WRONG QUESTION: Hutchinson said the issue with the programmer who, through the Arkansas Times, alerted the state to a vulnerability on the PUA website was whether he saw an issue or found an issue. That's not an appropriate distinction, security experts say.

Governor Hutchinson has made expanding computer-science education in Arkansas a top priority of his administration. In December, he announced a Computer Science and Cybersecurity Task Force to enhance cybersecurity education in the state. But in recent days, the governor himself has been out of step with cybersecurity best practices, according to experts. 

On Friday, I notified the Arkansas Division of Workforce Services of a vulnerability in the state’s Pandemic Unemployment Assistance website that exposed the Social Security numbers and bank account and routing numbers of some 30,000 applicants. The state took the website offline shortly after the Arkansas Times emailed the Division of Workforce Services about the issue. I learned of the vulnerability after a computer programmer applying for the assistance alerted the Times to the flaw. He contacted the Times only after reaching out to two state agencies and getting nowhere.


Beginning on Saturday at a news conference and continuing Monday, Hutchinson has framed the applicant who sounded the alarm as acting illegally. He announced Monday that the FBI was investigating the matter. He said he understood personal information had been “exploited.” 

“We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do. When you say ‘exploited,’ I believe that is a technical term of art that includes visual seeing of someone else’s data. That is a concern to us and that is what constitutes a breach.”


Asked about his rationale for framing the programmer’s actions as illegal, the governor said, “When you go in and manipulate a system in order to gain an access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place in these systems, and it would be a violation of the law as well, I would think.”

But the programmer didn’t manipulate the security of the system. He was a PUA applicant himself, who gained access to the admin portal by simply altering the website’s URL, which suggests that basic security protocols were lacking or nonexistent. Through an API (application programming interface) the site was using to communicate with a database, he saw that personal data had been left unencrypted.
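The flaw described above is what OWASP calls broken object-level authorization: the server takes an identifier straight out of the URL, never checks it against the logged-in user, and the backing API returns the full record in the clear. The following is an added example, not code from pua.arkansas.gov or from the Arkansas Times, and every name in it (the `/api/applicants/<id>` route, the `Session` object, the sample records) is an assumption constructed for illustration. It models the vulnerable handler beside a hardened one that performs an object-level authorization check before the lookup and returns masked identifiers, and it logs denied requests so that someone walking through other applicants' IDs shows up in monitoring.

```python
"""Added example: a URL-driven record lookup without (and then with) an
authorization check. Constructed for illustration; not the state's code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    name: str
    ssn: str
    routing_number: str
    account_number: str


@dataclass(frozen=True)
class Session:
    """Authenticated principal. In a real app this comes from a signed
    session cookie or token, never from anything the client can edit."""
    applicant_id: int
    role: str  # "applicant" or "admin" (hypothetical roles)


# Constructed sample records; the values are made up, not real data.
DB: Dict[int, Applicant] = {
    1001: Applicant(1001, "A. Smith", "123-45-6789", "082000073", "000123456789"),
    1002: Applicant(1002, "B. Jones", "987-65-4321", "082000073", "000987654321"),
}

ROUTE = re.compile(r"^/api/applicants/(\d+)$")
AUDIT_LOG: List[str] = []  # hypothetical sink for denied requests
Handler = Callable[[int, Session], Tuple[int, Optional[dict]]]


def mask(value: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with '*', keeping separators:
    '123-45-6789' -> '***-**-6789'."""
    head = "".join("*" if ch.isdigit() else ch for ch in value[:-keep])
    return head + value[-keep:]


def vulnerable_handler(path_id: int, session: Session) -> Tuple[int, Optional[dict]]:
    """Before: trusts the ID in the URL, never compares it with the session,
    and hands back the full record. Any applicant can read any other record."""
    rec = DB.get(path_id)
    if rec is None:
        return 404, None
    return 200, {
        "id": rec.applicant_id, "name": rec.name, "ssn": rec.ssn,
        "routing_number": rec.routing_number, "account_number": rec.account_number,
    }


def hardened_handler(path_id: int, session: Session) -> Tuple[int, Optional[dict]]:
    """After: object-level authorization, then data minimization."""
    # 1. The identifier in the URL is untrusted input. Authorize before the
    #    lookup so a denied caller cannot tell which IDs exist (403 precedes 404).
    if session.role != "admin" and session.applicant_id != path_id:
        AUDIT_LOG.append(f"DENY applicant={session.applicant_id} requested={path_id}")
        return 403, None
    rec = DB.get(path_id)
    if rec is None:
        return 404, None
    # 2. The portal only needs masked identifiers; full values should come from
    #    a separate, audited workflow rather than the general-purpose API.
    return 200, {
        "id": rec.applicant_id, "name": rec.name, "ssn": mask(rec.ssn),
        "routing_number": mask(rec.routing_number),
        "account_number": mask(rec.account_number),
    }


def dispatch(path: str, session: Session, handler: Handler) -> Tuple[int, Optional[dict]]:
    """Minimal router: extract the applicant ID from the path and call the handler."""
    m = ROUTE.match(path)
    if not m:
        return 404, None
    return handler(int(m.group(1)), session)


if __name__ == "__main__":
    me = Session(applicant_id=1001, role="applicant")
    # Applicant 1001 edits the ID in the URL to point at applicant 1002.
    print(dispatch("/api/applicants/1002", me, vulnerable_handler))  # 200, other applicant's full data
    print(dispatch("/api/applicants/1002", me, hardened_handler))    # 403, and an audit line
    print(dispatch("/api/applicants/1001", me, hardened_handler))    # 200, own record, masked
```

The two checks are independent: the authorization test stops the cross-applicant read, and masking limits what leaks if some other bug bypasses it. Repeated `DENY` lines from one session with many different `requested=` values are the signal a detection rule would key on.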


I asked Hutchinson more broadly if he had concerns about the message he’s sending about when citizens should report web vulnerabilities. 

“Well the question is, do you see a vulnerability or did you find a vulnerability? I think we’ll let the investigation speak for itself on those points.”


Christopher Wright is an information security professional with Sullivan Wright Partners in Little Rock. He has more than a decade of experience in cybersecurity, including work with the U.S. Air Force and federal government. “That sort of ‘don’t probe this’ kind of thing doesn’t translate very well from the physical world to the online world,” he said. Curiosity is one of the qualities he’s looking for when he trains next-generation cybersecurity experts, he said.

“When you have somebody who has the mindset, ‘This is a website I use. I want to help,’ that’s the kind of people you want. You’re always going to have people who are nefarious or malicious, and they’re going to be trying to do those on their own. If the vulnerability is out there, we don’t want to bury our heads in the sand.”


Philip Huff, an assistant professor in UA Little Rock’s Department of Computer Science with 15 years of private-sector cybersecurity experience, echoed Wright. 

“If any security professional comes across a vulnerability, then they have an ethical obligation to report that in a responsible manner and do so in a way that minimizes damage,” he said. “The more vulnerabilities are hidden, the more advantage adversaries have in performing their malicious activity.”


Increasingly, major corporations have embraced the idea that it’s better to be proactive about identifying vulnerabilities, Wright said. “Bug” bounties have become prevalent: hundreds of corporations and even the federal Department of Defense pay monetary rewards to people who identify vulnerabilities. Bentonville-based Walmart pays bug bounties in certain cases.

Andrew Morris, a cybersecurity expert with more than a decade of experience and the founder of GreyNoise Intelligence in Washington, D.C., said the governor’s framing of the programmer as acting illegally was “the wrongest way” to handle the situation.

“They’re shooting the messenger,” he said. “There are so many reasons why that is bad. It creates a culture where they’re punishing people for doing the right thing and trying to report the vulnerabilities and get them fixed. This person didn’t have to say anything.” 

Based on his understanding of Arkansas Times’ reporting about the flaws in the pua.arkansas.gov site, Morris said, “It doesn’t really get much worse from a data security and data protection perspective and a risk and severity perspective.” If Arkansas was paying a bug bounty to the programmer, he would be entitled to the highest amount offered, Morris said.


“Every website on the internet — every single server on the internet — is subjected to millions of automated attacks literally every day, all day every day,” Morris said. “There’s a question of resilience here. Machines that are on the internet need to be resilient to a certain baseline attack. This attack falls so far below that baseline that it’s completely insane to say that the onus or the responsibility falls on this actor who perpetrated this action. At some point, the site has to have some baseline of security, and this tells me they fall way below that.” 

Ben Hood is an Arkansas native with cybersecurity experience at EndGame in Washington, D.C., who now works for another technology company in Washington. Regarding Hutchinson framing the programmer’s action as illegal, he said, “He needs to nip that kind of language in the bud. He needs to make damn sure he is not saying something that prevents people from alerting authorities if they see something going wrong like this. That would be the absolute worst thing that comes out of this, if he prosecutes this good Samaritan.”