Student Hackers — The Full Story
Hackers. You think of them as criminals, as people who steal your data and break the law. But, have you ever thought that your child might be going to school with them? That’s the truth in today’s world, but first, we have to get a clear understanding of what a hacker is. The word hacker is defined as an expert at programming and solving problems with a computer, as well as, a person who illegally gains access to and sometimes tampers with information in a computer system. However, in the popular imagination, hackers are only known for being the latter. In fact, 90% of all hackers actually help keep your data safe. These hackers are called White-hat hackers, and the kind that are typically associated with breaking the law are Black-hat hackers. There is a type in between, called Grey-hat hackers, and most students fall into that category. But before we get into that, let’s take a look at the big picture.
The average school district has about 7–15 thousand students. Given the size of school districts, it’s very likely that there are students with special technical skills in districts. According to the National Center for Education Statistics, in 2015, 94 percent of children ages 3 to 18 had a computer at home and 61 percent of children ages 3 to 18 had internet access at home. When you think about how curious a child is, it isn’t surprising that they would find ways to “hack”. The usual targets are what you would expect, grade books, and the passwords of their peers and the staff.
Furthermore, students are not typically educated on the subject of digital etiquette. However, districts do have institutions for this purpose. Some districts have teams called Educational Technology, or EdTech. Saddleback Valley Unified School District (SVUSD), a school district in Southern California has this type of team. In an interview with us, Ozzy Cortez, the Chief Technology Officer at SVUSD said, “So our teachers then (get training from the EdTech team and) pass along that knowledge to students and tell them what is good and bad.” From the perspective of the students, they do not “hack” with malicious intent. But that doesn’t mean that they are white-hat hackers. In reality, they want to show other students and staff that they possess this skill, and therefore were able to break into the systems, ironically, it’s also the thing that usually gets them caught.
School districts around the country take a similar approach to the subject of student hacking. The most common policy that is administered to young hackers is one made to prevent students from hacking in the future. This approach is not completely wrong. In fact, it is good for students to face the consequences of their actions. However, there is a better way for districts to deal with this issue. Ozzy Cortez went on to state, ”Our schools try to approach student hackers from a teaching viewpoint… I would encourage them to pen-test. I’ve never come across a student who tried to hack with malicious intent.” Overall it is much more beneficial for schools to follow this approach to student hackers.
In the past few years, cyberattacks on school districts have skyrocketed. School district databases are packed with valuable information on people. This includes your address, student’s health information, and much more. This makes them a huge target for black-hat hackers as this data can be sold for money. Generally, districts do a good job of protecting their databases but sometimes there are small loopholes in their systems that they miss. Malicious hackers could take advantage of those small loopholes. However, there is a solution to both the problem of students hacking districts without permission and malicious hackers stealing information from districts, which is to use the student hackers to prevent malicious hackers. Instead of thinking “This student got into our network and did…” they should be thinking “If this student was able to break into our systems, what are the odds that someone who does mean harm can do the same?” The vast majority of vulnerabilities discovered by students are left unpatched. Students shouldn’t be punished for doing something that even the district’s cybersecurity team can’t. Instead, make sure that the vulnerability found by the student can’t be exploited by a black hat.
On an ending note, imagine how much better the cybersecurity of schools will be if they learned from students. How much better it would be if students could openly try to hack their school because they know that instead of being punished, they would be able to work with the district to keep their school safe.
We don’t need to imagine that. Just having a simple bug bounty program for students to register and report bugs will make cybersecurity at the district much safer. Many companies today already have bug-bounty systems, and it would be very useful for the education system to follow suit. Student hackers are here to stay but now more than ever districts have two options, they can either work with the students and block out the malicious hackers in their systems, or they can continue to repress student hacking and leave themselves vulnerable.
This article was written by: Kavish Shah & Atharv Attri
Sources
www.cnbc.com/2019/08/29/hackers-are-targeting-colleges-for-students-data.html
www.wired.com/story/teen-hacker-school-software-blackboard-follett/
