Districts cracking down on 'hackers'

In recent months, dozens of students have been prosecuted under state laws dealing with identity theft and unauthorized entry into computer databases.

Leslie Conery, deputy chief executive officer for the International Society for Technology in Education (ISTE), says students’ growing access to computers has opened up a new avenue for misbehavior.

“I think school districts and school boards need to expect that students will push the limits and push the boundaries,” she says. “And there’s a likelihood that more [student hacking] will crop up.”

School officials tend to view tampering with school computers as a serious crime -- not a harmless prank.

That reality came crashing down on three California high school students last year after they repeatedly hacked into school computers of the Elk Grove Unified School District. Originally charged with multiple felonies, the students agreed to plead guilty to misdemeanor charges, and each will perform up to 100 hours of community service.

The school district had requested $67,000 in damages to cover the cost of investigating the incident and implementing new security measures, and a judge will decide how much the students will be responsible for. The students also must pay for the mailing of notices, as required by a state identity theft law, to 70,000 students and teachers whose personal information was compromised.

The incident was one of three in the school district in the past year, says district spokesperson Jim Elliott. At least four students already have been expelled, and all have been charged by police or are facing possible prosecution.

“What might have been a game 10 years ago now can hurt us,” he says. “There is a lot of information [to protect]. We take any breach of security or change of data very seriously.”

Another group of students -- nicknamed locally the Kutztown 13 -- also faced felony charges after misusing school-issued laptops to download inappropriate material from the Internet, monitor staff use of computers, and attempt to hack into their school in Pennsylvania’s Kutztown Area School District.

Although some students and parents complained that criminal charges were an overreaction, school officials say they were given no choice. Despite repeated warnings, students continued to misuse equipment, and lesser disciplinary actions -- including detentions, suspensions, and removing their computer privileges -- did not deter the misbehavior.

Most students were offered deals to reduce the charges. And, despite the need to call police, Superintendent Brenda Winkler says school officials will continue to rely first on school disciplinary measures to respond to student hacking. But the district’s acceptable use policy for computers has been amended to include possible expulsion in the future.

Not every school district has flexibility on its response. In Panama City, Fla., three high school students started the school year facing felony charges after hacking into a high school computer to improve their friends’ grades.

Disciplinary actions usually are confidential, but one family asked for a public disciplinary hearing, and the result sheds light on how school officials wrestled with an appropriate response to student hacking. According to Tucker, the superintendent recommended expulsion for two years, but the school board opted for a lesser penalty: expulsion until the end of this semester.

Talk of student hackers prompts visions of computer whiz kids using sophisticated skills and tools to break into computer networks. And, in some cases, that’s been true: In Elk Grove, students used decryption software downloaded from the Internet and a keystroke recording device that identified passwords as teachers typed them onto keyboards.

But other incidents involved average kids who simply took advantage of a lack of vigilance: One student found a teacher’s password taped to the back of a computer monitor; another sat down at the desk of a teacher who left the classroom without logging off the district network.

Where student hackers have hit, school administrators have made a point of reminding staff to be smarter about security. Greg Lindner, director of technology services in Elk Grove, says employees were warned to reread security protocols and “take passwords seriously.”

But Steven E. Miller, director of cyber security for the digital district program at the Consortium for School Networking (CoSN), says tough rules on passwords, new computer firewalls, and other security measures are a lot like metal detectors: They work, but a better defense is to create a school climate that makes appropriate behavior important to students.

School officials need to do more to educate students about the responsible use of computers -- and why they’re important, he says. Students also are far more likely to follow appropriate use policies if they’re allowed to set some of the rules enforced in their schools.

“It doesn’t do any good to post the Ten Commandments of cyber behavior on the chalkboard and assume everyone knows what they mean and will obey them,” Miller says.

Conery agrees, noting that ISTE has developed technology standards that call for students to have a good understanding of the legal and ethical responsibilities in computer use.

There is a new generation of increasingly sophisticated “cybercriminals” who are hacking into the online financial networks, according to a recent report commissioned by McAfee Inc., an Internet security firm. Gangs of criminal hackers last year stole as much as $400 billion worldwide through Internet fraud, identity theft, and money laundering.

Although a far cry from the more modest -- and usually more innocent -- behavior of local students, such activity underscores the reality that hacking is a phenomenon of modern society.