person
and was having a full blown conversation with this guy.
It scared me to death because this conversation, this Zoom call looked very, very real.
I would have fallen for that.
And I tend to think that I'm a little bit more advanced in my ability to see scams and
(22:05):
AI deep fakes.
But if you think about this one hitting your school district, we know teachers are falling
for emails, they're falling for phishing text messages.
A phishing Zoom call with an AI face swap technology today would ripple through a district
very, very quickly and have enormous, enormous consequences.
(22:27):
So I thought, let's have a conversation tonight about what are you doing to prepare for AI
threats, both offense and defense.
And is there something that we need to think about as an industry in order to prep for
AI powered cyber attacks?
Josh, you want to go forward or go first and talk about some of the things you're doing?
(22:49):
Well, no, but I'll just say this.
I have a real hard time feeling good about transitioning to a conversation about AI threats
and what we need to do, AI defenses, that type of conversation.
When I see my phish failure rate on the phishing tests that I send my employees and I know
(23:17):
how ugly that rate is, we don't stand a chance to AI engineered attacks.
Period. End of sentence.
Let's just go to the sponsors and get this thing.
Just get out of here.
Well, until districts can raise that bare minimum, low hanging fruit, whatever you want
(23:41):
to call it. And I'm sorry, I'm going to be really frank here.
Ninety five percent of the time, the problem is a human, not a policy, not a technology,
not a not a you have to have MFA.
It's the human not pausing thinking before they click and act.
(24:02):
And until we can fix that, we don't even need to have this conversation about AI threats
because we can't handle the baby steps.
Yeah, I've had a lot of conversations over the years about one of the consequences for a
staff member if they fail a phishing test.
And in many, many private sector companies, the consequences are on the third strike,
(24:26):
you're out. And I think that's viewed very extreme and a little too over the top in the
public sector. But at the same time, that extreme consequence causes people to take
things more seriously and causes people to pause before responding, before clicking a
link. And I think that is, for me, one of the biggest things that's missing is the real
(24:49):
world consequences of not taking the training seriously, of not thinking twice before
clicking a link, of responding to an email and driving out and getting gift cards.
I had conversations in my own district around like, well, if a teacher falls for the gift
card scams, maybe we should reimburse them.
No, no, no.
(25:10):
And I'm not trying to be cruel here, but I'm trying to say we've got to make sure that
people understand that there are real world consequences, because if they're not, then
they're not going to take our training seriously.
They're not going to take these things seriously.
So, yes, I agree with you, Josh.
I had a real hard time getting buy-in to do phishing tests of our staff originally, years
(25:31):
and years and years ago, because it was perceived as a shameful, like K-12 doesn't stand a
chance.
I'm still working with a district today that has the exact same problem.
They cannot roll out phishing exams or phishing tests because it is perceived as a gotcha.
Yeah.
I've had, I've worked at three different school districts over my 20 years, many different
(25:56):
superintendents.
At a previous district, I did the whole cybersecurity awareness month, and we would do the fake
email in particular on that month.
And this is when it was kind of new.
So it was all very, and I still do this, and it still kind of has a positive spin to it.
But back then, we did like an email security week and had so many people click it, and
(26:17):
we knew which people, right?
So we would do a weekly admin meeting, and I would share results on that.
And my superintendent then was curious of who did the clicking, and I would share that
report.
And like the third week of the month, it was like a student data week or something, and
did a similar thing one year with another email campaign, and the same people clicked
again.
(26:38):
Now I, at that time, wanted to just stay light.
You know, like we would do like the can of spam if they clicked it and all that kind
of stuff, whatever.
I wasn't wanting to, I didn't do that month to get people in trouble.
But that superintendent wanted to have direct conversations with those people that had
clicked it.
You know, just, I mean, literally two times in a month, they clicked on the bad email.
(27:03):
And back then, those were pretty obvious emails to not click on.
Now I've since had superintendents.
I had one in particular.
Josh, you can remember, it floated around Missouri.
It was like a Google Drive, you know, link sharing.
It was just spreading.
I mean, it was just all over.
Everybody's just clicking on this stupid thing.
And again, we had the same group of like three to five people that always fail our
(27:27):
simulations, and they're the ones that clicked on this thing that spread it around our
district.
And I asked for more action, and I got the literal, you know, no, we're not going to
do that, because that's a negative thing.
You know, I just put my hands up, because what, I mean, again, going back to the, what's
the point then?
Why are we, like, why are we even trying?
It's going to be the same people.
(27:47):
We, all we've done is identify who's going to click the thing.
We're going to know what accounts to look at first.
And to your point, and probably to answer your question better, Mark, on your thoughts
of this first area of what does an AI-powered attack on a school look like in reality now?
I think we're already seeing it with phishing attacks.
The grammatical errors and spelling errors have disappeared.
(28:11):
The legitimate-looking phishes are spot on now.
That's, I think that's what we're seeing.
We're not, we're not seeing, at least not yet, I don't think, we're not seeing AI-powered
firewall attacks or pokes or scans.
Where we're seeing an AI attack now are these, the edits of these phishing emails being
(28:36):
darn near perfect.
Almost too perfect.
And those are the broad, general email going to hundreds, thousands of people at the same
time.
The emails that are very, very specific to a person, to a superintendent, are even more
realistic because they can, with AI, they can insert a lot more custom-specific information.
(28:59):
Deepfake phone calls, the deepfake videos, that is going to elevate this even farther
because, again, one of the things we've talked about over the years is look for spelling,
look for grammar mistakes.
Now we're talking about get on the phone with a person and verify this information
through their voice.
Now, within the next five years, that's not going to be a piece of information that you
(29:20):
can trust because the deepfake voices are going to be so realistic that we're going
to see the superintendent phished or spearphished.
If you're being targeted with a phish or a spearphish, let's say, you initiating that
phone call to your pre-established phone number or contact information to that perceived sender
(29:43):
is the best way to do that.
You're not relying on an inbound call for that verification.
You're making an external call or an outbound call to verify that information.
We got to bring back fax.
Yeah.
Like fax machines?
Yeah.
Facts or fax machines?
Yes.
No, facts don't exist today.
(30:06):
No, HIPAA still says faxes are the secure method of transportation.
But to your point, Josh, I'm less worried about teachers and more worried about the
finance office, the procurement specialists who have to deal with outside providers and
don't know the details on these vendors and things like that.
I think that's where we're going to see the most immediate and impactful results.
(30:31):
You don't have to go real far.
We had an incident in the fall.
Thankfully, nobody fell for it, but there was an article in the paper about who's doing
our construction on campus.
Somebody registered a domain that looked like that contractor's website.
It had an extra character that was hard to spot and sent an email saying, hey, we missed
(30:53):
our payment.
Can you resend it?
Well, if you weren't really paying attention to that sender address, you could have sent
a payment to a general contractor.
Use your imagination and they mount.
Yeah, I don't know.
I really do like the facts.
F-A-X-C-T-S machines where we have to come up with a new technology.
(31:22):
Who runs the fax machines?
Fax machines.
You have to give three answers to three random questions and only, you know, I don't know.
We're figuring out something here.
Fax machines.
You're stressing me out, Mark.
I don't like this topic.
I'm sorry, but it's already a stressful topic.
It's only going to get worse.
(31:42):
All right.
So what do we do?
What do we do about this?
Nothing.
We can't spell words right.
No, we're talking about fax machines.
They're going to spit fax.
We click every link.
We click every link.
I'll tell you one thing we're going to do.
We're going to go to CoSN and have a happy hour thanks to NTP and Checkpoint.
(32:05):
Uh, work hard.
And then when you get home, hang out with your family, be with your friends,
realize that life is short.
The end of the world is coming.
This Glasswing thing is going to get out of the box.
It's all over soon, folks.
So if you're going to CoSN, hang out with us April 13th, 6 to 8 p.m.
I have a couple spots open for this.
(32:26):
You can RSVP to hang out with us while we're at CoSN thanks to NTP and Checkpoint.
And Chris and I might have a surprise if you come to the happy hour.
Something from the past.
Something from the past, yep.
By the way, Checkpoint would say that they can probably help and NTP with this AI thing.
Yes, and Milo.
(32:47):
Or no, that's Chris's dog.
See, I got him worked up now.
So, Mark, what skills do the K-12 folks need to mitigate this besides unplugging the internet?
Well, that was going to be my first recommendation.
I mean, not necessarily unplugging the internet,
but I do think we're going to have to get stronger policies in place for allow listing.
(33:09):
And we're going to start to see more and more districts move towards blocking
the non-approved applications and websites more than we are right now.
I think that has to be something.
Yeah.
Oh, Mark.
Oh, Mark.
I mean, I'd do it tomorrow.
I, yeah, so that would be my first, I would say,
(33:31):
five to 10 year outlook is more and more movement towards allow listing
versus block listing, which is what we currently do.
I think the other thing that we really need to do, and again, this is very hard for me to say,
because it's not necessarily something that I think is easy to do, but
we have to really dive down into our policies and make sure that
(33:53):
the staff understand that there are real world consequences
to not taking the training seriously and not taking these emails seriously.
And I say that because the three of us all have wives that are in schools,
and I'll speak for my own.
I'm very, very concerned about her falling for a phishing scam.
I'm going to be very quiet right now.
(34:14):
And so the idea of the, you know, three strikes, you're out scenario is...
You don't think your wife will be employed very long?
She's gone.
I think she's gone by Friday.
But if you were to tell my wife and many other teachers that,
hey, your job is on the line.
(34:34):
If you make a mistake, if you don't go through training,
they're going to take it seriously.
They're going to start to follow protocols.
That alone will make more of an impact than sending out these blind emails
and just hoping that teachers are listening to these and following them.
I'm going to say something that is going to be perceived a couple of ways.
(34:58):
One, talking out of both sides of my mouth.
And two, harsh.
If you go to a teacher and you say,
these things are serious.
Your job could be on the line.
Yada, yada, yada.
You're at two strikes.
You only get three and then we're canning you.
One, the harsh statement is, will it matter?
(35:20):
Two, the out of the both sides of my mouth statement is,
is that unfair when the teachers are already
layered with responsibilities in the class of being a mental health professional
as well as trying to teach kids their ABCs and numbers.
(35:42):
And then you're laying this threat of,
you could be fired if you click this thing three times.
I understand the duplicity of what I'm saying here.
But I don't know what the right answer is.
Yeah, we just did the news article about the substitute teachers on the uptick.
That's because teachers are on the downtick.
And we have all these retention issues.
(36:07):
I'm with you.
I understand why the teacher thinks it's not their problem.
Because they didn't get into teaching because they wanted to worry about
what link they're going to click on.
They got into teaching because they love kids and want to help kids learn.
Yeah, and I think it's an extreme example.
And, you know, losing your job over clicking an email is a tough one, right?
(36:28):
And I'm not necessarily saying the simulated emails and the fake emails.
Well, that's going to result in loss of jobs.
That is what some private companies do.
But I do think that teachers need to understand,
and staff need to understand there are consequences
should you not follow procedures and policies and the like.
(36:49):
The third thing that I would say, though, is on our end, on the IT side,
we need to have a much, much bigger footprint at the decision-making table
for these kinds of things.
And the number of times that we are forced to implement and support tools
that we've never heard of before,
and we had nothing to do with the decision-making process,
(37:12):
that has to change.
That's not necessarily on our plate,
but it's the organizations that we work with,
the districts and our vendors need to understand
that our doors are not open anymore.
And it kind of goes towards the allow listing conversation,
but a lot of it goes down to the procurement practices
need to have IT leaders saying yes or no at the end of the day.
(37:36):
There needs to be a decision point where IT can say,
hey, this tool does not meet our protocols,
does not meet our standards,
and therefore it is a no,
rather than I bought it, go ahead and implement it,
go ahead and make it work.
Yeah, that mentality has to stop,
but I don't see that, I don't know.
(37:59):
I think bad stuff has to happen in order for the community to see that,
unfortunately.
Agree.
Your comment about even doing a faculty-staff allow list,
today we had a person going to a new website
that they don't normally go to and they misspelled it,
so it was doing the whole fake pop-ups and freak out stuff.
(38:22):
And again, that's something that's been around for years and years and years,
let alone the AI element of this.
So going back to what Josh said initially,
we're not ready.
And going back to what Josh said too,
it's gonna be the user that does the thing still.
Man, yeah, I don't usually get down like,
(38:42):
we're recording a little bit later tonight,
so you know, Josh came in already tired,
so I knew Josh was gonna try to bring us down,
and I wasn't gonna try to stay on top of it mentally,
but I'm not making it.
What other questions do you have, Mark?
I got nothing, I got nothing.
I'm optimistic though.
I think, you know, when I see things like Project Glasswing,
(39:04):
when you see Anthropic is saying,
let's give this to the good guys ahead of time,
what I'm excited about is,
there are going to be cybersecurity tools that come out as a result of this,
and are given to the school districts,
the municipalities in order to help safeguard our systems and our tools.
Anthropic has committed $100 million in AI tokens
(39:26):
for the researchers to figure out how to use this for good.
I hope that is carried forward into the community and saying,
hey, here are some tools that everybody can have access to.
Let's not put these things behind paywalls.
Let's make the cybersecurity defense, the AI cybersecurity layer,
a part of just the standard tool set that every school district has access to.
(39:48):
I wholeheartedly agree with you in your sentiment.
I don't see it happening.
We're gonna be paying for those tools.
So what else can we do, boys?
Mark, you did make some notes that I agree with,
and I will say, I'm trying to do more for my,
(40:09):
our department's trying to do more with a tabletop exercise with folks.
That's practical.
We can do that today.
Caring more about DPAs.
If you don't care, you should care.
And even getting into the weeds of,
you have your incident response plan,
(40:29):
and you have your disaster recovery plan.
Go farther with that to get into your business continuity stuff.
Do playbook things.
I mean, it's time to start spending the time
on all that stuff that we always talk about that we should do.
Yeah.
I know last week we teased Josh for making his 3D printer vendor sign a DPA.
(40:53):
Which they won't.
We're gonna get to it.
We're gonna come back to that in a second.
But at the same time, what Josh is doing is in his community,
is setting the expectation that if you're going to implement
a new technology, hardware or software,
it's going to go through a review.
And I think that's a great thing to see.
It's a great thing to have.
Very, very hard to get to that level.
(41:16):
But you're setting higher expectations.
You're raising the bar.
Josh, you're raising the bar.
You're raising the bar.
Josh, you did get a listener support reaching out to you.
Or a listener email reaching out to you.
Yes.
They said you guys are mean.
Josh, I want to say this to you.
You have a bar set and you make every company hit, like, do it.
(41:41):
And I think that is standout and that is excellent.
And I'm not joking.
I appreciate you for that and you're leading the way with that.
So go take down that 3D printer company.
Yeah, we'll take them down.
Chinese owned asset is what they are.
All right.
Anything else, guys?
(42:02):
We're going to be together next week.
For a couple minutes.
For a couple minutes.
We got two, three days together at CoSN, Chicago.
If you guys are, if the listeners are going to Chicago, come see us.
We're going to have a table set up.
We're recording.
Come say hi to us.
We'll have stickers and some different things as well we can give you for sure.
(42:23):
Josh is going to be going through the vendor showcase area,
just like beating up on all 3D printer vendors.
I'm excited for that.
Yeah.
I think some of our sponsors are going to be there.
And no matter what, it's our sponsors that make trips like that possible,
that make this podcast possible.
So we want to say thank you and do a plug to Fortinet.
Check out Fortinet Podcast or email fortinetpodcast at fortinet.com.
(42:47):
If you have any questions about Fortinet Firewall or any of the Forta products,
shoot an email to Chris Illingworth over at fortinetpodcast at fortinet.com.
Also check out ClassLink.
They can do your rostering, your SSO, do your analytics, all that kind of good stuff.
So you can have a good look at what your folks are doing.
Check out classlink.com.
(43:08):
And last but not least, Lightspeed Systems, a great content filter.
I've used it for many, many years.
They have a great signal product and other products as well.
Check out Lightspeed.
Yeah, I'll see you guys.
I mean, CoSN's coming.
That's in a couple of days, Sunday through Tuesday, right?
Pumped about it.
See you soon.
See you guys next week.
(43:42):
The views and opinions expressed on the K-12 Tech Talk Podcast are the personal opinions of Josh,
Chris, and Mark, and do not represent the views or opinions of our sponsors or other
organizations that we're affiliated with.
The material and information presented here is for general information and entertainment purposes
only.
Thanks for listening and we'll see you next week.