A day after Missouri Gov. Mike Parson garnered national criticism for his push to prosecute a newspaper reporter who discovered a security flaw in a state website, a Democratic lawmaker is urging the governor to appoint members of a cybersecurity commission established by a bill he signed in July.
The St. Louis Post-Dispatch informed the state on Tuesday that Social Security numbers for tens of thousands of Missouri school teachers, administrators and counselors were included in the HTML source code of a publicly available website operated by the Department of Elementary and Secondary Education.
The newspaper notified the state and agreed not to publish any story until the problem was fixed and the Social Security numbers were no longer vulnerable to public exposure.
Parson reacted by calling the reporter a hacker and asking the Cole County prosecutor to file charges. In a hastily organized press conference Thursday, Parson said he didn’t know why the reporter was trying to access the website, but in the same breath accused the newspaper of simply trying to embarrass his administration.
Instead of attacking reporters, the governor needs to finally appoint members to the newly established Missouri Cybersecurity Commission, “something he has neglected to do since he signed the bill establishing it earlier this year,” said state Rep. Ashley Aune, D-Kansas City. Aune helped write the section of Senate Bill 49 that established the Missouri Cybersecurity Commission. Parson, a Republican, signed the bill into law in mid-July.
The commission would be tasked with identifying risk and vulnerability from cyberattacks of critical infrastructure in Missouri.
“Let’s get down to brass tacks: The Parson administration stored the sensitive, private, personally identifiable information of nearly 100,000 Missouri teachers on a public website, and it could easily be accessed by anyone with even a basic knowledge of the internet. That’s a terrifying fact,” Aune said. “This fiasco perfectly illustrates why Missouri needs to get serious about confronting 21st-century cyberthreats.”
Cybersecurity experts have universally panned Parson’s push for criminal charges against the reporter, saying the governor has a fundamental misunderstanding of how the Internet operates.
Republican elected officials contacted Thursday were not eager to join the governor in his attack on the media.
State Rep. Phil Christofanelli, R-St. Peters, reacted on Twitter by harkening back to a previous scandal involving Parson, in which his administration removed an LGBTQ-history exhibit from the state Capitol museum. After public outcry, the exhibit was moved down the street to the Lohman Building, which has far few visitors.
“There’s a simple fix here,” said Christofanelli, one of only a handful of openly gay Missouri lawmakers. “Let’s just move all the [Department of Education] social security numbers over to the Lohman Building so no one ever can find them again.”
Democrats, however, worried Parson’s call for prosecution of a journalist was not only misguided but dangerous.
“It smells a little fascist when a reporter identifies the mistake, alerts the administration and the governor threatens them with prosecution in return,” tweeted state Sen. Lauren Arthur, D-Kansas City.
State Sen. Greg Razer, D-Kansas City, tweeted that seeking criminal prosecution of a journalist who pointed out the vulnerability to the state is “an abuse of power.
“Also, it’s very embarrassing to call this a ‘hack,’” Razer said. “Moral of the story: Missouri has not adequately invested in IT infrastructure.”
Aune said in a news release: “In light of the events that have transpired this week, I believe the governor cannot wait any longer to appoint members to this commission so it may do the critical work of identifying and rectifying gaps in Missouri’s cyberinfrastructure.”
Aune accused Parson of a “smear campaign” against the Post-Dispatch journalist when it was Parson’s administration that stored the private information and left it unprotected.
An email message left Friday with Parson’s spokeswoman was not immediately returned. But during his news conference Thursday, Parson said the state was “working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”
Ian Caso, publisher of the Post-Dispatch, said in a statement that the newspaper stood by the story and the reporter, who he said “did everything right.”
Orin Kerr, a law professor at the University of California, Berkeley, and an expert on computer crime law, said the fact that the Post-Dispatch journalist had looked at the HTML source code was not a crime.
“The Supreme Court has recently said the federal computer hacking law calls for a ‘gates up’ versus ‘gates down’ inquiry,” Kerr said. “And when you post information in source code on your website, on pages the public is supposed to access, that gate is ‘up.’”
This report is compiled from The Missouri Independent and The Associated Press.