Showering malware-laced laptops on UK schools is the wrong way to teach them about cybersecurity

The Department for Education needs to learn its lesson too


Column It is not good form to ruin people's online privacy. It is especially bad form if you're in a position of authority when you do this. It goes beyond bad form altogether if you're the Department for Education and you are potentially exposing schoolchildren to online attacks. That is criminal neglect.

And it just happened. By distributing malware-ridden laptops to the most vulnerable and needy schoolkids, the Department for Education is guilty of an astonishing breach of responsibility. It's bad enough if you put adults at risk, but for this to happen to school-aged children is a sign that significant safeguards have been ignored or short-circuited. There are protocols and best-practice rules and layer after layer of hard-won protection for IT aimed at kids in education. Shipping Russian-infiltrated kit to them isn't just a mistake.

Remote learning

Laptops given to British schools came preloaded with malware

READ MORE

Here's how it should work – something I know about because I've been taking IT into schools lately. It's been a real education.

Some background. For the past three years, I've been part of an outfit called Civic Digits in Edinburgh. With playwright and producer/director extraordinaire Clare Duffy, I've co-written The Big Data Show, which is part live-action game show, part digital magic, part play about the 1984 Prestel hackers of whom I was one. We have actors from film and telly, a production team and partnerships across the Scottish drama world. Pukka stuff.

We've toured it around schools to audiences of a hundred or so 10 to 13-year-old kids, taking it entirely online in 2020, for obvious reasons. Audiences take part in the show, which is about digital life, cybersecurity, identity, and making good decisions online, through an app we wrote that we ask them to load on their phones. It looks like a game at first, but secretly communicates with a server that triggers events, gets audience feedback, and generally messes with their young, impressionable minds. Great fun.

It turns out that "we want to run our software on your kids phones and teach them cybersecurity through surprising stuff" is a fun thing to say to educators, governments, and funding bodies. On the plus side, nobody else is doing cyber education for that audience, let alone with our panache. On the minus side – you want to do WHAT?

And so I found myself helping to write briefing documents, reports, and analyses, and sitting on an ethics committee – yes, a journalist on an ethics committee, you may laugh at will – with the police, state cybersecurity experts from a place down south, education and government people, and appropriate academics. We had to demonstrate what we were doing to protect identity and data, which meant a proper walkthrough of the show architecture, the data flow, the safeguards taken on app, server and comms, a risk assessment of all potential vulnerabilities, and so on.

Who generates the image? Who checks it, and how? What tests are in place? How do you establish a secure supply chain? How are the laptops commissioned before being passed to the children? Who's responsible for ongoing security?

It was a lot of work, I got some hard questions to answer, and I learned a great deal about what responsibility means in this context. And it gives me the right to say that the Department for Education deserves to be roasted with nuclear fire.

Back to the malwared laptops – what in Hades were they thinking? The story is developing so we don't yet know who was responsible for generating the image for the laptops and checking that it was correctly and securely installed. My guess is that nobody thought to specify this – contracts went out saying "Windows 10 laptops with X, Y and Z" to resellers, resellers found suppliers, laptops were dispatched from the factory and sent on to the schools that unopened packaging. Hurry, hurry, there's a pandemic on.

Let's run that past our ethics committee. Who generates the image? Who checks it, and how? What tests are in place? How do you establish a secure supply chain? How are the laptops commissioned before being passed to the children? Who's responsible for ongoing security?

You can guess how much of that happened. As a result, it looks as if a well-established Russian crime gang's infiltration of Chinese manufacturing has propagated into the homes and lives of schoolchildren in lockdown.

Preventable? Very. Culpable? Very, very culpable.

If The Big Data Show had been responsible for infecting phones, I'd expect serious repercussions. It's far worse if you're the government department not only responsible for cybersecurity in schools but also the one sending out the kit that you insist people use.

There has to be an official inquiry. Whatever happened here must not – cannot – happen again. It is unconscionable to put vulnerable families at extra risk of fraud, cybercrime, or the sort of abuse criminal gangs can visit on children.

Let's be clear. The Department for Education has invited the Russian mafia into the heart of family life, mid-pandemic, when we're all at our most vulnerable.

I'm all for teaching kids about cybersecurity, but not like this.

There must be consequences. ®


Biting the hand that feeds IT © 1998–2021