Hacks of AI learning platforms pose a bigger challenge

The ABC reported today "Australian educational facilities impacted as 'criminal' hacks Canvas learning platform" (Scout Wallen & Monty Jacka). Fortunately Learning Management Systems (LMS), such as Canvas, don't contain much personal data about the students. They have the names, student numbers & email addresses, but other data about the student is stored in separate systems. There will be the content of the student's assignments and comments posted to discussion boards, but these are usually not very personal. Also there will be messages sent between students and staff, again, these don't contain much personal information. Students often overshare when applying for an assignment extension or regrade, but this is usually handled by a separate administrative system. What is of concern is where AI tools are used to personalize student learning. These will have access to more student data, making them a prime target for hackers.

VR and Virtual internships and VR for Crisis Management

The Australian Crisis Simulation Summit at the Australian National University has wrapped up after a successful week's hard work. One reason I volunteered to mentor, was to see how this was done. I have done some training at Australian Staff College, back in the days when bits of paper were used, and wanted to see how teaching in this area has evolved. Some of these techniques might be used for computer students.

What was most striking about the ACSS, was the use of video conferencing for a hybrid mode. Base of operations was in Canberra, but with groups of students, and some presenters, distributed around Australia, and a couple of US universities. This format fitted well with the subject matter. The students at each remote site were playing the role of a government agency crisis team. In reality, each team would be communicating with their counterparts electronically. Those in the main venue were in separate rooms, and also used electronic means to communicate.

Conducttr crisis simulation software was used for the simulated news items, and social media. Zoom was used for 24 hour news service. Microsoft Teams was used for team to team video. Google dos was used for group document preparation. It might be worth considering the use of a tool such as Slack, which could incorporate all these functions. However, the use of the tools which are used in the real workplace is worthwhile.

It might be interesting to include specialist technical students in the simulations. This one features cyber security, satellites, submarines and other defence related technology. One of the problems experienced in a real crisis is to quickly get usable, understandable, relevant advice from experts. It would be useful to have teams of law, computer, and engineering students practicing providing time critical advice. 

A professional media company, Shoelace Creative, was brought in to produce live TV news for the simulations, using a student with media experience as the interviewer.  For smaller scale events, this might be replaced with an AI newsreader.

A difficult question is if such simulations could be incorporated into the curriculum. This requires assessment. There is a risk that assessing the simulation would take the fun out of it for the students, and the external mentors. I suggest this could be handled in a similar way to internships: documents generated as part of the process are used for group assessment, plus an individual personal reflection. Rubrics can be used to reduce the burden of assessment for staff. 

Some VR and AR might make the simulations more realistic. One gimmick demonstrated at EduTech 2023 Australia recently was a hologram-like booth, which showed a remote presenter. A simpler form of this could be done by positioning a conventional flat screen behind a podium, so the presenter appears to be standing there. 

Cyberwar Breaks Out at Australian Crisis Simulation

ACSS Domestic Briefing, 
in the ANU Moot Court.
Photo by Tom Worthington CC-BY 2023

Greetings from the Australian Crisis Simulation Summit at in the Moot Court at the Australian National University in Canberra. Game play became very interesting in the last round, when one team took a fake news item as real and spread it through the government agencies, causing confusion and consternation. The game masters discussed intervening. I suggested letting the game run as this was a very realistic possibility and a good learning experience. But this was disrupting the play, and so a mentor provided some advice to teams to get things back on track. 

ANU Moot Court  tea urn & banana, 
Photo by Tom Worthington CC-BY 2023

Today is "domestic" with a focus on crisis in Australia, rather than the region. Ominously, the head game-master quoted General Dwight D. Eisenhower's Order of the Day (1944) "You are about to embark upon the Great Crusade, toward which we have striven these many months. ...". Amidst this drama I noticed the ANU's Moot Court was equipped with a tea urn, and a banana. ;-)

More drama occurred at the start of the domestic simulation, with a system glitch. This required the team to reschedule, and also was a useful learning experience of what happens when you depend on a computer based system.

Last night there was a celebration with Canberra participants, and sponsors. This was a slightly unusual combination of glamour event, with representatives from allied government, and displays from secret government agencies (who recruit the students). 

Cyber Crisis Simulated

James Weatherman interviewing
Tom Worthington on SBC. CC-BY 

Greetings from the Australian Crisis Simulation Summit at in the Moot Court at the Australian National University in Canberra. A scripted simulated cyber attack has just happened, and the pretend company representative is being interviewed on the fictional SBC (Summit Broadcasting Corporation). I thought the student playing the role was putting on a fake american accent, but it turns out they are in a team at a US university. Earlier in the day I was interviewed. The fake news channel is being provided by Shoelace Creative, with one of the studnts providing the news anchor. 

This infrastructure takes a lot of work. A lower effort way to do this would be with a synthetic newsreader, working from a prepared script.

Back to the Conference Face to Face

I’m planning to attend to EDUtech Asia in Singapore, 8 to 10 November. This will be my first big conference face to face since the pandemic started in early 2022. I will be going early for the Singapore Fintech Festival, 2 to 4 November, and the Predict22 Singapore Summit, 1 to 2 November.  I have decided to not to volunteer to present on the large stages at conferences, but happy to speak at a university, or professional meeting (let me know if you would like a talk). So far I have one uni talk booked on work integrated learning, and a small talk on Innovation for sustainabile computing in the EduTech show-and-tell.

Cyber-attack Targets Australian Universities

Countries with targeted universities.
Source: Secureworks

Greetings from the Australian Computer Society conference in Canberra where Alex Tilley, Senior Security Researcher (eCrime) Secureworks warned of a cyber-attack targeting universities around the world. This has been labeled COBALT DICKENS. This appears to be a state  attempt to steal intellectual property, as well as identities. 

Training for Australia's Offensive Cyber Capability

In the Australian Strategic Policy Institute paper "Australia's Offensive Cyber Capability" ( May 2018), Fergus Hanson an Tom Uren, ask how to build and use the capability. Part of this is simply having trained IT professionals, in and out of uniform available. As well as running courses in "Defensive Cyber Security Operations" (COMP3701), the Australian National University also offerers "Offensive Cyber Security Operations" (COMP3702):

"Offensive Cyber Security operations introduces and exercises a complete range of reverse engineering techniques and attack patterns. Students will also learn and exercise analysis of systems based on minimal information. This is a complete course in cyber attacks which enables students on successful completion to identify and test systems for vulnerabilities without full knowledge or direct access."

As part of the ethics training for ANU IT students I offer a hypothetical on Cyber Warfare over the South China Sea.

Cybersecurity Degree Guidelines

The Association for Computing Machinery (ACM) have released a draft "Cybersecurity Curricula 2017: Curriculum Guidelines for Undergraduate Degree Programs in Cybersecurity" for comment by 14 February 2017. The security areas focused on are: Data, Software, System, Human, Organizational and Societal. Discipline areas ares: Computer Science (CS); Computer Engineering (CE); Software Engineering (SE); Information Technology (IT); Information Systems (IS); and Mixed Disciplinary majors (MD). This draft has not got to the point of setting hours for knowledge areas, but is a good start.

I have submitted this comment:

"The Cybersecurity Curricula is well thought out. The only surprise for me was section 5.1 "The Academic Myth" (p. 33). This polemic against the value of baccalaureate degrees and assessment standards is not appropriate. If the authors believe that a first degree does not provide the skills required for Cybersecurity, then they should be preparing a curriculum which includes a mandatory graduate component. If the authors truly believe that "... having a degree is not sufficient to secure employment.", then they should set down the curriculum for the additional non-degree training and education required.

Setting out to specify a baccalaureate curricula which does not meet the required need seems a pointless activity. In my view a baccalaureate degree is a vocationally useful qualification. However, no single qualification will provide everything everyone needs. The authors of the Cybersecurity Curricula should not set themselves an impossible task. Such a curricula will be useful when designing educational programs, at the sub-degree, degree and also graduate levels. I suggest deleting section  5.1."