Earlier this month, a report from the St. Louis Post-Dispatch revealed that Missouri’s Elementary and Secondary Education’s website had security flaws that left the Social Security numbers and other personal information of thousands of education employees vulnerable.
Since that report, Gov. Mike Parson has launched a criminal investigation against the reporter and others involved in the report. The vulnerability has also led to calls to invest more in web security in the state, including appointing members of a newly established cybersecurity commission that Parson signed into law in July.
St. Louis Public Radio’s Sarah Kellogg spoke with Joe Scherrer, director of Washington University’s Cybersecurity Strategic Initiative, about government cybersecurity, whether states and other forms of government are putting enough resources into defending against cyber threats and the importance of the found vulnerability.
This interview was edited and condensed for clarity.
Sarah Kellogg: Overall, what was your impression of the vulnerability that the St. Louis Post-Dispatch found in the Missouri-run department of education website?
Joe Scherrer: It was a bit of a nothing burger in my view, the reporter went through just steps that anyone in the public could have taken and found the exposed information. I wouldn't call it a breach, by any stretch of the imagination, it was just the more of a data exposure, related to really I would call poor coding and quality assurance processes. And it's not just the state of Missouri that has this issue. Practically every organization in the world has this problem.
Kellogg: So does this cause concern about possibly other vulnerabilities and security of Missouri-run sites?
Scherrer: Immediately after the event, they went through and they did a check of all their web or their public-facing websites. And I would be pretty confident that if they thought if there were any other incidents of this type of thing, that they were able to perfect it.
Kellogg: Looking at this particular instance, this vulnerability that was found, could it have led to something larger if it hadn't been found earlier? Do you think this is just an isolated incident?
Scherrer: Well, the biggest thing that resulted as a result of this attack was the personally identifiable information that was exposed. So, if I were a teacher, that would make me very uncomfortable, if not angry, some of my personally identifiable information, Social Security number or whatnot, was out there, addresses. That's not a good thing. And, in fact, governments and organizations are required to protect that. So it's a matter of having a strategy where you're protecting, what I call the crown jewels.
Kellogg: And do you think that this may be a sign for Missouri to reevaluate how it builds its pages or is kind of a reckoning moment in a way?
Scherrer: There's never a bad time to do it. The good time to do it is when something like this happens.
Kellogg: And is this a larger problem beyond Missouri. Are states doing enough to protect themselves from vulnerabilities like this?
Scherrer: My sense is that at the state level, most states, if not all states, are going to have some level of resources dedicated to this. Where the real issue is in municipal and county government, where there are much fewer resources involved. Where you just don’t have the dollars available. And also it’s very difficult to hire people in.
Kellogg: So what can be done policy wise, then to help prevent this?
Scherrer: Well it’s a matter of priorities. So, board of aldermen and commissioners, they get elected on an agenda. Normally high up on those are public security, basic services. How often does cybersecurity get prioritized as part of an issue that voters are concerned about? So unless and until voters decide that cybersecurity is a priority, it's gonna be very difficult for elected officials to be able to allocate resources to do it.
Even despite that challenge, the rule of thumb is, if you have an IT budget, let's say of $1 million, 10% of that should be allocated to cybersecurity. That's a decision that can be made at, say, the city manager level or at a policy level that’s just in my view, table stakes, and it's absolutely the responsible thing for any official to be doing.
Listen to the interview here.