A reality based independent journal of observation & analysis, serving the Flathead Valley & Montana since 2006. © James Conner.

6 October 2017 — 2256 mdt

There is no way schools can obtain cyber security on the cheap

Talk to information technology security specialists and you’ll be staggered by their tales of never ending swarms of hostile electrons trying to gain illicit entry to computer systems. Sometimes a weakness is detected, and the hacking begins. That’s probably what happened to the servers at Columbia Falls. The Dark Overlord got lucky, the school district was unlucky, parents and educators had the bejesus scared out of them, and an extortion attempt began.

In retrospect, it appears that the IT staff at Columbia Falls may have made a mistake. Whether that mistake was a blunder, the result of not enough training for the IT staff, or using hardware and software that was vulnerable to attack, is something the public may never be told.

But comments by the district’s superintendent, Steve Bradshaw, to the Flathead Beacon suggest that parsimonious procurement practices may have contributed to the cyber break-in and data theft:

Bradshaw said the school district is devoted to defending against this type of situation in the future, but it comes with a cost.

Most of the technology used throughout the Columbia Falls school district was either donated or bought through general funds remaining at the end of each fiscal year, Bradshaw said.

“There really is no technology budget in our district budget. We will look at trying to change that, but it isn’t cheap,” he said.

In Alaska, where Bradshaw previously worked as an administrator, the school district set a goal of $500,000 a year for technology needs, including security, throughout the district’s schools.

Relying on donated equipment and surplus funds is a recipe for being hacked, not a responsible IT policy. A school board taking that approach to fire safety would equip its buildings with cast-off fire extinguishers, discarded garden hoses, and recalled smoke alarms that allegedly had been refurbished and were available for next to nothing from an obscure website in the Ukraine.

A high level of cyber security requires new and robust hardware, up to date software, physically secured equipment, written cyber security policies that are followed to the letter, and well trained and paid IT staff. The system’s data must be secured with super-strong encryption, not just passwords. And achieving a high level of cyber security must be so important to the school board that were it faced with choosing between funding football and other sports, or funding cyber security, the board would choose funding cyber security unhesitatingly.

Stephen Paddock did not make threats – he just started shooting

There’s a lesson in the Las Vegas ambush and the most deadly mass shooting; perhaps in virtually all mass shootings. Killers do not attempt to terrorize their victims by sending them threats before opening fire. They just show up and starts shooting. If a school district begins receiving emails and text messages talking about school shootings and using prose that’s intended to terrify people, the probability that a man with a machine gun is on his way to kill everyone in the cafeteria is exceeding low to non-existent. Something else is going on. The highest probability is that the so-called threats are a sign of safety, not an announcement of impending bloodshed.