
On the defensive: Responding to security suggestions

BY MARK LANTERMAN

Almost 10 years ago, the health insurance marketplace for Minnesotans, MNsure, was launched. Like many undertakings of its size, some security issues marked the website’s release. In particular, it was discovered that simple attacks could easily compromise personal information submitted by users. The problem and its solution were both fairly straightforward. But in trying to communicate with the officials in charge, I quickly found that bringing the problem to the attention of those in a position to fix it proved more challenging than expected. Instead of welcoming the information and suggestions for improvement, MNsure personnel received the news with denial and frustration. 

A recent headline out of Missouri made me remember this incident. Missouri Gov. Mike Parson is threatening to prosecute the St. Louis Post-Dispatch for reporting a security vulnerability in a state education website that exposed teachers’ Social Security numbers in the page’s HTML source code.1 Instead of taking the warning to heart and being grateful for the opportunity to proactively prevent future breaches, the governor is retaliating with the threat of legal action. He views the research that documented and publicized the vulnerability as a hack, stating that, “Not only are we going to hold this individual [reporter] accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.” The governor believes that the vulnerability was reported with the purpose of embarrassing the state and selling papers, not to remediate a glaring security issue that could continue to expose the personal information of educators. 

The episode has led many critics to point out the long-term effects of silencing security researchers, not to mention the repercussions of trying to control and intimidate the press. It has also been noted that the paper acted ethically and in accordance with accepted disclosure practice in reporting on the vulnerability. According to an account published in Wired, “The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the hole before making it public.”2 It would seem that the paper did not act inappropriately or with malicious intent in its reporting. Rather, like many individuals trying to bring about improvements in cybersecurity, the reporters were shot as the messengers. An expensive witch hunt to penalize those who spoke up will further complicate the issue by consuming resources that could be spent improving security infrastructure and culture; the governor has provided an estimate of $50 million for dealing with the “hack.” It is unclear what the cost of fixing the vulnerability alone was, nor is it apparent how the $50 million estimate was calculated. It should be emphasized that the vulnerability itself has already been fixed. 

Though what happened in Missouri represents an extreme example, this kind of reaction is not uncommon. Many security professionals and IT departments encounter it when cybersecurity vulnerabilities are discovered. Deflection, anger, denial, minimization of the threat, and an instant resort to the blame game often follow an earnest attempt to inform upper management of a security concern. Diverting attention away from the problem at hand by blaming the individuals who brought attention to it is unproductive at best. 

Within organizations, the Missouri episode serves as a good example of how not to address and remediate security issues. Even where written policies exist for reporting cybersecurity concerns to upper management, employees or the IT department may feel apprehension when it comes to actually providing information. The expectation that concerns will be disregarded, or that negative consequences will follow, is a common deterrent. Instead of blaming individuals for trying to improve security, organizations should openly encourage information-sharing and communication. Every report should be investigated properly before any response, including a denial that a problem exists, is issued. 

Security professionals are not responsible for the vulnerabilities they unearth, nor should they be discouraged or punished for bringing these problems to the public’s awareness, provided they follow proper ethical guidelines. Security research is an important part of proactively countering cyber threats and the risks that accompany them. Within organizations, it is important to take security reporting seriously and to encourage improvement. Whether it is the IT department informing upper management of a vulnerability or an employee raising a concern about email security, security issues should be addressed with a mindset of remediation and advancement. 

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.

NOTES

1 https://www.npr.org/2021/10/14/1046124278/missouri-newspaper-security-flaws-hacking-investigation-gov-mike-parson

2 https://www.wired.com/story/missouri-threatens-sue-reporter-state-website-security-flaw/