ISC2 Associate Justine Guyau looks at some of the challenges facing cybersecurity professionals in France tasked with securing key education IT resources following an uptick in threats.

Justine GuyauVigipirate is the French national security alert system. Created in 1978, it is a five-level alert system ranging from Level 0 (White) when no dangers exist, up to Level 4 (Scarlet) when a definite threat is perceived or there is a proactive effort to prevent a major attack.

The French Government declared Vigipirate Level 4 after the March 2024 Moscow concert hall attack. At the time, schools all over France received bomb threats via the national academic internal email system. In response, French Minister of Education Nicole Belloubet opted to temporarily suspend the email system to prevent further misuse.

In an already tense education sector, how can we build a secure solution that takes as many situational parameters as possible into account?

A Series of Threats

On March 21, 2024, some 30 high schools in the Paris area received terrorist threats accompanied by a graphically violent video allegedly linked ISIS. The message was sent via the ENT platform, an online space and messaging platform used nationally in education that allows to send students homework or parents to ask questions. The message explained that a bomb had supposedly been hidden in the school and included a call to arms for students to commit heinous acts.

It was quickly established that these messages were empty threats and that no explosive devices had been planted in the targeted schools. However, one week later, over 300 more suspicious messages of the same type were reported, this time all over the country. Given attacks in recent years that resulted in the death of teachers including Samuel Paty and Dominique Bernard, the series of threats were both extremely concerning and taken very seriously.

Suspension of the Messaging Service

On March 28th, 2024, a week after the first wave of threat emails were received, Belloubet announced that all communications via t the ENT platform would be temporarily suspended, to allow the government time to develop a way to further secure it.

No official statement has been made regarding what measures are being considered. However, the implementation of two-factor authentication to connect to ENT will probably be one of the key measures the Ministry of Education will deploy.

The investigation of the March 21 incident led to the arrest of a 17-year-old who revealed he was able to send the threats by hijacking the identity of students and parents within the academy of Paris. To collect this data, the individual sent several phishing emails asking targets to retrieve their ENT account. On this basis, a multifactor authentication solution would be a sensible step, in theory.

A Challenging Implementation

The reality of the situation inside French schools would make two-factor authentication pretty impractical. Teachers would need to confirm their identity by receiving, for instance, a text message, which would be impossible in some facilities because they are located in areas with no mobile phone service. This includes schools in rural countryside locations, but also urban institutions, particularly those with basement levels where mobile signals are often limited.

Even more problematic is access for students. Two-factor authentication would require students to use their phone when such use is strictly forbidden in a large number of middle schools and in some high schools. On that basis, should policies be changed to allow the limited use of phones in specific cases, such as two-factor authentication for educational platforms like ENT? If they were changed, it risks creating difficulties for teachers, who would face trying to engage and control a class of students, even more distracted than before.

Even if the state implements technical solutions to improve the security of academic platforms like ENT, arguably the focus should be elsewhere. The March 21st incident was a phishing attack, but there are other ways these services can be compromised, such as packet sniffing and open Wi-Fi connections. Even if the motivation for increased security has shifted from the time students tried to give themselves better grades by tampering with the platform, this was not the first time such a breach occurred, it will not be the last.

Ideally, the focus needs to shift to educating students, parents and teachers about cybersecurity. Measures such as password awareness workshops, phishing simulations, roundtables with professionals etc. Social engineering attacks can be avoided, or at least significantly reduced, through better education, yet they remain commonplace.

As a final note, is there a better way to avoid cyberattacks than… by avoiding the use of digital tools? In an increasingly digital education and classroom environment, online platforms will always be useful for uploading lesson plans, coursework or grades. As for the email platform, can’t parents and teachers set up appointments with teachers through written communication, as they did just a few years back? The use of the ENT platform grew during the pandemic, as it became one of the only ways to maintain a link between teachers and some students. Now that lockdown is over, many teachers have reverted to their old ways and don’t use the tool anymore.

On that basis, why not go back to the good old school diary as a link between teachers and parents?

Justine Guyau is a cybersecurity student passionate about CNI security and cyber resilience. She became a ISC2 Associate by passing the CISSP exam in February 2024.