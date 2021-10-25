Gov. Mike Parson continues to stumble badly in his efforts to deflect blame for a cybersecurity flaw in a state website onto the reporter who discovered it.
Parson was widely ridiculed for an ill-advised press conference last week where he accused a St. Louis Post-Dispatch reporter of “hacking” and vowed to seek a criminal prosecution against him even though the reporter held off writing about the problem until the state could correct it.
The design flaw exposed the Social Security numbers of teachers in Missouri through the plaintext HTML source codes in the pages on the state website. Anyone could find the sensitive personal information simply by right-clicking within a browser and hitting “View Page Source” on the application webpage. The personal information should never have been there in the first place.
The story blew up as technology and cybersecurity experts across the country blasted Parson’s lack of understanding of how websites work and for his attempt to characterize the reporter’s actions as criminal conduct. Press advocates, understandably so, were less kind.
Our governor stepped in it. His actions made himself and our state look foolish. Yet instead of pivoting from the blunder, perhaps by apologizing to the reporter and moving on, he appears to be doubling down on his malevolent absurdity.
An attack ad produced by a political action committee that promotes his political agenda began circulating this week. Calling the incident “Fake News,” the ad states the St. Louis Post-Dispatch “is purely playing politics,” saying, “Exploiting personal information is a squalid excuse for journalism.”
Huh? The only one playing politics in this incident is Parson. Sometimes you have to hug a bad deal in politics; this isn’t one of those times. Our governor is calling in fire on his own position. It’s not helping him.
The reporter did the state a favor by exposing a design flaw that should never had occurred. In the real world, if you find and report a security flaw to a company, you’re normally thanked; sometimes you even receive a reward, according to cybersecurity experts. The teachers we’ve heard from are grateful the security issue was discovered and fixed. They also are wondering who put their personal information at risk in the first place. They aren’t pointing fingers at the press on this one.
Parson should be wondering the same and not wrongly blaming the press. Instead, he continues to float the notion that it will cost taxpayers $50 million to respond “to this one incident alone and divert workers and resources from other state agencies.”
That’s ludicrous, according to Parson’s critics and state officials, who are scratching their heads as to where the governor came up with that number.
But if this incident did anything, it exposed the fact that the state’s technology and cybersecurity needs a thorough review across every department and agency. Where there’s smoke, there’s fire. Our guess is if the department of education’s website is deficient, so are others.
Instead of attacking reporters, as state Rep. Ashley Aune, D-Kansas City, noted, the governor should appoint members to the newly established Missouri Cybersecurity Commission, something he has been dragging his feet on.
Or he could heed the advice of U.S. Sen. Ron Wyden, D-Oregon, who joined the chorus of Parson’s critics — yes, even U.S. senators are weighing in on this issue. “Journalism isn’t a crime. Cybersecurity research isn’t, either,” he said. “Real leaders don’t unleash their attack dogs on the press when they expose government failures. They roll up their sleeves and fix the problem.”
The governor needs a reset on this issue. There is no spin, no deflection, no alternate theory of this incident that can get around the fact that he misplayed this incident.