Laurie Salvail, executive director of Cyber.org, spoke with EdTech about what the National Cybersecurity Strategy means for schools and how students can learn necessary cybersafety skills as early as kindergarten.
EDTECH: What impact is the National Cybersecurity Strategy having on K–12 schools?
SALVAIL: There’s always this balance in cybersecurity of convenience and security. IT teams need to find where that balance is for their district and for their students. It’s really challenging our IT directors to step back and think of these best practices in cybersecurity, even for something as simple as updating students’ email passwords and the passwords students use to get into their different accounts.
What I love about having a national cyber strategy and having these concrete approaches is the ability to determine what matters. Our schools are being attacked left and right with technology, and we need to come together as a nation and develop these best practices.
To have these higher-level officials strategize what’s appropriate at what levels — so that students, as they go to different states and as they change schools, are still set up for success — is really changing the American culture. It’s creating a set of individuals who know what the scams are and who know how to protect themselves.
EDTECH: Why is it so important to teach these cybersecurity skills at the K–12 level?
SALVAIL: As we give these devices to students, we have to prepare them to use the tech safely and in a way that empowers them to learn and become active citizens in the future.
Whether or not their job title has “cybersecurity” in it as an adult, they need the cybersecurity skills as U.S. citizens. It can help us protect the U.S. and ourselves, so this is a real-life skill for students.
By taking this skill and breaking it up in small ways, we can start to integrate these things into every classroom across the U.S. We don’t need full, hour-long courses about it, but talking about it periodically for 10 minutes is really important.
EDTECH: As teachers integrate these skills into every classroom, how can they teach cybersecurity to very young elementary students?
SALVAIL: I’m a past teacher. I taught for over 10 years in the classroom, and my first teaching position was in kindergarten.
We are giving kindergarteners devices. They are using them at school. Most of our schools now are close to a 1-to-1 ratio, even in kindergarten. But even if they’re not, students are using smartphones when they’re at home.
What are we telling them about these devices they’re using? Because they’re running into things that they shouldn’t have to run into, they need to know how to stay safe and secure. Malware attacks and phishing scams are things that 5-year-olds now have to deal with.
When they go to a site they didn’t mean to go to or something pops up on their screen that they don’t want to see, we need to help them understand that it’s not something they did wrong. It happens to all of us.
They’re playing games with people, but when these little kids interact with an avatar or a cartoon character, they often see it as a computer, not as a person. So, if a computer is asking them for information about where they live or what their real name is or anything that we would tell kids not to tell strangers, they see it as a computer asking or as a friend from one of their games. They don’t think of it as a stranger asking.
There are age-appropriate cybersecurity skills that 5-year-olds and 6-year-olds can learn in a way that gets them excited about technology and that protect them. We can scaffold that learning and get them in a situation where they are going to become our future workforce.
EDTECH: How can schools maintain this excitement about cybersecurity with older students and teach them age-appropriate skills?
SALVAIL: As soon as school’s not real life, students’ interest fizzles because they don’t see a purpose. But the cybersecurity topics are very concrete.
Right now, we have Cyber.org Range, which is a virtual environment where students can practice cybersecurity skills safely. They can go and launch attacks. They can try to defend their system against those attacks. They can see what happens when they open a phishing email and click on the link and what kind of data a malicious actor can get from these types of attacks. It really lets them practice true skills.
As students analyze what makes a good password, we start running password strength testers to see how long it would take for someone to guess a password or brute-force into it. Before you know it, you’ve got students who put their district passwords into a system like that, and they realize it’s good for three months, or maybe it even says two or three years. But they’re now in fifth grade and got it when they were in kindergarten.
It’s very different than someone simply telling them to change their password regularly. They can see how easy it would be for someone to get in and be a malicious actor, and that changes the perspective.