These days, I stand in front of audiences and engage in what is politely called “public speaking” more often than even Mr. Gentry could have imagined when I showed up at the door of his desk 55 years ago with a wide-eyed expression of concern.
Mr. Gentry was a guidance counselor at Davis County High School. He was responsible for the class schedule. What brought me to his door was noticing that I would be taking a “speech” class that semester.
Before I could say anything, however, he said with foresight, “You’re probably wondering about the speech class. You will thank me one day. This “one day” has arrived. You were right, Mr. Gentry.
Public speaking occupies an important place in my professional life. I have spoken to groups large and small as an advocate for citizen engagement in state and local government. Speeches are an important way to get my message across to many people. But it’s just as important to hear what they think when I invite them to ask questions.
When the audience is made up of elected officials and government employees, I expect them to spice me up with tough scenarios about public meetings and public documents. I haven’t spoken to any school groups recently. But when the opportunity arises, I expect them to grill me with some of the real challenges faced by school administrators and their governing boards.
Such a real headache is going on in the Cedar Rapids Community School District. It played out a year ago at Des Moines Area Community College. And the Linn-Mar Community School District in Marion may also have the same headache.
The problem is cybersecurity and ransomware attacks which are carried out by unknown criminals. These individuals hack into an institution’s computer network and attempt to steal personal employee information and possibly private student information.
The Cedar Rapids District was hit by such an attack on July 2, forcing the cancellation of summer school the following week. A month later, the Linn-Mar District announced it was investigating the source of a problem that shut down its phones and knocked out its computer systems.
At DMACC, a cyber incident in the summer of 2021 forced Ankeny College to shut down parts of its computer network, end online classes, delay student enrollment in new classes, and cut service. Internet for several weeks.
It should come as no surprise that cybercriminals attack government institutions and attempt to obtain a ransom. Businesses in Iowa were also affected in this way, costing them a lot of money and extra labor.
There is, however, an important difference between private companies and government institutions. One belongs to the people of Iowa. The other no.
The Cedar Rapids School District paid a ransom in an effort to protect the personal information of its employees — 8,790 people in total. Information that may have been compromised includes employees’ full names, social security numbers, driver’s license numbers, bank account and routing numbers, and their personal medical information.
My government transparency radar goes off when I hear that school officials have refused to disclose the amount of the ransom, who it was paid to, or how it was paid. The school offers a free year of credit monitoring services to employees to see if their personal information is being used.
The attackers who hit DMACC last year also demanded a ransom payment. The college refused. But administrators are now also refusing to tell the Cedar Rapids Gazette how much ransom was demanded or how much the college actually spent on combating the security breach — for outside experts, for new equipment and repaired equipment, and for higher cyber insurance premiums.
Linn-Mar officials did not say whether personal employee or student information was compromised. They didn’t even confirm if a cyberattacker was responsible for the computer problems in this district.
If I stood before the Iowa school administrators or the Iowa School Boards Association to address their members, I would expect to be grilled like a cheap steak about my position on the board. Intersection of Iowa Public Records Laws and Information About These Cybersecurity Incidents.
I remind these officials that the Iowa Public Records Act permits school districts or other government entities to keep their cybersecurity procedures and emergency response procedures confidential. It’s just common sense.
No one expects them to be required to make public what the Records Act describes as vulnerability assessments performed on their computer networks, information contained in security and response plans, or the words passwords and security codes needed to access certain parts of their computer networks.
But it also makes sense that administrators should be required to make public, upon request, basic information of interest to taxpayers: this would include the amount of ransom that was demanded or paid in response to an intrusion by cybercriminals, as well as a tally of how much a school district or community college paid to clean up its computer networks after a cyberattack.
It would be detailed enough for the public to determine whether their local school district or college is taking all reasonable precautions to guard against such an attack. The public has the right to know if their local school is able to adopt the recommended safety measures.
After all, the cybercriminals who hit Cedar Rapids School District computers already know how much ransom they received and how they were paid. The only people now kept in the dark are the district’s taxpayers and the parents of its 15,800 students.
Even if a school’s lawyers show how these details could legally be kept confidential, I would remind school officials that secrecy is never a good way to build public confidence in the management of a district or school. ‘a middle-school.