The state of Missouri has an Office of Cyber Security.
It’s really good at what it does, or used to be, anyway. So said the leaders of the Chief Security Officers Awards in 2017, which for a program by which it purposely examined government and business websites across the state looking for vulnerabilities and then reported to those organizations what it found.
If you go to the state of Missouri’s website today, you can find a headline that is supposed to link to an explanation of the program, titled “Using Public Data to Alert Organizations of Vulnerabilities.” Just click on the Office of Administration site, navigate to the , and on the right, under news, at the top, there is the “Using Public Data” headline.
But there’s a problem.
The link is dead. I found that out this week after Gov. Mike Parson held a news conference accusing a colleague of mine, newsroom developer Josh Renaud, of breaking the law. The governor called him a “hacker” and a “perpetrator” and said he was referring him to authorities for possible criminal activity.
What did he do? Well, as he reported in a story in the Post-Dispatch, he used public data to alert an organization (the state of Missouri) of a vulnerability. What used to be worth a national award is now, according to Parson, a crime. Go figure. There’s a reason state government officials used to do (or maybe still do?) the sort of thing a Post-Dispatch reporter was doing. It’s good cybersecurity practice.
That’s what the news release with the dead link says. I copied and pasted the link into an internet site called the , which captures websites in real time so that when future links go dead for whatever reason, the information is still archived. Here’s what it says about why state workers looked at publicly available HTML code at government and private business sites:
“The program identifies high-risk systems that, if left insecure, could lead to disruptions within critical infrastructure or significant data loss, and contacts the owners of the impacted systems to mitigate risks. ... The primary business goal of this program is to protect the critical infrastructure belonging to governments, businesses, utilities, and academic institutions across the State of Missouri. Critical infrastructure provides the foundation of many life sustaining services such as healthcare, government, public safety, energy, transportation, communication, food/agriculture, and manufacturing. Keeping these services available around the clock is critical to today’s way of life. A secondary business goal is to safeguard the data belonging to Missouri citizens, students, and customers. Our data lives online as much as we do, and to safeguard it has become essential to prevent identity theft, financial loss, and brand reputation impact.”
This is the same sort of motivation that drives data journalists to check state websites, and, when they find something that could lead to citizens’ personal information being insecure, letting government officials know of the potential weakness. That’s what Renaud found out. He discovered the state’s Department of Elementary and Secondary Education was storing Social Security numbers of teachers in publicly available HTML code. Then he told the state about it so it could fix the problem.
The former state employee who was in charge of the state’s award-winning cybersecurity program, Michael Roling, explained its challenges in an interview he gave at an information technology conference in 2017. Sometimes, he said, the people who you inform of their internal cyber weaknesses don’t react so well to the information.
“Some of the reactions were even a little irate at first. That’s the initial human response when you’re told something bad,” who worked for a website that covered government information technology issues. “But when we explained that this was not an audit or playing a game of ‘gotcha’ with them, the tone changed completely. They were happy with the actions we were taking.”
A few years later, it’s Parson who responded to the bad news with a reaction that seemed at least a little irate.
“We will not let this crime against Missouri teachers go unpunished,” the governor said in his news conference in which he didn’t take questions.
In time, I suspect Parson will wish he could get in his own wayback machine and erase his ill-informed attack on the free press. But until that time comes, perhaps he could direct the employees at the Office of Administration to fix the links on the Cyber Security website.
Missouri citizens, teachers especially, need to know how important it is to use public data to alert organizations of vulnerabilities.