
I feel for the systems folks on the ground at Instructure dealing with the ransomware attack of Canvas. I help run a hosting company, and what became clear for thousands of schools last week is that Canvas is as much a web hosting outfit as it is an edtech company. I can’t speak to what happened with the hack or the responses, so I’ll leave that to those who care. What I am particularly interested in is the cultural choices around higher ed and K12 that made such a hack so devastating. I haven’t really been able to communicate it other than a couple of platitudes I messaged to some friends, namely:
Make it enterprise, make it serious, make it a single point of failure. Fucking amateurs.
That’s not very useful, I admit, but it felt good to say it after witnessing endless ed techs cozy up with the LMS as inevitable and discount alternatives as “too much work.” It was lazy, and it de-professionalized a space that could have been beautiful—part of me lost faith in the field as a result. Instructure became a unicorn and every Tom, Dick, and Harriet in the educational space jumped on board and the LMS was not only alive and well, but more centralized and all-consuming than ever. But does all that make this Instructure’s fault?* Probably to some degree; reports that they never really took the ransomware seriously and hung their institutions out to dry are a bad look for sure, but on the other hand the institutions put themselves in this situation.
That’s what Tim Klapdor was able to articulate so clearly in his recent post “Why the Canvas Hack was Inevitable.” Rather than throw rocks when you live in a glass house (cPanel had a hell of a week for vulnerabilities), I appreciated how Klapdor focuses on the culture in higher ed’s management approach that made this inevitable:
[We] centralised onto AWS and equivalent virtual infrastructure because keeping it local was hard. We outsourced to external vendors. We decommissioned local server capacity and stopped local development because they were too hard (and because the consultants said so). We built a thoroughly networked world while retaining management approaches designed for a pre-networked one.
The complexity of the inter-connected third-party systems that institutions have become dependent on (and literally hostage to) points to the pendulum approaching the extreme limit of the race to the Cloud that started 15 years ago. As teaching and learning systems (and meh ones at that) core to the institutional mission have been outsourced entirely, those same LMS cheerleaders have watched their roles disappear. The institutions that claim to be experts and shape the role of education for the future have found themselves entirely outside the systems wherein the learning happens. It’s like manufacturing in the Western world: we don’t do it anymore. We can no longer exercise those muscles of maintaining our own learning systems because they’ve atrophied as a result of neglect. In the race to save a buck on labor we outsourced our economy of teaching and learning.
The optimist in me wants to think that pendulum may start moving back towards co-located server setups with truly open source applications that teams on campus can become invested in once again. A return to a moment where edtech was more than vendor relationships, but an investment in groups helping to shape teaching and learning communities with tools crafted in the spirit of their organization. But as Klapdor notes, this is not the likely outcome in the wake of this incident. If my dealings with the average CISO tell me anything, it will be all about chasing the technical cause down a rabbit hole and further ensuring that the culture around security and trust is that much more adversarial to that of teaching and learning.
________________________________________________________
*I was not a fan of Instructure’s claim to being open source when at the same time they made the core elements you need for Canvas to be functional (gradebook, etc.) proprietary add-ons. More than that, installing it is no simple matter. So while it’s technically “open source,” it’s a de facto walled garden. They provide no documentation for running it as a self-hosted app and there’s no real community in this space to speak of, so open as in washing.

We were at least self-hosted for a time on Bb Learn from about 2009 up to early 2020 just prior to Covid when a provost finally made someone bite the bullet and spill forth the cash to move us to AWS-US-EAST1 in Northern VA where Bb was running all of its Bb Learn instances. The fear mongering that we couldn’t handle the load of everyone going full online is what kicked us to the cloud.
And we’ve felt every outage since then,…
Try MoodleBox