As the vendor that administered Tennessee’s glitch-filled standardized testing last week blamed the problems on a cyberattack, lawmakers and students were left wondering how the system could have been hacked.
But attacks on online testing systems and school networks, in general, are relatively common, said Doug Levin, president of EdTech Strategies, a cybersecurity consulting firm in Arlington, Va.
The reported failure in the computer system used by Questar Assessment Inc., which administers the tests, was the latest crisis in a series of foul-ups that marred the start of TNReady testing across the state. Thousands of students were booted from the computer system, some couldn’t submit answers and others were blocked from logging on altogether.
Levin said, Questar was likely the victim of a denial-of-service attack, which can disrupt service and block access to the site rather than steal data. In such cases, a website is flooded with so many fake requests that it can’t respond to any of them.
Denial-of-service attacks are typically short and frequent, he said. So there may be disruptions for 20-30 minutes, then issues are seemingly resolved. When people return to business as usual an hour or so later, the system is attacked again.
The TNReady attack could have been carried out by students, educators, another testing vendor, or by someone making a political point about online testing or testing in general, Levin said. “It’s illegal of course, and highly risky and requires some technical sophistication, but if this is what I think it is, it is not a sophisticated attack.”
And it’s so common that it’s the sort of attack that should have been expected, Levin said. The hosting provider usually redirects traffic to other servers if an attack occurs.
“My question for Questar would be, if this indeed was a denial-of-service attack, what was the magnitude of the attack and did they have a plan in place to deal with it?”
Wayne Camara, chief researcher for test-maker ACT, said hacking into testing systems, versus school networks, is rarer in his experience.
“That’s pretty unusual because the kind of data in those computer-based systems is not usually of intrinsic value unless someone really wants to corrupt the system or embarass the testing program. There’s really no large motivation to do it,” he said.
A greater concern with computer-based testing in school districts, Camara said, is cheating. “Quite frankly because in most states the schools do not have enough equipment to test everybody on one date…you have a very long testing window.”
Questar officials are convinced its testing platform was attacked. The chief operating officer, Brad Baumgartner, has said the attack was “external,” but the company has said little else. Questar has a $30 million annual contract with Tennessee’s Department of Education that expires this year.
Testing has resumed, and Questar continues to take steps to prevent a repeat attack. We will be diligently monitoring. There is absolutely no evidence that student data or information has been compromised. 1/3— TN Dept of Education (@TNedu) April 17, 2018
Tennessee was one of seven states affected by the attack, Baumgartner said. Tennessee, New York, Mississippi, Missouri, and South Dakota were the hardest hit.
“Our data systems did what they were supposed to do,” he told lawmakers grilling him this week about the situation. “They shut the system down.”
Officials have said no student information was compromised.
Because other states were also affected by the attack, Levin said it could mean that all those states’ data were sitting on the main server. “So one attack gets everything.”
There have been more than 300 cyber security incidents on schools across the country in the last two years, Levin said, targeting student records, teacher employment data, school websites and networks, as well as ransomware, and phishing attacks.
In 2015, Florida’s school testing system was hit by a series of attacks. The Florida Department of Law Enforcement found that the attacks were from outside the country, possibly China. Investigators closed the cases without identifying a suspect.
That same year, testing contractor Pearson reached a $5 million settlement with the state of Minnesota after a cyberattack sidelined student-testing there.
“There are so many pieces that have to go right for it to work,” Levin said of online testing.
The testing vendor needs servers that can handle large numbers of concurrent student testers logging in from the networks of hundreds of schools in dozens of school districts across the state. “Failures can happen anywhere in that spider web of connection,” he added.
It’s possible the attack could have been of a magnitude and sophistication that they couldn’t have foreseen it, Levin conceded. “I think that’s unlikely, but without additional information it’s hard to know.”
Though officials have asked the Tennessee Bureau of Investigation to investigate the attack, because of jurisdictional issues, the matter may have to be handled by authorities in Minnesota, where Questar is headquartered.
Finding the culprit is likely to be challenging. Although politically embarrassing and massively disruptive, it’s not likely that a lot of resources will be used in the investigation, especially because lives or millions of dollars weren’t at stake. “Unless the perpetrator was pretty sloppy, it’s unlikely that the perpetrator will be found,” Levin said.