A cybersecurity perfect storm has been brewing for years in Missouri’s state government computer systems under the supervision of a governor who clearly is clueless regarding computers and data. State computer systems and online data networks are antiquated, using programming languages that became obsolete decades ago. Recent comments by Gov. Mike Parson suggest he thinks that people in white coats with floppy discs and boxes of punch cards are what make those dang computers work.
The Office of Administration under Parson’s direction is not to be trusted with cybersecurity as long as the governor insists that he’s right and the rest of the world is wrong when it comes to identifying hackers. The Legislature and State Auditor’s Office should team up to devise an independent auditing system to ensure the sensitive personal data of state employees, contractors and students can’t be inadvertently exposed because of the governor’s willful incompetence.
The stakes are too high to trust that the executive branch won’t again blunder its way into another mishap like the one Post-Dispatch reporter Josh Renaud exposed in October. While reviewing online teacher-certification data, he discovered that teachers’ Social Security numbers were embedded in source code on a state website. He alerted state authorities and withheld publication of a story until the sensitive data could be secured.
Instead of thanking Renaud, Parson labeled him a hacker, ordered an investigation by state troopers and asked the Cole County prosecutor to consider criminal charges. The prosecutor was unable to justify wasting taxpayer dollars on it. A 158-page Missouri Highway Patrol report showed that Renaud hadn’t accessed anything that wasn’t publicly available. The kinds of sensitive data he stumbled across had been available via the website for at least the past decade, the report indicated.
Renaud, state investigators concluded, did not retain any of the sensitive data he uncovered but did verify with three teachers that the nine-number combinations he found were, in fact, their Social Security numbers. Yet Parson insisted on putting his computer ignorance out there for the world to see, wondering aloud on Tuesday, “Where’s that information at? What’d they do with those people’s personal information? We don’t know.”
Actually, we do know, as do investigators and state education authorities. Even members of the general public know.
Since at least 2015, State Auditor Nicole Galloway has warned of lax data security and warned that the state was also putting student Social Security numbers at risk of exposure.
The state executive branch’s Office of Cyber Security currently lists 10 “guiding principles” governing its operations, the first of which seems more attuned to reducing government input than guarding sensitive data: “We enable government services, not prevent them.” Principle No. 9 states: “Don’t be content with what you know and do today.” And No. 10: “Above all else, have fun; life is short.”
That’s the status of cybersecurity under Gov. Mike Parson.
Get opinion pieces, letters and editorials sent directly to your inbox weekly!