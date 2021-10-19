Missouri Gov. Mike Parson is having a bad week.
On Tuesday he announced a major shakeup in his cabinet that included, among other things, the mysterious forced resignation of the commissioner of the powerful Office of Administration and the removal of the head of the troubled Department of Social Services.
That cabinet shuffle set tongues wagging and pundits and politicos spinning with speculation on what was really going on behind the curtain in the Parson administration.
That drama was overshadowed later in the week by a bizarre attempt by the governor to deflect blame for a cybersecurity flaw in a state website onto the reporter who discovered it.
In an ill-advised press conference Thursday, Parson accused the reporter of “hacking” and vowed to seek a criminal prosecution against him even though the reporter held off writing about the problem until the state could correct it.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said.
Newsflash: The reporter didn’t steal anything, Governor. He did the right thing by notifying your team of a serious security breach on a state database.
Here’s what happened.
Earlier in the week, a reporter for the St. Louis Post-Dispatch alerted the state that Social Security numbers of school teachers and administrators were vulnerable to public exposure due to security flaws on a website maintained by Missouri’s Department of Education, according to the Missouri Independent.
The newspaper agreed to hold off publishing any story while the department fixed the problem to protect the private information of teachers around the state.
According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in the HTML source codes of the pages.
That’s a huge security risk because source codes are easily accessible by right-clicking on public web pages. Any cybersecurity expert will advise against putting Social Security numbers or any sensitive private information within HTML. One of those experts called the state’s security flaw a “boneheaded mistake.”
The reporter did the state a favor exposing a design flaw that should have never occurred. But that’s not how Parson viewed it. He accused the reporter of committing a crime and attacked him and the newspaper in statements that quickly went viral and earned the governor nationwide condemnation for his suggestion that criminal conduct took place.
His comment even made fellow Republicans wince. State Rep. Tony Lovasco, R-St. Charles County, who has a background in software deployment and maintenance, tweeted, “It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.
“Journalists responsibly sounding an alarm on data privacy is not criminal hacking,” he added.
No, it is not. Not even close.
Parson is a good man, a man of character. He has been savaged by the press, perhaps unfairly, on any number of issues. It comes with the job. He knows that.
As a farmer, he also knows when you step in a creamy pile of cow dung, you need to clean things up. He should start by apologizing to the Post-Dispatch reporter. Then he should fire whoever created the website and the staff member who advised him on how web technology works.