I see a lot of rules based ‘quick fix’ learning opportunities in cybersecurity, and by that I mean short, intensive courses that claim to make you ready for a cyber job by taking a couple of courses. These are usually boot camp style condensed programs that promise to turn an accounting or science student into a cybersecurity practitioner in a single semester by showing you how to use tools x, y and z. They treat cybersecurity as though it’s an office job: we show you the cybersecurity rules and you follow them. You can see how well this is working by the ongoing shortage Canada faces in finding cybersecurity professionals.
I got into cybersecurity with my students in 2017 when we started chasing CyberTitan, but I brought something with us that isn’t typical in the world of STEM: a relationship with technology that is based on a willingness to hack. I don’t like the word hack, it has negative connotations to it in English that have been encouraged by the self appointed masters of STEM (the S&M part), but that willingness to iterate and work outside the expected outcomes is the secret sauce in cybersecurity that many ignore, and a major reason for why I’ve taken to it like I have.
‘Necessity is the mother of invention’ has been the motivating factor in my relationship with technology since the beginning. I moved quickly from off-the-shelf to customized solutions based on experimentation and need. WIthin six months of owning my first home computer (a VIC20), I’d figured out how to copy software using a sufficiently low noise audio deck. My first x86 Windows PC was purchased but quickly modified as I came to need more memory and processing power. By the mid-90s I was building my own computers at a time when many people didn’t own one.
This process was initially powered by curiosity, which many training programs eclipse with the promise of ‘we provide the initiative and knowledge so you don’t have to’ approach – something that has never appealed to me and a major reason why I didn’t start collecting certifications until 2001 (I’d been working in IT for a decade at that point). Schools are bad at this too. Many educators feel that it is their job to impart knowledge in a regimented format (that’s why we call them disciplines!) and assess student understanding with examples of rote learning that emphasize compliance rather than their own understanding of a subject. Many in education call this approach rigorous and disciplined – it’s how they demonstrate credibility.
The Indians have a term for austere innovation: jugaad (non-conventional, frugal innovation) which doesn’t have the pejorative connotations of the English ‘hack’. Jugaad celebrates common sense with a solutions focused approach to creative problem solving without needless bureaucracy. It emphasizes an applied approach to making technology works that is especially needed in an industry like cybersecurity where practitioners are often facing out of the box problems. WIRED recently did an article on a Ukrainian technologist who demonstrated this start-up like approach in the war with Russia. There is even an event in cyber that highlights this out-of-the-box rapid response to an unknown problem: the dreaded zero day vulnerability. Jugaad will get you much further than any amount of rote learning during a zero day attack.
There is another term in Japanese that takes the derision found in English out of making old things work. I’ve long enjoyed the concept of ‘kintsugi‘ or ‘golden joinery’, which is the repairing of old things using gold to embellish the fix rather than trying to hide it. In typical Japanese fashion it raises what is seen as banal work in the West to an artform. A concept that combines jugaad’s celebration of a fix beyond rules based approaches with kintsugi’s raising of that fix to an artform is where a good candidate for work in cybersecurity should find themselves inspired. When I started in cyber I found my IT background helped in terms of understanding the mechanics of what was happening, but my kintsugi powered jugaad approach is what has allowed me to thrive.
This ‘secret sauce’ is often ignored in education and especially in cybersecurity adult retraining. There are some disciplines that tend to attract rules focused types, but that fixation on systemic order blinds them in the edge cases where cybersecurity often operates. Rather than retraining an accountant or rigorously compliant STEM student, I suspect that those exploring subjects like detective work in policing or creatives in the arts would find the skills they’ve honed more effective, but that doesn’t stop everyone from demanding a computer science degree for any job in the industry.
There are many jobs in cybersecurity. People who lean toward the jugaad end where they can problem solve without restrictions can find a comfortable fit in operational cybersecurity where they are monitoring real time threats, penetration testing where they are attempting to exploit a client’s system to highlight vulnerabilities, or threat intelligence which focuses on gathering reconnaissance data on threat actors. But even in the policy and compliance work, a willingness to consider and understand threats and solutions that are outside the box is a necessity.
This map of cybersecurity domains gives you an idea of the many specializations that the field offers, though I would argue that in all of them (even those up the compliance end) an ability to work from your own initiative and experience rather a rule book is essential.
I sometimes describe cybersecurity types as sheepdogs. I think many in law enforcement also fit this description. You can’t send a goat to fend of wolves, but having a wolf of your own will do the trick. Early on in my transition from IT into cybersecurity I found myself leaning on IT administrative habits that don’t work in cyber, and came to realize that the jobs are very different, though the technology is the same. If you have an IT person running your cybersecurity you’re likely to be constantly surprised by the attacks you face because they tend to see systems in an architectural way rather than as an opportunity to be compromised.
It would be easy to say something silly like, ‘there are no rules in cybersecurity!’ but that’s pointlessly reductive. It would also be easy to describe all the people in it as hackers, but this isn’t true either, though a mentality that tackles problems from a place of curiosity and jugaad is far better than a rules compliant myopic who can’t see beyond the framework they maintain. At the end of all this I firmly believe that you need a bit of the wolf in you if you want to consider a career in cybersecurity. I wish more cybersecurity training and especially adult retraining would emphasize that when looking for candidates rather than demanding STEM grads often missing these skills. If it’s a formulaic job that you’re looking for, cyber isn’t it.
STEM students are often missing skills which “include teamwork, collaboration, leadership, problem-solving, critical thinking, work ethic, persistence, emotional intelligence, organizational skills, creativity, interpersonal communication, and conflict resolution.” Adding an ‘A” to STEM doesn’t fix this, incorporating an iterative, resilient, team-based problem solving mindset into STEM subjects would, but that doesn’t tend to be how we teach them.
I’ve been thinking about that post and believe all of the responses from both new cybersecurity practitioners and veterans are valid. It would appear that when you try to fix a talent shortage with rushed retraining no one trusts the results. Problems such as absurd requirements for entry level positions like asking for 5 years of experience on a tool that only came out last year or demands for that vaunted yet irrelevant computer science degree continue to strangle entry level workers coming into the field, even though they have hacked (cough) their way through our broken cyber education system to do it.
Not to sound hopelessly jugaad, but the simple solution would be to introduce cybersecurity apprenticeships that give everyone a chance to find those with the right combination of fearless curiosity, critical thinking and tenacity needed to do the job. Students with a background in science and technology might find that they are familiar with the medium that cybersecurity operates in, but that doesn’t mean they’ll be able to handle the demanding stochastic message that working in cyber demands.
I’ve always told my students that if they can bring a willingness to explore, experiment and possibly break things in the process of figuring them out, they don’t need to sweat the technicalities, I can teach them those by harnessing the curiosity they bring with them. I’ve had strong technical students fail in cyber because they lean on systemic approaches to do less. Another favourite adage of mine in the classroom is, ‘if you’re looking for a way to do less, you’ll usually find it.’ Those that want to work in a framework often do it so that they can delineate where they can stop; in other words it’s used as a way to limit their involvement. That’s no way to approach cybersecurity. If solving a problem is a nine to five gig for you, go find work elsewhere.
I’ve been sitting on this one for some time. What’s below is more like brainstorming than a clear solution, but I feel like it’s moving in the right direction…
The Problem: Canada’s Cyber-education system is broken – or doesn’t exist at all
I’ve been ruminating on this since virtually attending the “How to protect our children in an increasingly digital and online world” meeting by Economic Development Ontario and the Canadian Trade commission a couple of weeks ago. James Hayes from Cyber Legends is a man on a mission. His keynote was both insightful and frustrating – the main point being that Ontario (and by extension Canada)’s cyber-education ecosystem is broken. I’d go so far as to say that in most places it doesn’t exist at all; broken implies that there was something there to begin with.
This observation speaks to a cultural challenge that Canada faces. Other countries are able to leverage a collaborative approach to the asymmetrical global threat cyberattacks pose, but Canada’s history and the loose confederation it has produced creates many gaps between levels of government. Those gaps are where cybercriminals operate.
The Problem: cybersecurity, cybersafety and online privacy are barely mentioned in Canadian school curriculum and educators are some of the least digitally experienced professionals able to resolve this skills crisis
In Ontario we’ve mandated mandatory eLearning for all students, but cybersecurity only just got into the computer studies curriculum in this year’s rewrite, and what’s there is thin (it immediately devolves into personal online data awareness and ignores the many interesting technical specialities in cybersecurity). This optional course doesn’t run in most high schools (it was cancelled locally in mine), so this one mention isn’t seen by most students.
Many other provinces don’t mention cybersecurity at all even as they all depend on it every day with networked education technology delivering material in every classroom. Cyberskills are now essential skills if we want to keep the learning happening, but aren’t treated that way in our education systems. New Brunswick is the exception with a full cyber-learning pathway for students interested in heading into the field professionally. Why does that matter? There is a global shortage of cybersecurity professionals, so Canada’s usual approach of immigrating in solutions to its education failings won’t work in this case.
James mentioned teacher cyber-illiteracy in his keynote as well.
Our oblivious response to cybersecurity awareness is part of a larger problem in public education. When I first came into teaching in 2003 I was surprised to see the education system rocking early 90s information and communication technology. Throughout my career education has dragged its feet at every opportunity in terms of adopting digital transformation and the benefits it delivers. The result of this decades long drag is that people in education tend to be less digitally literate than the general population, even as they are expected to teach students essential digital skills like cyber awareness.
Teachers are precisely who you want to be raising general cyberawareness and the skills needed to safely navigate our online world, but decades of status quo leadership means educators are missing the digital media literacy necessary to do it.
The Problem: we’re happy to make online edtech solutions mandatory (usually as a cost cutting measure) but a surprising percentage of the people doing it don’t think they should be held legally responsible for its safe delivery
I spoke on a panel about cybersecurity at the Canadian Edtech Summit the week before. The event had an online component so I started a poll aimed at the education administration and technology companies in attendance. Recently the SEC in the US sued a company for their failure to respond to cybersecurity problems that they were very much aware of that resulted in many clients’ data being spilled onto the darkweb. This raises an interesting policy question: should school boards and provincial education ministries be held legally responsible for cybersecurity in Canadian classrooms? Canadian educational ministries and their school boards have increasingly adopted cloud based solutions to reduces costs on what used to be locally managed technology integration, but with internet based ‘cloud’ solutions come cybersecurity responsibilities. This US decision will likely influence our lax cyber responsibility policies in Canada and I was curious what the people implementing these technologies (often poorly) thought of the potential for liability penalties for failing to protect student data (which often also includes staff and family personal data too).
I expected the people delivering online edtech (school boards, ministries, not-for-profits and private edtech companies) to recognize that cybersecurity is very much their responsibility if their technology is vulnerable online. Especially if they are going to demand that students use online learning tools. This should be especially obvious when our ‘clients’ are vulnerable sector children whose safety should be a primary concern.
Most did recognize the importance of taking responsibility for their technology delivery, but I’d love to have a chat with the quarter or so who thought they should be putting student learning online while bearing no legal responsibility for it. One of those people could well be managing your local school board‘s technology department.
If we’ve got a problem with the people delivering online edtech understanding that they are responsible for cybersecurity, we need to back the bus up and clarify those responsibilities with policy – legally binding policy. I recently saw a memo which said data privacy wasn’t even a paid job in the school board and is done outside of regular work responsibilities by IT staff, most of whom have no cybersecurity experience. Until we begin taking public sector cybersecurity seriously we will continue to see our public services being disrupted by breaches and system failures.
NIST’s cybersecurity framework offers a technical policy approach to cybersecurity that clarifies what organizations need to do to provide viable online security. ISED has a Canadian version called ITSG-33 which is more policy focused. This isn’t an all or nothing thing with a solution for every problem. Any time you put data online you risk being hacked, but by following these best practices you can at least know you’ve taken reasonable steps towards preventing abuse. What you want to do is get up to Tier 4 of the NIST framework where you’re proactively defending against threats, but public education in Canada can’t get out of tier two because “implementation is still piecemeal”, and no one has “the proper resources needed to protect themselves.” Our cyber failures in Canadian education are the result of both policy and a subsequent lack of funding. I’d hope that we’d follow best practices in protecting student data, but that ship sailed years ago. If that carrot isn’t available, then a legal policy stick might be the only thing left that prompts ministries and schools to make data privacy a priority.
The Problem: Public services in Canada are siloed bureaucracies that are difficult to work with
This isn’t just an education problem, it’s a CANADA problem. Canada’s history hasn’t produced a culture that can collaborate against asymmetrical global threats.
During the panel talk at the EdTech summit one of the speakers said, “working with public school boards is very difficult. It can take years just to find the right person to talk to. Even if you can find that person, they’ll tell you there are no resources.” I talked to Kyle Bokyo, another of the panelists, after the event and we commiserated on this point.
There are not for profits and businesses in Canada who are attempting to provide solutions to Canada’s ongoing cyber-education failures, but attempting to engage with any public service in Canada is a a difficult prospect. If you talk to the ministries they hold up their hands and say they only manage the funding and not the implementation of cybersecurity solutions. If you talk to the regional school boards they say that they aren’t provided resources to do it.
In Canada’s uncoordinated cyber policy landscape I suspect it’s easier to play victim even as you assume greater cyber risk pushing user data into the cloud than it is to develop a coordinated response to this very asymmetrical problem. These gaps in responsibility make it easy for the people being paid to be responsible for the safety of online student data to point the finger at each other, even as breach after breach occurs.
What I learned through COVID as a classroom teacher is that the people running public education will ask all manner or ridiculousness just to maintain the illusion of a functional system. It’s what got them into their offices and they aren’t about to jeopardize that. Public education, along with other public services, are insular industries with generational employees and tightly knit networks of political operatives managing them. This might sound like immigrant complaining (and it is), but the best way to get into education ‘leadership’ is to have had family who did it, or marry into one. The next best way is to be willing to maintain the status quo at all costs. Agility and responsiveness aren’t words often applied to this sector.
Cybersecurity in the public education is dangerously under-prioritized even as we continue the rush to cloud based edtech solutions in an attempt to save money. On top of that a surprising percentage of the people delivering these solutions don’t think they should be held legally responsible for its safe delivery. This deadlock suggests that we need policy that not only enforces best cybersecurity practices in education, but also makes resources for it a requirement rather than a politically motivated failure.
But the fix needs to go further in education because we also have a responsibility for providing graduates with opportunities to learn the skills they need to survive in a rapidly changing world; something we’re not doing as many jurisdictions continue to studiously ignore cyber education. The key piece to this puzzle is policy that creates a responsive, responsible Canadian cybereducation system.
The Solution: A Viable 21st Century Canadian Education Ecosystem
As both James and Kyle mentioned in their talks, technology moves so quickly that large public services are always going to struggle to keep up, but an agile edtech sector could help with that. Startups and small businesses can pivot to keep up with technology emergence in a way that larger organizations struggle with – that’s why Google and the rest buy agility rather than trying to produce it in-house. The problem has been Canada’s pigeon hole approach which doesn’t aim to produce a coherent ecosystem of interrelated programs that provide a comprehensive Canadian shield.
As mentioned, the issue of regional school boards and provincial ministries making it difficult for anyone outside of these insular systems from collaborating with them is a key problem. We can’t leverage digitally literate industry partners if they have no way to effectively communicate with education delivery systems.
The solution is to connect the federal government with the Council of Ministers of Education, Canada and The Insurance Bureau of Canada and design a centralized approval process that connects Canadian not for profits and industry edtech expertise with provincial ministries and clears the way for access to credible cybereducation materials and best practices through internal communications with education systems across the country. Instead of individual boards doing cyber badly, a national partnership with a wide range of technology specializations and strengths would work together to build solutions at scale while also ensuring that these solutions are prioritized. This relationship would also prompt meaningful updates to curriculum instead of the current ‘in a bubble’ approach that produces material well short of what is needed to prepare graduates for our technically challenging future.
In such an environment a startup like James’ Cyber Legends, or an internationally partnered and long running national competition like CyberTitan would pass NIST levels of cyber-review nationally and then be welcomed into a Canada-wide edtech ecosystem that works through each provincial and territorial education ministry directly into school boards. Any edtech company working outside of this framework would find itself where we all do now: on the outside unable to make any significant change. But those who meet this national standard would be considered trusted internal partners with access to federal funding and direct internal access to provincial education at both the ministry and district levels. No more trying for years to find a person who may (or most likely doesn’t) exist in a local school board who is in charge of cybereducation.
This ecosystem would reward collaboration. Members that don’t want to collaborate would find themselves removed. Those that want to do want to partner to build a more secure and digitally literate Canada would work with other members to produce complementary resources that allow teachers from all corners of the country to develop meaningful digital skills, including the difficult ones to deliver like cybersecurity. These members would find funding and partners who ensure that their programs are successful and always ready to keep up with the impressive rate of technological change we’re all dealing with. This would also give those providing federal funding clear guidelines for who they should be supporting.
The stick would come through policy changes that are both legal and regulatory. Any school board (and by association ministry) not making use of these secure, partner provided resources for improving student data protection would find themselves both liable for any breaches, and also uninsured. Educational cybersecurity would no longer be a political blame game. Local implementation would still very much remain the purview of school districts, and ministries would remain very much in charge of funding their province or territory, but with focused federal support many of the associated expenses would be reduced through the centralization of resources. These savings would also be a carrot. With national cyber standards and partnerships that leverage the strengths of all members of Canada’s education ecosystem (federal government, private industry, national not for profit, education ministries, and local school boards), Canadian students would enjoy access to more Canadian made digital learning opportunities that raise digital fluency in a meaningful way, and they could do this while also exploring cybersecurity in a way that creates a more secure Canada. Imagine what all these cyber-aware students could do for our national security.
We have a habit of regionalizing our approaches to government in Canada, but in the face of wildly asymmetrical threats like cybercrime and (increasingly) international cyber espionage, we need to push back against this culture and build a collaborative defence. In doing so we would also create much richer digital learning opportunities in our schools that make Canada more secure and competitive in the networked, global economy.
The Solution:collaboration doesn’t end locally, regionally or even nationally in Canada
“It is paramount for all nations to have the expertise, knowledge and skills to strengthen their cyber-resilience”
I’m presenting a research paper a former student and CyberTitan (Louise Turner) and I have written about the disruption quantum computing will cause to cybersecurity encryption in the coming years. Doing this research with Louise has been both eye opening and very intellectually satisfying, but after 20+ years in the classroom I’m still very much a cyber-educator first and a cyber researcher second. It’s why I invited one of the next generation of cyber professionals to write the paper with me.
Looking at the program for the conference, the lack of talent and focus on developing cyberskills both in the population and in those interested in pursuing work in the industry isn’t a Canada only problem, it’s a global one. If we can repair Canada’s internal cyber-education system, we can then work with international partners to help them do the same. The cyber battlefield inherently favours the anonymity of hackers damaging our systems with impunity for their own gain, but through collaboration the defenders could become mighty.
As the GFCE so eloquently puts it: “Nations should work together and support each other with these capabilities, so that no country is left behind in their digital evolution. After all, a chain is only as strong as the weakest link.” Look for the Accra Call: a global action framework that supports countries in strengthening their cyber resilience being announced during the conference.
I’ve been in a series of presentations over the past couple of months where organizations are getting frantic about catching the ‘AI Wave’. This urgent need to feel like they aren’t missing out on a fad is understandable, but like so many emerging technologies, getting ‘into it’ won’t be effective if you ignore the foundations its built on, and the foundations of AI and the technology itself are… problematic.
You can’t have ‘generative’ AI without massive data sets to train it on. This data is scraped from the internet and then fed into systems that can eventually give users “a statistically likely configuration of words” that look like an answer. That’s right, the brilliant answer you just got on a generative AI platform isn’t really an answer, it’s a cloud computer cluster giving you its best guess based on crowdsourced data. None of that stops people from thinking it’s intelligent (it isn’t), and being in a panic about missing out.
Putting the fact that AI isn’t nearly as smart as the marketing portrays it aside for a moment, large data and the cloud infrastructure that stores and delivers it are a house of cards teetering on the edge of collapse. You can’t have AI without climbing to the stop of this wobbly infrastructure. How precarious is it? Data growth worldwide is in an explosive phase of growth (partially driven by the AI fad). Our overloaded storage infrastructure is under pressure because AI uses it much more aggressively that simply storing information. AI demands fast data retrieval and constant interaction making the rise in AI particularly problematic for our stressed storage systems.
We’re facing data storage shortages in the next couple of years because of our belief that the cloud is an infinite resource. It isn’t, it’s an artfully hidden technological sleight of hand. The irony is that our digital storage infrastructure limitations will also end up limiting our current crop of AIs as well.
One of the first posts on Dusty World was about dancing in this datasphere twelve years ago. Back then I’d found a quote by Google CEO Eric Schmidt talking about the coming information revolution:
I’d make a distinction between information and data. One is useful, the other is raw binary numbers and storing the majority of it is a complete waste of time and resources. Sussing out information from data is an ongoing challenge. That doesn’t change the fact that the amount of data being generated back then wouldn’t even register on the graph below, which looks like a runaway growth curve – you can make good money from all that data.
So, we live in a world that is well into an aggressive phase of digital growth, though very few people understand how any of that works. Even as we compile more content than we have in the entirety of human history to feed the attention economy, we also decide to play a sleight of hand game with machine learning on massive datasets just to see if it’ll work.
From an educational perspective, AI is in the wild now and ignoring it will only get you and your students in trouble. If we’re going to make functional use of this progenitor of true artificial intelligence, we need to teach the media literacy around it so that people understand what it is, how it works and how best to use it to amplify rather than replace their humanity.
I’ve seen a lot of people panicking about AI taking their jobs away, but if your work output is a statistically likely configuration of words, then you’re not applying much of your vaunted human intellect to the task at hand and probably should be replaced by one of these meh AIs. But if you’re one of those humans who actually thinks, even this stunted AI can be a powerful ally. In a fight for intellectual supremacy who would you think would win?
an empowered hybrid of the two
The move here during this awkward adolescence of artificial intelligence where we’re faking it until we make it is to leverage the tool to best effect. If effective use of AI speeds up our ability to gain actionable information in the chaos of data that surrounds us, then we can more quickly move on to the next real steps in technology evolution.
The other day I described AI as we currently define it as a hack to keep classical computing ahead of the data tsunami we’re living in. At the time I was surprised by how I described it, but classical computing is reaching the limit of what it can do. For the past few years we’ve been finding speed in parallel processing such as adding computing cores to CPUs rather than making faster CPUs. We’ve also been finding efficiencies in how we manage data such as creating more organized memory caches to better feed our processors. Ultimately, I feel like generative AI in 2023 is another one of these patches. It’s a way to make our overwhelming data cloud more functional to us.
This is from a presentation I’ve been giving that attempts to bring people into a better understanding of the hype. AI (even this meh one) will replace you if you let it, so don’t!
Digital technologies aren’t going to go anywhere, but they are a ‘low resolution’ way to compute. There is also the problem of reducing the complexity of reality to ones and zeroes. Mathematical concepts can help us understand relationships, but they will always be inherently reductive; they’re never the thing itself but a simplified abstraction of it. Digital reduces the world to ones and zeroes and at some point we’ll realize that this isn’t the way.
When we run out of nanometres like we have with electronics, the next step is a big one, but it’s one we’re working on globally as a species right now. In the next decade we’re gong to figure out how to use the building blocks of nature itself to compute at speeds that classical computers can’t imagine. What will this do for our data clogged world? One of my hopes is that it will process much of that data into usable information, information that we can then use to solve this mess we’ve gotten ourselves into.
I’ll weather the current AI hype storm, but if you ask me what I’m really excited about it’s artificial intelligence realized on a faultless quantum computer. The future beyond that moves in directions I can’t begin to guess, and that is exciting. imminent and absolutely necessary if we’re going to prevent a global collapse of human civilization. Some people might get panicky about that, but they’re the same ones who think a cloud based statistical guessing machine will replace them.
Cybersecurity is one of the more challenging subjects to try and bring into classrooms, even though every one of them depends on it every day to function; everything from attendance to lesson content happens via networked computers in 2023.
Few people have advanced digital media fluency when it comes to using software and hardware, but that’s just the tip of the iceberg with cybersecurity. It also depends on skills from many other technical subjects that don’t get much attention in K-12 classrooms, such as software development, networking, information technology, IoT and programming, but not just high level stuff, you also need to be comfortable looking at firmware and low level coding.
Cyber skills aren’t just about leveraging these interdisciplinary technologies though, they’re also about discovering, understanding and resolving the many points of failure inherent in them. This is something most people feel very uncomfortable doing. For the vast majority of users, when technology goes wrong it’s someone else’s problem. Even for the people who build and maintain networks, the dark arts of cybersecurity cause great unease.
One of my hobbies is restoring old motorbikes. There is a strange parallel to cybersecurity in this. Many mechanics won’t touch old machines because they don’t lend themselves to modular parts swap fixes, which is how all modern shops work – technicians don’t fix things, they replace them. Diagnosing an old machine takes patience and sensitivity that many mechanics haven’t learned in our digital world of part numbers, modular engineering and timed repairs to maximize profit. I’ve talked about this before in relation to Matt Crawford’s books and I think there is a corollary with IT and cybersecurity. Many of the people who build and maintain our systems aren’t interested in how they might break, they are only interested in keeping them running as cheaply as possible. That’s good for running your enterprise system as long as there are no surprises, but not so good if you want to build something bespoke or prepare for the many nasty surprises out there.
I was thinking about this challenging situation after attempting to convince school board IT departments from coast to coast about the technical requirements of the CyberTitan/CyberPatriot competition. I’ve been told again and again by people struggling to provide IT support in schools that they won’t run VMWare or Cisco’s Packet Tracer simulator because they:
1) are viruses (they aren’t, though they are a great tool for safely examining them)
2) pose a threat to their systems. They don’t – they actually do the opposite, but training people in the arcane cyber arts scares many of the people managing IT in education.
Virtual machines are used in cybersecurity (and network building) to test software and network environments. By examining a virtual machine cyber operators can explore how a machine has been compromised and what they might try to repair it in a safe (virtual) environment. VMWare is one of the biggest players in this field, and cleaned up at last year’s cybersecurity awards, yet many board IT departments declared it a hazard. I suspect the hazard is in teaching ICT and cybersecurity best practices, and isn’t that a tragedy?
I sympathize with the IT departments I’ve communicated with. They are responsible for running complex enterprise systems that support hundreds or even thousands of users with varying levels of system access (administrators, office staff, teaching staff, building maintenance, and more). That’s more than many IT departments manage in other industries, but educational IT also has to serve tens of thousands of vulnerable sector clients (students), all of whom are coming at them with a staggering array of hardware and software without any real training on it. To make it even worse, most of them will be connecting to these systems using out of date and possibly compromised machines.
An attack surface is a concept that helps cybersecurity types better understand how a bad actor might exploit their network. The software you’re using, the hardware it runs on, the network you’re logging in from, other software installed on your device, the operating systems you’re using, and the systems that connect it all together along with all the cloud based stuff you depend on are all components of a modern attack surface, and the education one is particularly complicated.
One of the last big network installs I did before I went into teaching was at Glaxosmithkline in the early zeroes. This was a network of hundreds of desktops, hard wired via ethernet into an onsite server that provided all the ‘cloud’ they needed. The desktops all ran the same operating system and software on identical hardware. No one on this network had internet access, closing down a massive headache in terms of attack surface (internet access in a world experiencing a digital skills crisis is a nightmare!). This kind of simplicity is a distant memory in 2023. With our rush to the cloud, attack surfaces now include all the online managed systems we so gleefully replaced our secure networks with. BYOD and off-site work only pile more complexity on.
Comparing that GSK network to any modern education network is an apples to fruit salad comparison. On any day at dozens of school and administrative sites across a board you’ve got a nearly infinite number of different devices logging in, from phones with varying software packages (most of which are probably out of date and may well contain malware) to other personal technology (tablets, laptops, etc) all peppering your network with requests that may be school related or (more often) not.
To try and mitigate this complexity inflation, many boards have dumped computers that do onsite computing (like desktops and laptops) in favour of an easier to manage (because it can’t do much) chromebooks. These simple machines can’t get infected like a fully interactive operating system can, but you’re still susceptible to fake browser extensions and compromised websites. This is usually solved by preventing users from customizing their chromebooks with extensions, further reducing what they can do.
With all this in mind, I was struck the other day by the idea that educational IT departments are missing a key component: a department focused on enabling technology empowered pedagogy (the reason we have schools… remember?). Early on in the edtech revolution we had OSAPAC in Ontario, which vetted software and created a provincial bank of safe to use software for learning digital skills in classrooms. With the rush to cloud based systems, OSAPAC evaporated and most school systems fell in with multi-nationals offering ‘walled gardens’ such as GAFE (Google Apps for Education) or the Microsoft equivalent. As this migration happened, teachers and students lost access to essential digital media literacy opportunities, especially when it comes to advanced digital skills such as 3d modelling, game design or cybersecurity.
A way to combat this skills deflation would be to create local IT support units dedicated to providing teachers with digitally enhanced student learning opportunities instead of starving us of them. I’d go a step further and suggest that the messy enterprise side of things that is such a headache should become the responsibility of the Ministry. Many cost savings and security enhancements could occur from centralizing these systems. It would also mean that students and staff moving between boards would be able to migrate more easily because everyone would be on the same systems. There would also be opportunities to collect provincial data more easily that would support better education policy, not that we like to collect data before making education policies in Ontario.
This does not mean the end of regional school board IT departments. Instead of chasing the tail of impossible enterprise expectations with insufficient funding, they would be provided by a central provincial authority with the secure standards and proper support. Imagine how much we might save if every board in Ontario isn’t reinventing the wheel over and over again with varying degrees of success.
Local school board IT departments would be entirely focused on working with their teachers to find the best hardware, software and cloud based learning opportunities based on the needs of the programs they are running. Instead of saying no and reducing technology access to enhanced pedagogical learning opportunities in our classrooms, our local IT departments would become sources of local technical expertise focused on helping public education close an ongoing digital skills crisis.
I’m writing this in a hotel room in the north end of Toronto the night before attending the Ontario Public Sector Cybersecurity conference. I want to believe that the people at this event are taking the challenges of technology enhanced education, including the tremendously difficult task of engaging with cybersecurity learning, seriously in 2023, but I fear it’s going to be all cartoons and platitudes. Here’s hoping.
I’ve been lucky enough to find myself in Canadian classrooms from St John’s to Vancouver over the past year. Canada is the only developed country in the world without a national education strategy, so this isn’t something many educators get to experience. The only people who do span our country are the edtech companies that have surged into being to resolve a digital skills gap that doesn’t look to be going anywhere any time soon.
At its heart the widening digital divide is a inclusion and equity problem. Students who can’t afford tech at home lack familiarity and fall behind when schools bring it in with no training for staff or students. It would be more productive if education in Canada did more than talk about DEI, but that would require vision which we lack.
In my travels I’ve come across many edtech ‘solutions’. These often involve off-the-shelf technology that has has been branded to meet a specific need in a ‘turn-key’ way so learning essential digital skills doesn’t actually require any on the part of the instructor. Of course, this all comes with a huge bump in price. I love seeing $15 open source Arduino microcontrollers paired with $10 in sensors and called a ‘climate change’ edtech kit, yours for $80! In many cases a hard sell accompanies these kits that are guaranteed to teach the STEM skills you don’t have. UNESCO has something to say about this global phenomenon:
The frustration around this has been gnawing at me and when I woke up this morning I had the edtech hockey stick floating in my mind, so I made some marketing for it:
It’s satire, it’s supposed to be over the top or it won’t land the satire.
The hockey metaphor (I hope) brings home the absurd nature of the edtech dance we’re in. Anyone who actually plays hockey will take one look at it and laugh. It looks like it might work like a player goalie stick, but it will actually do neither job – it’s the product catering to ignorance.
The actual solution is to learn digital technologies and media from the ground up instead of implementing patches like Chromebooks, the edtech hockey stickest of them all. This is a one trick pony that ties learning to a single multi-national’s browser and cannot provide any locally processed content. The cloud is where edtech solutions thrive because you can easily monetize access. The hard sell for strapped school IT departments is that Chromebooks don’t give you network headaches because they can barely do anything. Like the edtech hockey stick they look like they can do it all.
There is no such thing as “Canadian Education”. The PISA results everyone waves the flag about happen on the back of the four largest provinces. If you’re elsewhere in the country you may be below the world average.
“PISA results show each of the Big Four provinces of Ontario, Quebec, Alberta and British Columbia achieving significantly higher average reading scores than all G7 member countries except, of course, Canada. The Big Four also outperformed five of these six G7 countries in math and science (the exception being Japan, which scores below Quebec in math and below Alberta in science).”
“…if we only consider PISA results for the remaining smaller six provinces, Canada fares much worse, placing 17th in reading (below the United States, the United Kingdom and Japan), 18th in science (again, below Japan, the U.K. and U.S.) and 30th in math, just below the OECD average.”
That edtech companies are feeding off this siloed inequity is part of a larger problem. Next round of PISA is looking at digital skills (because we’re in a global shortage). I’m curious to see how that gets politicized. Wouldn’t it be something if we actually did something about it?
To my surprise I made the finalists list out of hundreds of applications from across the globe (Netacademy runs in almost every country in dozens of languages – it’s a truly global platform). When I read about some of the other finalists I was thrilled just to be included with them.
On August 15th I was driving through the countryside to the University of Waterloo, listening to the awards being announced on spotty cell phone coverage. It cut out just as the innovation architect award was announced and then came back for the next award, so I didn’t hear I’d won when it happened.
At CEMC at UWaterloo I took a room full of computer studies teachers through cyber-range activities and while that was going on we heard that I didn’t just win the Innovation Architect Award, but also the Shooting Star grand prize which has me in NYC in mid-September for the Global Citizen Festival.
.As part of the prize Cisco gave me some communications and asked for shoutouts, and there are many. Innovating can often feel like a lonely exercise where most of what you’re doing seems to aggravate management, but it’s really a collaborative exercise, otherwise you’re by yourself in a room doing cool things that no one else knows about. The idea of a lone inventor hidden away working on their own is a fiction.
I could never have built the program I developed without getting my school board onside. There are two people in particular who became supporters and advocates for the unique work we were attempting. Charles Benyair was our SHSM lead and he provided the resources that my school would not to get us in motion, and Sandro Buffone in our IT department made a point of understanding what I was trying to do and helped clear away the technical bureaucracy to let it happen.
Convincing students to take on an international competition in a subject we’d never studied before was a challenge, but Cam, Cal, Nick and Justin were seniors in 2017 and bravely jumped into cybersecurity with me. We learned new concepts and got a handle on things to such a degree that we discovered we were going to the first Canadian national cybersecurity finals in Fredericton. Three of those students had never left the province or been on a plane so you can imagine the impact.
As the teams gathered for a photo I happened to be standing next to Sandra Saric, the vice-president in charge of CyberTitan at the Information & Communication Technology Council (ICTC). As the photo got taken she said under her breath, “where are all the girls?” Out of seventy odd students only a handful were girls. That observation put me on a mission.
Sandra went back and established a program for encouraging all-female teams to sign up and I went back to my junior computer technology classes (the exacting gender expectations of our rural high school make sure that there were no girls in senior computer tech classes) and cajoled six girls to give it a try. That next year we had three full teams instead of two-thirds of one. I encouraged them to find a name that speaks to their experience and the girls came up with the Terabytches (terabyte with a twist).
Those six pioneers faced derision from our school and when they went to nationals a member of one of the other all-male teams said to one of them, “you’re lucky you’re pretty, because you suck at this.” That year emphasized for me how important it is to give girls their own space away from the often corrosive male culture that forms around technology.
In a radio interview in Ottawa at those finals Rachel said something that stuck with me. “We used this name so that it couldn’t be used against us.” 2019 was an incredible year for getting my head around diversifying access to technology learning, particularly in the hyper-male dominated field of cybersecurity. But it was also a year of finding allies. Joanne Harris at the school board enabled us to attend nationals by coming along as our female chaperone and I got to meet Diana Barbosa, Sheena Bolton and Hayley Heaslip who ran the competition.
That summer Philippe Landry from Cisco Canada got in touch and asked if I’d be interested in working toward my CCNA Cyber Operations Instructor qualification. My last I.T. certification was CompTIA’s Network+ way back in 2002, so this would be my first run at a technical certification in seventeen years, and in a subject I’d only been looking at for a couple of years. Claude Foy at FTI in Quebec was my instructor and he was patient and very giving of his time. Over the summer I became familiar with Wireshark and all sorts of other cyber-tools and in September I wrote the exam and became the first K12 teacher in Canada qualified to teach cyber operations – I think I am still the only one five years later. Yes, innovating can sometimes feel a bit lonely.
Attending Cisco Live in the fall of 2019 I was again reminded of just how cloud based (and cybersecurity dependent) things have become. I also attended my first University of Waterloo Cybersecurity & Privacy Institute conference (bringing a bus load of students with me) which opened my eyes to the current state of networked technology where we’re barely hanging on. To underline that I had my local OPP detachment asking if I could forensically analyze digital evidence for them because they weren’t resourced to do it themselves.
We ground through the pandemic but CyberTitan was one of the few events that never cancelled on us. The diverifying of our teams in 2019 led to a richer and more effective co-ed senior team. Some of the girls wanted to join the best of the boys and that mix of skillsets led to a string of top five finishes including a top defender award. The girls team also continued, missing nationals in 2020 but earning top wildcard spots in the ’21 and ’22 finals.
In 2022 I discovered that I had been seconded to ICTC for the year to advocate for and support cybersecurity education nationally. In this role I’ve been in classrooms from Newfoundland to British Columbia and many points in between. I’ve supported two new provinces in joining the competition and continue to bang my drum for recognition of essential Twenty-First Century digital skills that are so often ignored in our school systems, like cybersecurity.
This spring I joined Katina Papulkas’ Dell K-12 Education Innovation Accelerator, Part of that program was an opportunity to mentor with someone in the edtech space and I was lucky enough to be placed with Julie Foss, who helped me re-contextualize myself in my first role out of the classroom in two decades.
The experience empowered me to apply for the Cisco award. Had I remained lost at sea in terms of understanding how to do what matters in my new role, I would never have done it.
Innovation is often lonely work. It can antagonize status quo types who are intent on maintaining a system that put them in charge, but innovation is also thrilling and can empower those not privileged by that status quo. If you’re serious about diversity, equity and inclusion, innovators aren’t people you want to be labelling as troublemakers, they’re simply committed to finding a better way.
The other nice things about innovation is that you meet the most interesting people. From Ella in UBC to Kyle at Inspiretech to Eric George at the CPI, I’ve had the opportunity to meet some fascinating people who don’t status quo anything and are always looking for that better way. Cisco, both as a company and as individual employees, have been wonderful enablers of innovation, providing me with resources in a subject that everyone uses all day every day in every classroom, but almost no one teaches. Being acknowledged as an innovator by such a forward thinking organization makes me think that I’m on the right track, even if annoys some of the powers that be.
Imagine you’re buying a car from a reputable manufacturer. That manufacturer doesn’t build all the components itself. It partners with other reputable manufacturing specialists and works with them to tight tolerances so that all the bits fit together and work properly.
In a tightly controlled supply chain like that you end up with complex systems that can take you hundreds of thousands of kilometers through extreme environments with only regularly maintenance. When engineering is taken seriously like this, amazing, resilient machines are the result.
If your car was built like the cloud infrastructure your business/school/government depends on to operate every day, your ‘manufacturer’ scours the internet looking for free bits and pieces of code that will do a job that they can’t be bothered to code themselves. This freeware, often taken without consent and seldom supported, becomes part of a stack of under engineered software that makes your magical, money saving cloud infrastructure work. Any time someone decides they want additional functionality, another piece is patched into this mess.
Imagine if your car was built like this. Every tire would come from a different manufacturer with different specs but they all got chucked onto the car because they filled a need at that particular moment. Some of the tires come from tire manufacturers, some came from a guy who thought he could build a better tire in his shed, and they’re all different makes and sizes. Some are tested for safety, some aren’t even legally tires. The other parts of your franken-car would also be sourced like that, with simplistic needs met but with little thought for integration or upkeep. Some parts of your rolling nightmare are updated regularly, others never have nor will be, meaning what fit together this week might not next.
One day your engine bolts might update themselves and suddenly the motor won’t start because nothing fits. The horn that got installed might not actually be a horn but a fire hazard waiting to burn your new car to the ground when you press the button. You might be running a 1990s transmission with a 2023 chassis that only superficially work with each other but will fly apart the first time you take a corner.
If there were any consistency in how open source software is integrated into business systems, this might work, but in most cases complex cloud based information management systems are cobbled together collections of corporate systems and under-resourced open source freeware. Why would this chaos suit some companies?
The stack of hardware and software your data passes through to use the internet is staggering. On your computer (laptop, smartphone, whatever, they’re all computers) you’re using a browser likely made by one company on an operating system made by another. The drivers that run the hardware that connects you online are a third company and in all three cases they may well have ‘grabbed’ some open source software to make their piece of the puzzle work. Once your data actually leaves your device it hits your router that is running another bunch of hardware and software before getting fired out to your internet service provider (ISP), who is running goodness knows what (but probably with ample amounts of ‘free’ open source software). From your ISP your data bounces from server to server on its way to its destination. If you’re reading this through social media connections you’ve now picked up all their bad habits (Twitter, Meta, Google, though notice that they all make monetizing free software like a community service). In many cases they throw trackers on your network traffic so they can sell to you.
This mad hack-fest is how the internet works and it’s how the cloud based programs everyone finds so convenient are built and maintained. Your ‘mission critical’ new cloud based accounting software depends on the slap dash engineering to work… all day, everyday. This approach almost begs to be abused, and it is.
How can we possibly secure this mess? Well, it’s nearly impossible, which is why you see so many criminals taking to this new frontier. The people using this technology are now decades into a digital skill crisis that shows no signs of ending, so the people who drive these terrible cars don’t have the skills to know just how bad they are. Our information and communication technology illiteracy also affects management who make ill informed decisions about how to integrate technology with resilience and best engineering practices first.
Imagine that you are the under-resourced mechanic for that franken-car. When something breaks you may find that it doesn’t fit into what the car has changed into as other parts got upgraded. You might find that the intention of the part you need to replace was misunderstood and it wasn’t the right thing to use in the first place. Whenever you open the hood you’re not expecting to see branded parts that were designed to be engineered together, you’re seeing a hodgepodge of bits slapped together to work in a given moment. Your maintenance of this car becomes a panicky grab at anything that might make it work, which only makes things worse.
That under-resourced mechanic has a lot to do with cybersecurity specialists. When I read an article like this scattered piece in the Globe and Mail I get a sense of just how panicky and clueless management is. What’s particularly galling in that article is the insinuation that many cybersecurity experts are somehow untrustworthy criminals because they’re able to recognize the under resourced mess we’re sitting with. Incredible.
Cybersecurity is an uphill struggle. You can expect the systems you work on to be cobbled together messes, your operators don’t know what they’re doing and the people working against you (many with organized crime or foreign government support) only have to get it right once while you have to get it right (on a nightmare software stack) everyday. It’s no wonder we’re in a decades long shortage of cyber-talent and seeing burnout becoming a major factor.
The decision to start taking online security from software development up seriously is going to take a revolution in thinking. Perhaps the coming quantum disruption to encryption in cybersecurity will prompt this change. The hacked together mess we’re working with today is begging to be burned down and redone properly.
“Talking Points – Canada was short on cybersecurity workers five years ago and the problem has only worsened – One in six jobs goes unfilled in protecting data and critical infrastructure – the cybersecurity workforce is older, whiter and more male than the general population”
When things get hacked in school boards, the learning stops pretty quickly as most now depend entirely on networked education technology to communicate lessons and learning. Cybersecurity also underlies the supply chains that provide the fuel and food we depend on and the financial systems that grease all those wheels. You’d think support of it would be obvious.
It’s Twitter though so self interest will always trump the collective kind – until there is no food, gas or electricity because our critical infrastructure is crippled in a cyber-attack. What struck me about this response was how insulated the thinking is.
The response that education shouldn’t chase job training is a common one in education. As a poor immigrant kid whose family struggled to make ends meet, it’s also one dripping in old settler generational comfort and privilage. If you are so sheltered that you can spend your time in public education finding yourself, then good for you; the rest of us are trying to feed ourselves.
Perhaps watching my family crash through bankruptcy while I was in high school put a unique spin on my experience. I dropped out and went to work because it’s what I had to do. A bit more time in class helping me find what I’m good at and then directing me into it would have been appreciated. It doesn’t all have to be about job preparedness, but stubbornly refusing to acknowledge it at all feels politically self serving.
When I started teaching in my mid-thirties, one of the senior guys in the department asked at lunch, ‘do you know why you never see a guidance councillor looking out the window in the morning? Because then they’d have nothing to do in the afternoon.’ I’d only just started teaching and didn’t know many guidance councillors, but my experience as a student with them wasn’t positive. What I can say after 20 years in public education is that guidance is one of those roles that you never see people leave. Classroom teaching is tough. You seldom even have time to go to the toilet. You’ll see a lot of people try it for a couple of years and then bail on the profession entirely. You’ll see others work their way into ‘support’ jobs outside of the classroom as soon as they can. Bright eyed twenty-something VPs are a fine example. My litmus test for if those jobs are easier than the classroom is how often I see people move back to teaching to get out of them. The answer is: you don’t.
A few weeks ago I found myself at dinner with a very smart person who is a leader in educational training. They said something that stuck with me. The problem with the education system is that it’s mainly populated by people who have never done anything else. The vast majority of educators attended K-12 schooling (where they felt very comfortable), went straight into university, got their undergraduate degree and then bachelor of education, and then immediately returned to K-12 education. They have never been in any other circumstance beyond the education system. They have never worked in a non-unionized environment. If we’re wondering why education has trouble evolving, this is at the core of it.
That insolated world view is where you get comments like, ‘education isn’t job training!’ Perhaps that should read, ‘education was job training for me, but it isn’t for you!’ That explains the politically self-serving piece.
A quick fix would be to require all teacher candidates to have at least one year of life experience beyond the education system they’re so comfortable in. Perhaps then the status quo wouldn’t seem quite so inevitable.
Back in 2014 I had one of those strange moments when I suddenly found myself freed from the day to day necessities of the classroom and thrust into a space where I had time to think about pedagogy. I once had an administrator tell me, “what does pedagogy even mean anyway? It’s one of those words that doesn’t mean anything.” I’ve never felt that way but perhaps that’s because I’ve focused my career on teaching rather than getting out of the classroom at the earliest opportunity. Throughout that career I’ve clung to moments of pedagogical best-practice in a sea of compromises.
The main purpose of schools is to run a schedule that has students in set places at set times to the benefit of adults. You can call it daycare if you want to, many people treat it like one. Order and regularity are the primary functions of school organization, not learning; hence that astonishing observation from someone who is focused on managing it. Being a teacher committed to teaching has often put me at odds with this reality.
I hesitated to get into education for a long time because I found it a dehumanizing experience as a student.
This is the expectation people have around technology integration – it’s supposed to improve learning! But scores continue declining.
Over the Easter long weekend in 2014 I was invited down to the ASU/GSV Summit in Phoenix. Stepping out of the moribund but relatively well funded Canadian education system into the ‘breaking bad’ of America where teachers live just above the poverty line and everyone is fixated on common curriculum success dictated by standardized testing (you don’t get to be the 25th best education system in the world by chasing pedagogy!), I wasn’t sure what to expect, but there were a lot critical thinkers at this summit.
One that really rocked me was Brandon Busteed who stated (to the astonishment of everyone present) that, ““Educational technology has failed to move the needle on either cost effectiveness or student success in the past ten years.” He then showed statistically significant drops in literacy and numeracy even as the buzz around educational technology as an answer to everything was at a fever pitch. You’d think we’d have come around to a sensible integration of digital technology in learning nearly a decade later, but post pandemic things are even worse.
PISA Results from that time show statistically significant drops in learning. Things haven’t improved even with accelerated technology use. On top of that, COVID proved that we were unable to leverage ICT even during an emergency to preserve essential learning.
Post COVID we’re in a recovery situation because we couldn’t leverage technology to work through pandemic lockdowns. We had the tools but most people in education (children and adults) have no idea how to use technology to actually improve (or even provide basic) learning opportunities. On the back of forced rapid technology integration due to the pandemic, our learning outcomes have gotten even worse. Our information revolution has made data so much easier to access and manipulate, but not in education where we used digital to imitate the paper based systems we clung to long after the rest of the world had moved on.
Looking back over a teaching career spent in the middle of an ‘education technology revolution’, I’ve been frustrated at how technology has been applied in the classroom. Coming out of information technology into education in 2004, I found that classrooms were a decade or more behind the businesses I’d just been supporting. I was even more surprised to see schools going out of their way not to engage with digital learning opportunities – banning them for the longest time before reluctantly adopting them with no training or education (for staff or students) around their use. This delay resulted in educators being LESS digitally literate than the students they serve. As a result, digitally delayed teachers weren’t thinking about how edtech could enhance pedagogy because they were some of the least capable of doing so. Delaying digital integration has damaged both staff and students.
We’ve fumbled one of the greatest opportunities to improve education in the past century and have integrated technology so poorly that it actually reduces student success rather than amplifying it. We turned generic, paper handouts into generic, online documents, ignoring opportunities for collaboration and individualization that fluid digital information systems offer.
That rush to imitate paper based education on screen resulted in a drop in photocopying budgets which thrilled administration, but what we lost in printing costs we more than made up for in having to buy screens for everyone (something we still struggle with). Neither way is particularly environmental, but the screen route produces more waste and uses far more energy while reducing learning outcomes in digitally illiterate classrooms where students taught on home entertainment systems can only see digital devices as toys. This shell game of showing small cost reductions moving away from paper while ignoring the massive costs of edtech has further diminished our ability to focus on pedagogical best practices. Less money in the system is less money in the system.
We’re facing a generational digital skills shortage that highlights our failure to engage with digital literacy in a meaningful way. Teachers are less digitally literate than the general public because they’ve been working in this moribund system determined to ignore the benefits of digitally enhanced pedagogy. We have digitally oblivious teachers depending on students who have been told that they are digital natives and don’t need to learn how technology works because they can turn on an X-Box. You don’t need to look hard to understand why education makes such a juicy target for cyber-criminals. When I reach out in my current capacity as a cyber-focused educator I’m told by ministries of education across the country that online safety is covered in health class. Yes, you heard that right, phys-ed teachers are covering cybersecurity training for our students (or more likely skipping it).
What we’re heading towards if we continue to ignore digital pedagogy! This was made with the Dall-E 2 AI image generator!
How would this educational technology revolution that never happened have gone down in a better world? We would have started integrating digital technologies as they emerged and teaching cross curricular digital media literacy as soon as we began using the technology. Rather than offloading digital fluency to home life and creating a skills gap that widens inequity, we would have taken responsibility for the technology as we adopted it.
As digital media literacy improved, teachers wouldn’t be behind the rest of society in terms of technical fluency and would have worked towards developing digitally empowered pedagogy that uses the benefits of easily accessible and malleable information to create a radically individualized approach to learning that produced truly equitable learning outcomes for all. This targeted approach to learning also streamlines the industrial education system into a more efficient and agile format.As cloud based technology emerged, these digitally fluent teachers engage data science to produce deep understandings of each student’s learning journey. These personalized data clouds are leveraged to produce bespoke learning outcomes. Instead of using digital technology to imitate class based, low-resolution lessons from the age of paper, we leverage our ICT revolution to take advantage of the fluidity of digital information. As we move away from the old, low resolution model we start to see astonishing efficiencies in student learning.
Our schools have evolved in the past two decades from age-based 19th Century storage units to smaller, agile, digitally empowered community learning centres where students work towards their own learning mastery. This individualized learning environment empowers students to take control of their own educational journey. School is no longer something being done to them but something they discover about themselves.
That education system resiliently leveraged digital empowered pedagogy to individualize and empower students across all interests and subjects. During the pandemic this education system leveraged its digital expertise to connect students, reduce social anxiety and keep learning alive by using our networked world effectively rather than treating our illiteracy in it as an excuse to quit.
Rather than being an easy target for cybercriminals, education is fortress of cyber-fluency where staff and students demonstrate exemplary digital awareness and integration. Instead of being the most likely to click on a phishing email, teachers are the least likely to infect their own networks. Schools are community centres of digital excellence that support their community families and local businesses in terms of technology support.
This better education system is agile and responsive, offering learning opportunities and variations in support for every student based on a detailed understanding of their needs. As a result, resources are applied in targeted, financially effective ways Low resolution reporting processes like report cards are a quaint memory. Learning reaches demonstrated thresholds of understanding leading students to graduate through curriculums at their own pace. Parents can access this data in real time and are partners in their child’s learning rather than arms-length critics. Some students would graduate in their early teens, others later, but everyone would graduate with mastery knowledge of the fundamentals including the digital fluency needed to succeed in the world beyond school.
Education delayed engaging with digital technology for as long as it possibly could, putting it and everyone in it at a distinct disadvantage in the modern world. This frustrates parents and anyone else outside of education systems to no end.
The delay in digital engagement has resulted in entire generations of teachers and students who are less digitally literate than the general population.
When digital adoption finally took hold education used it to replicate the same lack of individualization that characterized the paper based learning that proceeded it.
Technology integration in the classroom depends on digital familiarity at home because many teachers were less digitally familiar than the general population and most schools still struggle to provide equitable access to hardware.
The digital divide has grown because of this ‘leave it to the parents’ approach because some simply can’t provide this essential media literacy.
Classroom management headaches due to students misunderstanding that digital technology is a tool and not a toy are the direct result of this approach.
I was listening to CBC’s The House a few weekends ago. In it Scott Brison described the federal service as “offering BlockBuster service to a Netflix clientele”. We’ve been Dancing in the Datasphere in an ongoing information revolution for over two decades. Education has missed opportunity after opportunity to meaningfully engage with technology itself and the digitally enhanced pedagogy that should have grown from it. As it falls behind our schools feel less and less relevant to the society they claim to serve. As Brison suggested on Day Six, education isn’t the only government service struggling to integrate technology in a manner that citizens have come to expect. It’s particularly impactful in education because we’re hurting the people who need digital fluency the most: students facing a future immersed in it.
Instead of developing coherent digitally enhanced pedagogies and designing our schools around them, we use technology to stuff as many students as possible into an eLearning class that most of them don’t have the digital fluency to navigate. The eLearning course will likely be created using paper based, classrooms lessons converted to a digital format. If technology is engaged with at all it’s usually as a way to save money, but never to rethink how we might produce better learning outcomes.
It’s never too late to start developing digital mastery in a coherent, curriculum wide context. It’ll be an uphill struggle swinging one of the most backwards institutions around to catch the digital wind and sail into the future, but it could still be done…
“We’ve all become used to thinking of Gen Z as the first truly “digital native” generation. They were born when the internet was available to everyone and don’t remember a time when it wasn’t normal to carry a smartphone wherever they go and document their lives on TikTok and Instagram. Unfortunately, it turns out that this form of digital native might not translate to being able to work with the tools and technologies that are expected to shape the 21st century.”
The digital skills gap is an ongoing concern, but in building a successful digital skilling program over the past two decades I’ve trial and errored my way to an efficient process for getting students from thinking they have digital fluency to actually having it. Here’s how:
Step 1: Start Where People Are Most Familiar (I.T.!)
Information Technology (or I.T.) is where most people have regular contact with digital technology, though many people don’t know what I.T. stands for. The devices we live our lives on in 2023 all depend on digital infrastructure and incredible engineering to do what they do. To unpack all that and make people aware of how this technology works, you build it!
RCT Ontario is the local branch of the Computers For Schools national program that takes off-lease technology and gives it to schools and others in need. They are all you need to get hands on with digital technology. I’ve found that building a desktop computer from scratch is a great way to get past the bluster of self-professed computer experts (aka: students who have been told they are digital natives) and let them show what they actually know.
All digital technology follows the same basic foundation of hardware, firmware, operating system, software. The desktop is a modular, relatively easy to assemble example of this architecture, but everything from laptops to smartphones to ATMs to Teslas uses the same stuff in the same way.
By building their own PCs from scratch, students who have some experience fill in gaps and students with no tech background find that they have a clear understanding based on hands-on familiarity. This also does a lot to clear away misconceptions and myths around digital tech (like that digital native one).
Another good resource is PC Part Picker that lets students theorize their perfect PC. Once they have an understanding of the hardware and how it goes together, suddenly customization becomes a possibility and the generic tech that most people live with isn’t enough. Many of my grade 9s have built their own PC at home by the time I see them again in grade 10.
Cisco’s I.T. Essentials course is available for free on Netacademy and offers media rich, current online learning support for this hands on I.T. exploration. It also makes students aware of the world of industry certifications out there in information technology. Students starting in I.T. Essentials can work towards their CompTIA A+ computer technician certification which is the first step towards moving in many directions in the industry.
Once everyone has their hardware worked out, it’s time to get into operating systems. Like I.T. hardware, people have experience with OSes but seldom get under the hood. A good way to expand familiarity and get students interested in OS options is to have them build a multi-boot system on their DIYed PCs.
Our record OS stacks in grade 9 had many operating systems ranging from various versions of Windows (XP, 7, 8, 10, server, etc) along with multiple Linux distributions (an OS most students haven’t touched but one that runs behind a lot of the tech we use) all bootable off one desktop. Familiarity with many different operating systems is a powerful step forward from the ‘we just use Chromebooks’ approach many schools have adopted (Chrome OS is actually a version of Linux).
We can usually do the PC builds and OS stacks in a week of classes (about 6 hours of instructional time). In an intensive course you could get everyone hands-on and familiar with the architecture of computers and operating systems in a day (6-7 hours).
Step 2: Use Your DIY TechTo Scale Down and Explore Electronics & Coding With Arduino
The Arduino micro-controller is a simple digital device that does a great job of showing the basics of how computer code performs with hardware. It also introduces students to circuits and the electronics fundamentals that drive all digital technology.
Arduino is open-source (like Linux) and doesn’t usually come in a pre-fabricated activity/kit from your friendly neighborhood edtech for-profit with pre-set lessons and learning outcomes (a sure way to fail at developing real digital fluency).
With relatively small outlay you can collect together Arduino microcontrollers and basic electronics like LEDs and resistors and facilitate a hands-on understanding of the electronics that make the modern world work. Kits with many parts cost less than $80 and if you’re crafty, far less). We always used Abra Electronics in Montreal to keep it Canadian.
There are piles of Arduino projects that students can try, but we always worked through the ARDX Arduino circuits to get everyone familiar with how breadboards and circuits work first. The Arduino plugs into the student-built desktops with a USB cable and then runs software that lets students explore both coding and circuit building in a very real way.
This is another area where the bluster gets cleared away by demonstrated mastery. If a student tells me they already know all about electronics, I tell them that they only have to do circuit number five and then can go right into designing their own project. A few can show what they claim to know, but many struggle and then I gently redirect them to doing the circuits as a ‘refresher’. By the end of the Arduino unit everyone has tactile knowledge of the basics in circuit building and coding.
Introducing Arduino and running through the basic circuits typically takes about a week of high school classes, so it would be another day (6-7 hours) if students were in focused training to quickly develop these real digital fluencies.
Step 3: Using Your DIY Tech to Scale Up And Explore Connectivity & Networking
To get students the Arduino software and access to circuits on their desktops, you would have to connect them to the internet. After Arduino, students are more comfortable with their PCs and how they work, so it’s time to go upstream and tackle networking!
This is another intimate aspect of people’s lives that is often misunderstood. By having students build local networks with each other’s machines and pass data across, they again benefit from direct, tactile, experiential learning.
We then connect these local networks together into a class-wide network and watch data travel across it in real time, but the favourite part is stress testing the network to see how much data it can handle. Tools like LOIC (low orbit ion canon!) can be used to DDOS machines off the network by overloading them with data. At this point complex, multi-disciplinary specialities in digital technologies (like cybersecurity) start to glimmer in the distance. Anyone trying to teacher cyber from a place with none of these foundational understandings in place is going to have trouble.
Another good stress test is to set up an older LAN based game which requires inputting IP addresses and other details. It’s not often students have playing a multi-player game as a classroom learning target. You can guess how popular that is.
Tools wise, Cisco offers their Packet Tracer network simulator for free (you can become a Cisco Network Academy at no cost, which makes dozens of introductory ICT, networking and coding courses available). Packet Tracer lets students build complex theoretical networks and then push data through them to see if and how they work.
The networking unit typically takes another week of high school classes, so could be managed in a single 6-7 hour day. By the end of it students are experimenting with their DIY desktops on their DIY networks. The learning doesn’t get any more genuine than this and the result is students who are tangibly developing real digital fluency.
Step 4: Using Your DIY Tech to Explore Data Management and Programming Through an Introduction to HTML and How the Web Works
Coding takes time to develop, but an introduction to web design typically takes about a week to get students to the point where they know enough syntax to build a simple webpage. What’s nice about HTML is that there is an immediacy to it. You put in a command and immediately see the result.
Step 5: PLAY!
When you’ve got foundational digital fluency, you can chase down NASA complex projects! Here CyberTitans Vlad & Wyatt (also a 2x Skills Ontario medalist in IT & Networking) are building a Beowulf supercomputer!.. out of ewaste!
I’d run this in adult up-skilling as an intensive week of digital fluency training. The final day would be a student directed mini-project. For those who dug PC building, they can build something to a specific purpose. For those who dug the Arduino and electronics, opportunities to explore await, and for those intrepid few who enjoyed networking and data management/programming, they can chase down more complex connectivity or web development.
When I did my A+ training way back during Y2K it was an intensive week which gave me enough context to chase down my certification in a few months of practice and study. I’ve had a few students manage to get A+ certified as a computer technician while still in high school, but it’s a challenge due to the breadth of material. I.T. techs need to be familiar with older tech and newer tech as well as what’s current. That experience takes time, which is why my seniors do in-school I.T. support. Being dropped into real world technology complications helps they hone the skills they need to be an effective technicians.
Why Do this?
This level of hands-on technical familiarity could be established in 35 instructional hours. When I see Ontario dedicating more time to mandatory courses like ‘Career Studies’ I shake my head. This kind of digital fluency would actually lead to a career, but instead we have grade 10s, most of whom have no idea what they want to do for a living, spinning in circles for half a semester (it’s also one of the most failed courses in the curriculum). We could be delivering digitally competent students and close the digital skills gap, but instead we mandate mandatory eLearning, then we’ll wonder why that didn’t work either.
For those tackling adult re-skilling, I see a lot of cybersecurity ‘bootcamps’ that assume much of this digital fluency (much like K12 does) and then wonder why their dropout rates are so high. Cybersecurity is a multi-disciplinary specialization within ICT and you can’t get to it directly any more than you can expect an illiterate adult to tackle romantic poetry; you need foundations skills before you take on that kind of complexity. It isn’t an impossible ask, but it is one that needs to recognize the need to start from where people are at, which is further back than we think they are.
Resolving the digital skills gap and providing everyone with the fluency they need to operate effectively in digital spaces isn’t an option in 2023, yet we still treat it like one. Here’s the fix.