Showering malware-laced laptops on UK schools is the wrong way to teach them about cybersecurity

The Department for Education needs to learn its lesson too

Column It is not good form to ruin people's online privacy. It is especially bad form if you're in a position of authority when you do this. It goes beyond bad form altogether if you're the Department for Education and you are potentially exposing schoolchildren to online attacks. That is criminal neglect.

And it just happened. By distributing malware-ridden laptops to the most vulnerable and needy schoolkids, the Department for Education is guilty of an astonishing breach of responsibility. It's bad enough if you put adults at risk, but for this to happen to school-aged children is a sign that significant safeguards have been ignored or short-circuited. There are protocols and best-practice rules and layer after layer of hard-won protection for IT aimed at kids in education. Shipping Russian-infiltrated kit to them isn't just a mistake.

Remote learning

Laptops given to British schools came preloaded with malware


Here's how it should work – something I know about because I've been taking IT into schools lately. It's been a real education.

Some background. For the past three years, I've been part of an outfit called Civic Digits in Edinburgh. With playwright and producer/director extraordinaire Clare Duffy, I've co-written The Big Data Show, which is part live-action game show, part digital magic, part play about the 1984 Prestel hackers of whom I was one. We have actors from film and telly, a production team and partnerships across the Scottish drama world. Pukka stuff.

We've toured it around schools to audiences of a hundred or so 10 to 13-year-old kids, taking it entirely online in 2020, for obvious reasons. Audiences take part in the show, which is about digital life, cybersecurity, identity, and making good decisions online, through an app we wrote that we ask them to load on their phones. It looks like a game at first, but secretly communicates with a server that triggers events, gets audience feedback, and generally messes with their young, impressionable minds. Great fun.

It turns out that "we want to run our software on your kids phones and teach them cybersecurity through surprising stuff" is a fun thing to say to educators, governments, and funding bodies. On the plus side, nobody else is doing cyber education for that audience, let alone with our panache. On the minus side – you want to do WHAT?

And so I found myself helping to write briefing documents, reports, and analyses, and sitting on an ethics committee – yes, a journalist on an ethics committee, you may laugh at will – with the police, state cybersecurity experts from a place down south, education and government people, and appropriate academics. We had to demonstrate what we were doing to protect identity and data, which meant a proper walkthrough of the show architecture, the data flow, the safeguards taken on app, server and comms, a risk assessment of all potential vulnerabilities, and so on.

Who generates the image? Who checks it, and how? What tests are in place? How do you establish a secure supply chain? How are the laptops commissioned before being passed to the children? Who's responsible for ongoing security?

It was a lot of work, I got some hard questions to answer, and I learned a great deal about what responsibility means in this context. And it gives me the right to say that the Department for Education deserves to be roasted with nuclear fire.

Back to the malwared laptops – what in Hades were they thinking? The story is developing so we don't yet know who was responsible for generating the image for the laptops and checking that it was correctly and securely installed. My guess is that nobody thought to specify this – contracts went out saying "Windows 10 laptops with X, Y and Z" to resellers, resellers found suppliers, laptops were dispatched from the factory and sent on to the schools that unopened packaging. Hurry, hurry, there's a pandemic on.

Let's run that past our ethics committee. Who generates the image? Who checks it, and how? What tests are in place? How do you establish a secure supply chain? How are the laptops commissioned before being passed to the children? Who's responsible for ongoing security?

You can guess how much of that happened. As a result, it looks as if a well-established Russian crime gang's infiltration of Chinese manufacturing has propagated into the homes and lives of schoolchildren in lockdown.

Preventable? Very. Culpable? Very, very culpable.

If The Big Data Show had been responsible for infecting phones, I'd expect serious repercussions. It's far worse if you're the government department not only responsible for cybersecurity in schools but also the one sending out the kit that you insist people use.

There has to be an official inquiry. Whatever happened here must not – cannot – happen again. It is unconscionable to put vulnerable families at extra risk of fraud, cybercrime, or the sort of abuse criminal gangs can visit on children.

Let's be clear. The Department for Education has invited the Russian mafia into the heart of family life, mid-pandemic, when we're all at our most vulnerable.

I'm all for teaching kids about cybersecurity, but not like this.

There must be consequences. ®

Similar topics

Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022