5 Lessons from Fairfax County Public Schools’ Cybersecurity Failures
On April 21, 2020, the head of Fairfax County Public Schools' (FCPS) IT department resigned after repeatedly fumbling the launch of FCPS’ online learning platform for the 189,000+ students in its jurisdiction.
Assistant Superintendent for the Department of Information and Technology Maribeth Luftglass walked away from 21 years with FCPS after the historically prestigious school system failed to successfully implement virtual classrooms and exposed its students and teachers to online harassment and potential privacy breaches. The technology issues were so severe that FCPS cancelled school for several days and issued a statement in which it announced the retention of several Godzilla-sized cybersecurity experts to conduct damage control and find a solution, namely:
Hunton Andrews Kurth LLP, a law firm with expertise in information technology and cybersecurity;
Bobbie Kilberg, President and CEO of the Northern Virginia Technology Council;
Andrew Ko, Managing Director of Global Education at Amazon Web Services; and
Amy Gilliland, President of General Dynamics IT.
Allegedly fearing a cover-up, a group of FCPS IT specialists sent their employer a letter, later published in The Washington Post, detailing the emails, documents, and screenshots that demonstrated their repeated efforts to alert FCPS leadership to technological, safety, and security concerns in the weeks before the rollout of the FCPS virtual learning environment. One problem highlighted in the letter was that students could use guest links to repeatedly infiltrate any virtual lesson under a username of their choice. Predictably, the students exploited this feature, using racist and obscene usernames to pop in and out of classrooms and interrupt lessons, leaving teachers without recourse or any technological means to prevent the repeated intrusions.
The Washington Post further reported that FCPS’s issues, in part, resulted from FCPS’s failure to apply software updates for nearly two years and refusal to migrate to more advanced and privacy-friendly software.
As with most breaches and oversight failures, there are important lessons:
1. Patch all software every week, and sooner when there is a specific alert to a “zero day” bug; in fact, the industry calls it “Patch Tuesday.”
2. FCPS was using Blackboard despite teachers’ repeated requests for Google Classroom. C-Suite executives and management must carefully weigh their options, especially when practitioners provide direct insight, and should look for quality products with automatic security updates rather than defaulting to in-stock software.
3. The FCPS IT director was with her employer for 21 years. When was the last time there was an assessment of Luftglass’ technological abilities compared to current threat vectors? Did she attend continuing education seminars in her field to learn about new technology and software specific to K-12 education? (Seems unlikely given current facts.)
4. Hunton Andrews Kurth LLP (HAK) is an extremely prestigious law firm, and with that comes a corresponding price tag for crisis-level operations. This cost will be passed to the taxpayers. Had FCPS consulted HAK or another cybersecurity attorney in advance of rolling out the virtual classroom, HAK would have advised them to check software updates, ensure all patches were implemented, work with the IT staff and CISOs to ensure the best platform available was used, and implement privacy controls to ensure regulatory compliance. The cost of that forethought by HAK would be substantially less than post-disaster mitigation.
5. Do not ignore the IT staff. Read the letter published by The Washington Post. These individuals knew the problems that would arise, documented their attempts to prevent these issues, and in doing so, immunized themselves from blame and repositioned it on their leadership.
As for what comes next, there may be reports to the Department of Education for alleged violations of the Family Educational Rights and Privacy Act (FERPA), an investigation by the Department of Education, and general negligence claims against FCPS by parents and teachers for negligent supervision, hiring, and training. The result of a lack of forethought and preparation will be millions of dollars and man hours expended on remediation efforts, not to mention the effect on the students.