Three months after creation of a commission to identify cybersecurity risks in state government, Missouri Gov. Mike Parson has yet to appoint any members. A state lawmaker said Friday that vulnerabilities exposed on a state website prove the need for just such a panel of experts.
Democratic state Rep. Ashley Aune, of Kansas City, helped write the section of Senate Bill 49 that created the Missouri Cybersecurity Commission. Parson, a Republican, signed the bill into law in mid-July.
“In light of the events that have transpired this week, I believe the governor cannot wait any longer to appoint members to this commission so it may do the critical work of identifying and rectifying gaps in Missouri’s cyberinfrastructure,” Aune said in a news release.
A St. Louis Post-Dispatch journalist uncovered a security flaw in a Department of Elementary and Secondary Education web application that allowed the public to search teacher certifications and credentials. The newspaper found that the Social Security numbers of perhaps 100,000 teachers and other school officials from around the state were in the HTML source code of the pages involved.
The Post-Dispatch alerted the department on Tuesday and the agency removed the pages. The Post-Dispatch said it gave the state time to fix the problem before publishing a story on Thursday.
But Parson on Thursday announced a criminal investigation, alleging the newspaper journalist was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”
Aune accused Parson of a “smear campaign” against the Post-Dispatch journalist when it was Parson’s administration that stored the private information and left it unprotected.
“This fiasco perfectly illustrates why Missouri needs to get serious about confronting 21st century cyberthreats,” Aune said.
An email message left Friday with Parson’s spokeswoman was not immediately returned. But during his news conference Thursday, Parson said the state is “working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”
Ian Caso, publisher of the Post-Dispatch, said in a statement that the newspaper stands by the story and the reporter, who he said “did everything right.”
Orin Kerr, a law professor at the University of California, Berkeley, and an expert on computer crime law, said the fact that the Post-Dispatch journalist looked at the HTML source code is not a crime.
“The Supreme Court has recently said the federal computer hacking law calls for a ‘gates up’ versus ‘gates down’ inquiry,” Kerr said. “And when you post information in source code on your website, on pages the public is supposed to access, that gate is ‘up.’”