Editorial: District overreacts on computer security

But once the problem was identified -- as limited to one area of one unprotected server at the district offices -- the district should have tempered its response.

It now is overreacting to the problem and making everything worse when it comes to how people communicate via computers and the Internet within the school district.

Hamstringing the school networks in the name of perfect security would be a serious loss to a district located in the heart of Silicon Valley, as well as a serious impediment to the benefits computer-assisted communications can bring to schools in an era of budget cutbacks and the need to redefine priorities. The district needs all the communication help it can get.

The breach itself consisted of an unprotected computer server -- readily accessible to anyone through district wireless networks and to staff and students on classroom computers -- on which were files containing some student grades, addresses and phone numbers of students, photos and background of a half-dozen students with special health conditions, and (most serious of all) a psychological evaluation of a student.

This was a serious breach, which the Weekly reported to district officials before reporting the story, both to get a response and so the opening could be closed. The breach, because Palo Alto is Palo Alto, made news nationally, in print and on television.

But the district's reaction has gone far beyond the scope of the problem, in our view.

Coincidentally, at the time the breach was discovered the district had just adopted a new computer-security policy. That policy, in conjunction with new equipment, was to be instituted this summer. Buried in that policy -- completely unrelated to the security breach discovered by the Weekly -- was a provision that only district employees could have access to district servers.

The problem is that the new policy completely ignores the work of eight or 10 expert volunteers who helped build and operate the district's network over the past half dozen years. They were abruptly locked out -- both by password and physically -- and forbidden to have any contact with district servers, as reported in the Weekly last week.

Even if necessary, the sudden lockout seems to have been handled in a disrespectful manner, with little or no recognition of the value the expert volunteers have provided the district as it tried to expand and strengthen its information-technology staff in recent years. One volunteer even got his company to donate about $50,000 worth of computer-security equipment.

The lockout provision of the new policy seems highly questionable -- unless there are other factors the district has not disclosed. It appears to be a waste of community talent at a time when the district can use all the goodwill and help it can get.

The breach itself was a three-fold failure, primarily of paid district staff, (1) in allowing an unprotected computer server to exist in the first place, (2) in not adequately training teachers and other staff in security procedures, and (3) in failing to monitor an exposed computer to assure any information on it was harmless or generic.

It was essentially a human failure, not a technological flaw in the district's overall security system.

The breach also was not a "wireless network" problem, as widely believed inside and outside the district. The same wide-open server was easily accessed through computers in district classrooms. So "banning wireless networks" is also an off-target overreaction.

While there are risks with wireless networks, proper security at the server, computer, file and network levels can safeguard against penetration -- as many thousands of businesses across the nation know.

The breach is something that never should have happened. It was careless, serious and alarming. Yet it also was limited, not an overall security lapse of district computers. And it seems to have caused no one any permanent damage -- unless red faces can be classed as such.

But the district's Draconian response in shutting down all wireless networks and locking out experienced, qualified volunteers seems to be making the cure far worse than the problem.