- Federal and state political pressure on school systems to include cybersecurity concepts in K-12 classes
- School system pressure on K-12 schools to do the same
- Local (principal) pressure on local faculty to develop these courses
- Teachers are unable to create these environments because of school system and local IT resistance to build the environment needed to teach these classes.
I came from the sysadmin world and remember the "prime directive" of sysadmins: "Keep the systems running at all costs". This directive, while noble, has caused more security headaches over the past 25 years. Simple things like patching OS, applications and hardware for security issues run into the sysadmin prime directive which resulted in security vulnerabilities not being corrected in a timely manner.
This reminds me of the "Ultimate Computer" episode of Star Trek (TOS). The Enterprise was fitted with the new M5 computer which automated the ship's handling, offensive and defensive capabilities. When things went south quickly because the M5 started behaving in a dangerous manner, Dr. Daystrom was blind to what the machines was doing because of his loyalty to a particular train of thought ("You don't shut a child off when it makes a mistake. M-5 is growing, learning."
"Learning to kill." "To defend itself. It's quite a different thing.")
Sysadmins were infected with the "Daystrom syndrome" where we became so involved (enamored?) with our technology that we lost sight of the real goal of our technology: to allow people to use the technology in a meaningful way to themselves and to business. Some examples of this Daystrom Syndrome variant include:
- making systems harder to use for the sake of "security" of the system
- restricting how users can access information that is "questionable" to the IT person but not the user. We're not talking about porn here. We're talking about using the Internet as a research tool to get software, algorithms, etc. that make our business more efficient and how this behavior is restricted by IT because of security issues.
- not patching systems because that would required them being unavailable for a period of time. This downtime violates the 24x7 availability rule that is one of the governing things that sets sysadmin behavior.
- Anything that causes the user to say "IT won't let me do this"
- Anything that causes sysadmins to say " users will wreck our security, availability, stability".
Let me come back to the Range and K-12 scenario. The conundrum is the K-12 teachers need to build machines that can connect to the net and be able to be configured, modified by teachers and students. Let's also face the fact that most school IT suffers from low budgets and the IT staff/machine ratio is frighteningly high. These factors combined with the Daystrom sysndrome means the K-12 teachers are told they can't use the school systems or net to build these cybersecurity classes. The Range provides an environment that allows teachers to actually create a space for their classes without IT interference. The school IT just have to allow web access to the Range. Unfortunately, this sometimes is easier said than done.
This brings me back to my premise - IT has created a worse security problem than the one they were trying to solve by imposing unnecessary restrictions on user behavior thereby preventing them from doing their jobs which encourages them to bypass these restrictions.
It's time for us to rethink the model.