Who responsible for child cybersecurity

Saving the megapolis, taking a picture with a robot, and defeating a hacker

Six-year-olds and fourteen-year-olds — what can they have in common? It's very simple: they are all just children who need protection. One of the most important aspects of protecting children in the modern world is ensuring their cybersecurity. The child grabs the gadget when even barely walking. This means that he immediately faces all the dangers existing in the cyber world.

To tell a child what cybersecurity is, what threats are only for him, but also for his entire environment, what the basics of digital hygiene are — this is an approximate range of tasks that the organisers of the children's stand-off set themselves on the run-up to Positive Hack Days forum. While the adult hackers, divided into “ours” and “not ours”, competed with each other in the framework of the adult stand-off, the children were fascinated by the grandiose layout of the megapolis. It clearly showed who was winning — “good” or “evil” hackers. When an attack on one of the systems of the megapolis was successful, it was immediately reflected on the layout: the big wheel would stop, the lights in the houses would go out, the railway would stand up.

Despite that the children themselves did not directly participate in hacking the city's systems, an amazing adventure was arranged for them. They were divided into several teams and sent to conquer the stations of the interactive quest (the tasks were stylised as saving the megapolis). On one of them, they had to figure out how to protect their social media page from hackers. Another clearly explained how to filter out fake news from real news. The third offered a simulator of the road network: children used tablets to restore the operation of traffic lights, and then they were asked to drive cars at speed from the control panels.

There was a platform dedicated to career guidance in the digital world, and there was one that told about cryptography... And all this in the format of a game-competition.

The teams were formed from children of different ages. Here is a kid of about six years old reading the news by syllables, trying to figure out whether it is real or fake. Here are 14-year-old teenagers are arguing among themselves about who should be the team captain, because one already knows how to develop applications for Android, and the second wins children's programming contests. Here's the guys are taking pictures with glowing robots — “good” and “evil” ones...

Child is the weak link

While the children were running around the quest sites, the adults — experts and journalists — talked about how to protect the younger generation from numerous cyber threats. One must say that there are still more questions in this topic than there are answers.

By the results of the year, according to statistics collected by Positive Technologies, the total number of unique incidents (attacks) involving adult population increased by 51% compared to 2019. Moreover, 70% of the attacks were focused. The most popular method of attack remains social engineering, which includes phishing emails and messages. It is logical to assume that children, among whom every first person uses the Internet, are attacked by intruders no less often, and even more often, than adults.

Vladimir Dmitriev, the head of Cyber Art cybersecurity services direction at Innostage Group, confirms the statistics collected by his colleagues and paints quite apocalyptic pictures that explain in detail the dangers of the digital world:

“One of the main vectors of threats aimed at individuals is social engineering, an attempt to fraudulently gain trust, impersonate someone else, and get their own benefit. We know that the elderly and children are the most vulnerable segments of society, and in the field of cybersecurity, the situation is exactly the same. The target of the attackers can be not only the child itself: it can be used as a weak link through which they can reach the parents — this will be a continuation of the attack. And if parents are employed in important sectors of the economy, this chain can continue to attack critical objects. That is, through the child, they can infect the parent's home computer. Then, if he or she works remotely, take the threat outside the perimeter of home network. Then attackers can cause damage not only to an individual, but also to the whole state.”

Yulia Kuklina, the head of the department for youth work at Rostelecom, reminded about less global but also unpleasant consequences of children's digital illiteracy. Let's say a child is playing a game on a tablet, and then he is offered to buy some game artifact. Parent's credit card is very often tied to a tablet, and what does a child who is not versed in digital hygiene do? That's right, money begins to uncontrollably flow off to the game developer. Technically, there is no fraud in this, and the money is often impossible to return. But you can teach your child what buttons to press under no circumstances. And this will also be the basics of digital security.

The target of the attackers can be not only the child itself: it can be used as a weak link through which they can reach the parents — this will be a continuation of the attack

The child is also threatened by phishing in social networks — kids are gullible, and under the guise of a good friend, a completely unkind enemy can get access to their information and personal life. Password theft, trolling and bullying, fraud of various kinds… In general, the Internet, if used incorrectly and if basic digital hygiene is not observed, can turn from an invaluable tool into a thing that significantly complicates life.

Maria Sigaeva, the director of educational programmes for Positive Technologies projects, summarises: if an adult already knows about most of the dangers that the digital world brings, then a child does not yet have such skills. And the direct task of adults is to explain how to live properly online.

“Prohibiting and not allowing” or teaching and controlling?

During the discussion in the audience, the question arose: maybe it makes sense to restrict children's access to the Internet until they reach adulthood? And then there will be no problems at all: children will not be able to write nonsense on the Internet, make purchases there, will not pick up false information, will walk in formation, clean, innocent and in general not affected by the pernicious influence of harmful technologies. No internet — no problem.

Of course, experts had hostile attitude to such radicalism. Vladimir Dmitriev explains the impossibility of such solution to the problem:

“We have long been living in a changed world. If we want to live in a comfortable state, in a comfortable environment, then digitalisation, no matter how this term is blurred, is something that will always haunt us. You're not going to refuse your car and ride a donkey right now, are you? In the same way, we cannot abandon the Internet now and keep children out of it. Do we want to raise a child in a sterile flask, so that they can't safely exist outside of it? As parents, we want our children to be competitive in this world and know everything there is to know about it. This includes knowing how to resist hackers and cybercriminals and how to behave on the Internet.”

In the audience, there was another question, less radical, but quite controversial: up to what age should one control all the activities of the child in the Network? Where do personal boundaries end and escape from the dangers of the digital world begin?

When we teach a child the rules of the road while they are young, we hold his hand on the street. It is the same in the Network: one needs to take the first steps together with them

Here the experts are very cautious in their recommendations. Oddly enough, the main one is not related to cybersecurity, but to family psychology. The thing is that it is impossible to control every step of the child on the Internet — personal boundaries still have to remain with them. But it is necessary to build close relationships in the family — so that a teenager or a kid always knows that they can turn to the parents for help or advice — this is the only valid recipe.

Yulia Kuklina cited an example. When we teach a child the rules of the road while they are young, we hold they hand on the street. It is the same in the Network: one needs to take the first steps together with them. But soon enough, we have to let the child go. By this time, the child should already know the basic rules of movement on a road full of dangers.

Who responsible for child cybersecurity

And here arises a serious question. Who should teach children digital literacy? Apparently, it turns out that the skills of cyber-hygiene should be instilled in kids at about the same time as introducing them to a toothbrush, this analogy is given by Vladimir Dmitriev from Innostage. So, everything should start with the parents.

Before you carry information security to children, you must first bring it to parents and teachers

But after the parents, there is a kindergarten, school, university… And at all these levels, cybersecurity skills must also be developed — all experts agree on this. Maria Sigaeva from Positive Technologies reasonably says:

“We, when hiring a person, do not expect that people who can not read and write will come to us. And cyber-hygiene is basic knowledge of the same level. After all, IT is the natural habitat of modern human. So we all need to have the basic skills to live in this environment and understand the rules by which it exists.

Yulia Kuklina from Rostelecom decomposed it into a logically understandable chain:

“Children can be segmented as a target audience. And each segment will be in the area of responsibility of a certain institution, which, in turn, will strengthen each other. For example, children up to the first grade should be taught cyber-hygiene skills by their parents. It is necessary to convey to the child what buttons can not be pushed. The next segment is school students. Teachers alone cannot convey the basics of cyber-hygiene to children. We need serious strengthening on the part of the state — it should help with the teaching methodology. It is necessary to explain to children what the requirements are, why they are exactly like this, to talk about the models of the attackers' work. In other words, it is not enough to instruct children to come up with complex passwords — it is necessary that the person understands why this is necessary. Finally, talented high school students — they need to competently be taught information security at the level of a separate discipline. This discipline should be taught at school!”

Everyone present agreed with this. Separately, there was the idea that large businesses operating in the IT sector should also take this issue under their control. This, as Maria Sigaeva says, is the social responsibility of businesses: since there are technology giants in Russia that are directly engaged in the development of software in the field of information security, they should help the state with education. To develop training programmes, get in touch with talented children, organise specialised courses, olympiads, and clubs for them…

In short, it is necessary to teach a child cybersecurity at all levels at once, and everyone should participate in this: parents, schools, the state as a whole, and large businesses. “We, the adults, are all responsible for this together," Yulia Kuklina said.

But who will teach the teacher?

It sounds beautiful. But Russia is a very large country, and the conditions in it are very different. Of course, Russian schools do not yet have a centralised cybersecurity teaching programme. The correspondent of Realnoe Vremya argues: if you drive away from any megapolis for a few kilometres, we will get to an ordinary rural school, many teachers from which only in the pandemic were forced to finally learn the basics of working on the Internet. What kind of mass cybersecurity training for children can we talk about in the environment where teachers and parents often need to be educated in this regard themselves?

Experts agree with this. Maria Sigaeva answers:

“Indeed, before we carry information security to children, we must first bring it to parents and teachers. Somewhere in the regions, companies take on this task, but not all of them do it. There is no single consolidated tool for the whole of Russia yet, which could convey this knowledge to everyone. And this is an important state task. There is no escape from digitalisation in the country.”

The expert said that the federal ministry of finance is also planning a number of programmes: they are developing recipes for how to work with adults. But in the ministry of education, everything is more complicated: the training programme must be certified and tested, so its development is not a matter of several months. From time to time, universities are also involved in the work, which in some regions take on the issues of teacher education.

“Constant dropping wears away a stone, and for our part, we are now choosing approaches for a regular basis," says Sigaeva. “This leap in figures happened abruptly and suddenly, and it is impossible to stop it. And at this turning point, we want to do a lot. But not immediately — everything is going gradually.

In other words, metaphorically speaking, the pandemic has led to that we were all forced to sit in a spaceship, but the instructions for its operation have not been distributed to everyone. And right now, the whole country is trying to write this instruction. But it should be done faster, since businesses and universities are already ready to help in this. When all efforts are consolidated, then the very question of why digital hygiene is needed and how to popularise knowledge about information security for children will disappear. After all, we're not asking why teach a child to brush their teeth?