
Parson livid at IT security report, but Missouri also used public data to spot cyber problems

After a reporter this week uncovered a security issue on a Missouri state website that left Social Security numbers of teachers open to disclosure, Gov. Mike Parson threatened criminal charges.

But Missouri has deployed its own program to root out cyber vulnerabilities.

Called “Using Public Data to Alert Organizations of Vulnerabilities,” the program in the Office of Administration (OA) relied on a research platform that scanned the entire internet. In turn, OA’s Office of Cybersecurity used the information to identify weaknesses and then notified the agencies or businesses affected.

Missouri’s own embrace of scouring public information in search of security gaps stands in marked contrast to how Parson reacted Thursday to the discovery made by the St. Louis Post-Dispatch, which used HTML source code on a website maintained by the Department of Elementary and Secondary Education, or DESE.

In an angry appearance outside his Capitol office, the Republican governor announced he had referred the reporter and the newspaper for criminal investigation and accused them of accessing the Social Security numbers out of a “political vendetta.”

“This individual did not have permission to do what they did,” Parson said. “They had no authorization to convert or decode. So this was clearly a hack.”

The source code is accessible with a couple of keystrokes to anyone with a web browser. The newspaper, which says it stands by its reporting, found that the Social Security numbers of upwards of 100,000 people were potentially at risk of exposure.

Cybersecurity experts called the newspaper’s discovery of Social Security numbers in the DESE web pages’ source code a concerning and common programming flaw.

“I really chalk this up to sloppy coding,” said Joe Scherrer, a cybersecurity expert at the Washington University of St. Louis. “If someone is enterprising to do that right-click and check the code and find this information, that’s readily available … If I was a teacher I’d be upset because the state government didn’t properly protect my information.”

On Thursday afternoon, Parson tweeted that “this DESE hack was more than a simple ‘right click.’” He said the data had to be taken through eight steps to generate a Social Security number, but didn’t detail the steps.
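As an added illustration, not code from the article or from the state's program, here is the kind of self-check a defender could run against their own served pages before anyone else does: it parses the HTML, collects every text node and attribute value, also tries a base64 decode of each value (the article does not say how the DESE data was encoded, so that encoding is an assumption), and reports SSN-shaped values with all but the last four digits masked.

```python
import base64
import re
from html.parser import HTMLParser

# Flags the dashed ###-##-#### layout or nine contiguous digits; hits are reviewed by hand.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")

def _try_base64(value):
    """Return decoded text if value looks like base64 (an assumed encoding), else None."""
    s = value.strip()
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except ValueError:  # bad padding/alphabet or non-UTF-8 bytes
        return None

class _Collector(HTMLParser):
    """Gathers every text node (script bodies included) and attribute value in a page."""
    def __init__(self):
        super().__init__()
        self.values = []
    def _add(self, where, val):
        self.values.append((where, val))
        decoded = _try_base64(val)
        if decoded:
            self.values.append(("decoded " + where, decoded))
    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if val:
                self._add(f"{tag}@{name}", val)
    def handle_data(self, data):
        if data.strip():
            self._add("text", data)

def mask(ssn):
    """Keep only the last four digits so the scan report never re-exposes the value."""
    return "***-**-" + re.sub(r"\D", "", ssn)[-4:]

def find_exposed_ssns(html):
    """Return [(location, masked_ssn)] for every SSN-shaped value served to the browser."""
    c = _Collector()
    c.feed(html)
    return [(where, mask(m.group())) for where, val in c.values for m in SSN_RE.finditer(val)]

# Constructed sample page: one SSN in plain text, one base64-encoded in a hidden field.
SAMPLE_HTML = """<table>
<tr><td>Jane Doe</td><td>123-45-6789</td></tr>
<tr><td>John Roe</td><td><input type="hidden" name="ssn" value="OTg3LTY1LTQzMjE="></td></tr>
</table>"""
```

The point of the check is that anything in the response body, visible or not, encoded or not, has already left the server; the fix is to stop sending the field, not to obscure it.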

While the OA program was focused on scanning for outdated and unsecured systems, as opposed to identifying potentially exposed personal information, the principle appears to have been largely the same: looking at and analyzing public data for vulnerabilities in order to fix them.

“The program identifies high-risk systems that, if left insecure, could lead to disruptions within critical infrastructure or significant data loss, and contacts the owners of the impacted systems to mitigate risks,” OA said on its website in 2017.

A page about the program has since disappeared from the agency’s website, but was archived by the Wayback Machine. OA was proud of the program, and a separate page still online boasts about how the agency received a cybersecurity award for it.

In providing an example of how the program helped, the webpage said the Office of Cybersecurity “promptly called the organization to make them aware of the privacy and security concerns of their current configuration or business practice.”

It’s unclear if the program is still in operation. An OA spokesman didn’t immediately respond to a request for comment.

“In today’s cybersecurity climate, we are all under a constant threat of attack,” Mike Roling, then Missouri chief information security officer, said in a 2016 statement.

“This program has enabled us to leverage public data across a variety of industries in a way that had not been done before to quickly minimize risks and better safeguard IT systems and data,” said Roling, who departed state government in 2018.

Audits contained warnings

Parson’s explosion of anger at the Post-Dispatch has not only raised concerns about press freedom, but has also drawn attention to cybersecurity weaknesses within state government. It comes after the state received warnings in recent years that DESE data may be vulnerable.

A 2015 audit of DESE found that the agency’s system that contains student information allowed for the collection of Social Security numbers, even when it wasn’t necessary. The audit said that placed “students at risk should a data breach occur.”

The report, which took place while Democratic Gov. Jay Nixon was in office, also found that DESE hadn’t established a comprehensive data breach response policy. The agency promised at the time it would put one in place by the end of 2015.

A 2016 audit of school districts found a lack of “comprehensive data governance” programs in many instances.

“Without a comprehensive data governance program, there is less assurance the data management and protection procedures in place are effective in reducing data privacy and security risks due to unauthorized access or misuse of data,” the report said.

This year, Parson signed legislation to establish a cybersecurity commission that would examine the state’s vulnerability to cyberattacks. Officials from the Office of Administration and the State Highway Patrol were to serve on the commission, along with members appointed by Parson.

On Wednesday, DESE called the Post-Dispatch journalist who examined the website’s HTML and reported the data vulnerability to the department a “hacker.”

But Gary McAlum, a former chief security officer for the U.S. Air Force and a board member of the National Cybersecurity Center, said the discovery did not sound to him like a criminal hacking, which would involve someone penetrating a secured system using tools “above and beyond normal access to a website.”

“In this case it sounds like a data exposure or a data incident versus a hacking,” McAlum said. “In this particular case the state government agency, they should be thankful, say ‘Thank you for letting us know, this could have been an exposure that could have been out there a very long time.’”

Post-Dispatch stands by reporting

Parson said he was referring the matter to the Cole County Prosecuting Attorney and that the Highway Patrol would investigate. The decision drew widespread criticism.

“We stand by our reporting and our reporter who did everything right. It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention,” Post-Dispatch Publisher Ian Caso said in a statement published on the newspaper’s website.

Rep. Tony Lovasco, an O’Fallon Republican, said it was unfortunate “journalists who are ostensibly trying to blow the whistle on a major flaw in a state website are being threatened with prosecution.”

“It’s something anybody could have stumbled upon, which makes the security vulnerability all the more concerning,” he said.

The National Cybersecurity Center runs a training program for state governments. It is commonplace, McAlum said, for institutions to have programs encouraging or hiring outside parties to scan their websites to detect cyber vulnerabilities and report them.

The state’s Office of Administration, which oversees the state’s IT systems, said that after it was notified of the DESE vulnerability it hired third-party testers to scan the state’s websites and examined “all public facing web applications across all state agencies.”