Missouri governor accuses journalist who warned state about cybersecurity flaw of criminal ‘hacking’

When a St. Louis Post-Dispatch journalist discovered that the Missouri state teachers website allowed anyone to see the Social Security numbers of some 100,000 school employees, he did what any reporter might do. He published a story about the security vulnerability — though not before warning the state and giving it time to remove the affected webpages.

A July 2020 file photo of Missouri Gov. Mike Parson, who called a St. Louis Post-Dispatch reporter a "hacker" after the discovery of a security flaw in a state website.

© Alex Brandon/AP
A July 2020 file photo of Missouri Gov. Mike Parson, who called a St. Louis Post-Dispatch reporter a “hacker” after the discovery of a security flaw in a state website.

Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap. But Missouri Gov. Mike Parson (R) did the opposite: He called the journalist “a hacker” who may face civil or criminal charges for “decod[ing]” HTML code on the Department of Elementary and Secondary Education website and viewing three Social Security numbers.


Load Error

The journalist was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson announced Thursday. He said that he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.

The announcement immediately drew appalled reactions from the Post-Dispatch and other journalistic organizations.

“We stand by our reporting and our reporter who did everything right,” Ian Caso, president and publisher of the Post-Dispatch, said in a statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”

Committee to Protect Journalists’ U.S. and Canada program coordinator Katherine Jacobsen called Parson’s legal threats “absurd.”

“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” she told The Washington Post in an email.

A spokeswoman for…


2016 Presidential Campaign Hacking Fast Facts

CNN Editorial Research

Here’s a look at hacking incidents during the 2016 presidential race between Donald Trump and Hillary Clinton. For details about investigations into hacking and efforts to interfere with the election, see 2016 Presidential Election Investigation Fast Facts.


September 2015 – The FBI contacts the Democratic National Committee’s help desk, cautioning the IT department that at least one computer has been compromised by Russian hackers. A technician scans the system and does not find anything suspicious.

November 2015 – The FBI reaches out to the DNC again, warning them that one of their computers is transmitting information back to Russia. DNC management later says that IT technicians failed to pass along the message that the system had been breached.

March 19, 2016 – Hillary Clinton’s campaign chairman John Podesta receives a phishing email masked as an alert from Google that another user had tried to access his account. It contains a link to a page where Podesta can change his password. He shares the email with a staffer from the campaign’s help desk. The staffer replies with a typo – instead of typing “This is an illegitimate email,” the staffer types “This is a legitimate email.” Podesta follows the instructions and types a new password, allowing hackers to access his emails.

April 2016 – Hackers create a fake email account and use it to send spear-phishing emails to more than thirty Clinton staffers, according to investigators. In the emails, the hackers embed a link purporting to direct the recipient to a document titled “hillaryclinton-favorable-rating.xlsx.” The link directs the recipients’ computers to a website operated by the hackers. That same month, hackers use stolen credentials to access the Democratic Congressional Campaign Committee computer network, stealing data with malware. They ultimately access 33 DNC computers and anonymously register a website called DC Leaks to publicize the release of documents.

May-June 2016 – The hackers steal thousands of emails from the DNC server and begin to conceal their efforts.

June 12, 2016 – During an interview on British…


Purdue researchers create ‘self-aware’ algorithm to ward off hacking attempts

WEST LAFAYETTE, Ind. — It sounds like a scene from a spy thriller. An attacker gets through the IT defenses of a nuclear power plant and feeds it fake, realistic data, tricking its computer systems and personnel into thinking operations are normal. The attacker then disrupts the function of key plant machinery, causing it to misperform or break down. By the time system operators realize they’ve been duped, it’s too late, with catastrophic results.

The scenario isn’t fictional; it happened in 2010, when the Stuxnet virus was used to damage nuclear centrifuges in Iran. And as ransomware and other cyberattacks around the world increase, system operators worry more about these sophisticated “false data injection” strikes. In the wrong hands, the computer models and data analytics – based on artificial intelligence – that ensure smooth operation of today’s electric grids, manufacturing facilities, and power plants could be turned against themselves.

abdel-kahlik-groupPurdue researchers have developed a novel self-cognizant and healing technology for industrial control systems against both internal and external threats. The project is led by Hany Abdel-Khalik (center) with Yeni Li, a nuclear engineering postdoctoral associate (right) leading the anomaly detection work and third-year nuclear engineering Ph.D. student, Arvind Sundaram, the covert cognizance algorithms implementation. (Purdue University photo/Vincent Walter)
Download image

Purdue University’s Hany Abdel-Khalik has come up with a powerful response: to make the computer models that run these cyberphysical systems both self-aware and self-healing. Using the background noise within these systems’ data streams, Abdel-Khalik and his students embed invisible, ever-changing, one-time-use signals that turn passive components into active watchers. Even if an attacker is armed with a perfect duplicate of a system’s model, any attempt to introduce falsified data will be immediately detected and rejected by the system itself, requiring no human response.

“We call it covert cognizance,” said Abdel-Khalik, an associate professor…


Famous former computer hacker shares his expertise on cyber security