The domino effect of human error on technology systems—including those used by K-12 schools—showed its disruptive power in July when global cybersecurity company CrowdStrike issued a faulty software update.
The speed at which that mistake paralyzed all kinds of companies and organizations around the world that use Microsoft Windows systems was startling. Airlines delayed or canceled thousands of flights, hospital operations were jeopardized, hotel personnel had to personally escort guests to their rooms because key cards did not work, and 911 emergency systems in some places were not operational.
It was the perfect storm of technology chaos, prompting comparisons to Y2K, the techie acronym for predictions that chaos would erupt at the turn of the century as computers had trouble migrating from “1999” to “2000.” Those predictions did not materialize. But a headline in Time magazine shortly after the CrowdStrike/Microsoft tech meltdown reignited those fears: “Y2K Sent a Warning. The CrowdStrike Outage Shows We Failed to Heed It.”
This time, schools were lucky. Most were not in session except for some summer programs. But what would happen if something similar occured in the middle of a regular school week? That is a question school districts are grappling with in an age when just about every part of operating school buildings and teaching students is connected to their online networks.
The CrowdStrike tech disruption “is a reminder of how critical technology has become to both the learning and the business operations of the school system, and how loss of technology now can threaten the ability for schools to even operate,” said Steven Langford, the chief information officer for the 38,000-student Beaverton public schools in Oregon. “It becomes a tremendous challenge due to the safety supports that technology affords access to, and how connected it is to how students learn.”
Consider just a small sample of all the things schools use that are connected to the internet:
- student and teacher laptops,
- electronic hall passes,
- learning management systems,
- student information systems,
- security cameras and door access controls,
- food service payments,
- building temperature controls, and
- in some cases, even vending machines.
In Langford’s district, the connection from the school system to the internet is now 8,000 times larger than it was a little more than a decade ago.
Even for districts like Langford’s that do not use CrowdStrike, the ripple effects of such a tech meltdown could still hurt them, especially if they use the services of a vendor—such as the provider of a learning management system—that uses the cybersecurity service. That logic extends to other big technology providers and services that schools use, such as Amazon Web Services, Google for Education, and Microsoft Azure.
The CrowdStrike meltdown is prompting school district technology leaders to prepare
“Errors can happen. It doesn’t get the attention that cybersecurity does because of the malicious component of cybersecurity, but change management and being aware of the impact of potential failed changes” is very important, said Amy McLaughlin, the project director for Cybersecurity and Network and Systems Design Initiatives for the Consortium of School Networking, or CoSN.
CrowdStrike would not disclose how many K-12 schools or districts use its services. But a company spokesperson said in an emailed statement to Education Week that the company “proudly protects a significant number of K-12 schools, colleges, and universities across the country. We’ve taken a number of steps to prevent this incident from happening again.” The spokesperson said those steps are outlined on the company’s Guidance Hub.
But assurances from tech companies are unlikely to prevent the next global tech meltdown.
Don Ringelestein, the executive director of technology for Yorkville Community School District 115 in Illinois, knows that all too well.
His 7,200-student district was affected by the July CrowdStrike mistake because it uses a lot of Windows-based computers. Fortunately, he said, regular school was not in session, so the IT staff was able to get most everything up and working again within two days. But if this had happened during the school year, he said, it would have rattled teaching and learning plans, and disrupted the school district’s attendance and HR systems. Plus, IT staff would have been under much greater pressure to get everything back online as fast as possible.
Even so, Ringelestein emphasizes that “teaching and learning happened a long time before every student had a Chromebook. So, typically, teachers have a plan B so they can pivot to that in the event that their technology goes down.”
The pivot to analog systems is the exact opposite of what teachers did in March 2020, when the pandemic shut down school buildings. In the case of a tech meltdown, schools would have to take attendance with pencil and paper and hand-deliver those lists to the main office. Lessons that use online curricula would need to be replaced by printed materials or maybe an impromptu class discussion. Adaptive online quizzes in math would need to be postponed in favor of pencil-and-paper skill-building exercises or other low-tech approaches, and computer science classes would need to turn to physical manipulatives to teach about computer coding concepts.
The important thing, chief technology officers and tech experts emphasized, is that no matter where you fall on the technology literacy scale—whether you consider yourself a Luddite or a tech-savvy teacher—you need to have a Plan B. And, as tech consultant Melissa Tebbenkamp says, you need to be able to answer this question: “What does the classroom look like on Day 3 when there’s still no internet?”
Tebbenkamp, a former director of technology for the Raytown public schools near Kansas City, Mo., who now works as a technology leadership consultant with a focus on data privacy and cybersecurity, said when educators start to consider those types of questions is “when we start embracing this preparedness and understanding that it’s not just an IT issue, it’s a whole district challenge and risk that we need to mitigate as a leadership team. Can we leverage [what we know] to help decide what we’re going to do if we don’t have internet for a week on campus?”
Kris Hagel, the chief information officer for the 8,800-student Peninsula schools in Gig Harbor, Wash., is starting to have those kinds of conversations with people in the school community. He, too, worries about human errors that can ripple worldwide or cyberattacks that can shut down a school district network. But over the past two years, what has him more on edge are the wildfires that keep getting closer to his suburban Seattle community, including one that came within 10 minutes of his home.
Because of that threat, the possibility is rising that the local power grid could be temporarily shut down to help prevent the spread of wildfires. That, in turn, could mean shutting down most technology-driven operations for the school district. He has already had a conversation with a local fire chief about how the community is planning for the potential of extended power outages.
“As the climate changes, we’re going to have to adapt and come up with, what are those new realities going to be moving forward?” he said.
Hagel’s story is representative of the increasing concerns of school district tech leaders nationwide. The percentage of school district tech leaders who say they are implementing “incident response plans” for tech-related crises increased from 34 percent in 2022 to 53 percent this year, according to a CoSN survey.
Schools have important lessons to learn from health care and other industries
The helpful news is that companies, governments, and schools all over the world are grappling with similar challenges. Many are now engaged in sophisticated scenario planning to determine how to keep their organizations running in the event of a human-error-created tech meltdown; debilitating cyberattack; natural disaster such as a tornado, hurricane, or wildfire; or intentional or accidental damage to the fiber cables used to connect to the internet.
Peter Kennedy is a managing principal of the Futures Strategy Group who specializes in scenario-based strategic planning. He has consulted for companies in the automotive, airline, health care, financial services, telecommunications, and consumer products industries as well as government clients such as FEMA, NASA Aeronautics, the U.S. Coast Guard, and the U.S. Department of State.
Much of his more recent work has focused on the health care industry—which, similar to K-12 education, is a people-driven sector that has seen its reliance on technology grow exponentially. Scenario-based strategic planning, he emphasizes, is about building the capacity to adapt—it is not about having a specific response to every imaginable scenario. He said many health care organizations, for instance, are doing scenario-based planning around the possibility of another pandemic and how they would operate. They now have some experience in that realm to build smarter plans.
Much like for health care and other people-driven organizations, Kennedy recommends that schools do a complete “vulnerability inventory” that examines important factors that put them at risk, such as student and teacher safety, the disruption to normal teaching and learning, communication with parents, and even the morale of teachers, who can get frustrated and demoralized when a well-crafted lesson falls apart because of a tech meltdown. Then schools should establish plans to address those vulnerabilities in the event of a crisis.
But Kennedy cautions to not become too wedded to a plan. “The paradox of contingency planning is that you really should have a plan, but you should also be prepared to ditch the plan. It’s the old saying from the military, ‘the first casualty of war is the plan.’ And I think that very much holds true here.”
Those kinds of lessons are not lost on William Brackett, a former teacher who is now the director of IT services for Oak Park Elementary District 97, a school system with 5,800 students near Chicago.
“I am an advocate to always learn from everything,” Brackett said. “So even if [the CrowdStrike event] didn’t hurt us, the next one could. And if we throw away this day and say, ‘Oh, it didn’t bother us, and we can just go on our merry little way’ and not study it and learn from it, then I am not being as thorough as I could be as a technology leader.”