Like many Arkansans, in the past several weeks I’ve seen the view from my office change considerably. I was on a conference call in mid-March the moment the news broke that the governor closed the schools, and as a mother of four kids in public school, I suddenly knew that I was about to see some major changes in how I practice law. By the end of that week, my law firm had sent out multiple emails to its hundreds of attorneys and staff across the country with instructions on using a VPN [virtual private network], how to keep communications secure and stern warnings to ensure that we all did our part to protect our clients’ information online.
Accountability, responsibility and security: these are the bare minimum we owe clients. There can’t be mutual trust without them.
Also like most Arkansans, I have very little expertise in what “cybersecurity” means, short of knowing that I probably shouldn’t respond to emails from foreign royalty trying to obtain my Social Security number in exchange for millions of dollars. In the weeks since this pandemic began, however, many Americans have received a crash course in the cybersecurity risks associated with a large remote workforce.
These risks were laid bare just this past week here in Arkansas when Governor Hutchinson announced May 16 that there had been an apparent data breach of the Arkansas Pandemic Unemployment Assistance Program website. The governor said that an applicant “illegally” accessed the system and was able to view other applicants’ private data. As soon as the breach was recognized, according to Hutchinson, the website was shut down so that fixes could be put into place to protect that private data in the future.
The next day, the Arkansas Democrat-Gazette’s front page headline was “Hacker shuts down state’s jobless aid site.” Characterizing the person who alerted authorities to the system’s vulnerability as a “hacker” does not fit the way most of us generally understand that term. The Arkansas Times, which broke this story on May 15, reported that the man is in fact an unemployed computer programmer who went to the website to apply for PUA benefits. As a technology professional, he recognized a vulnerability in the system that exposed Arkansans’ private data, such as applicants’ Social Security numbers, bank account numbers and other protected information. This individual attempted to notify the Arkansas Division of Workforce Services after he recognized the vulnerability and was told no one could speak to him. Undeterred, he then tried to notify the Arkansas State Police, who assured him someone would investigate the problem. Still concerned, he pulled the last lever available: He notified the press. Based on the timeline, it appears this last effort was the successful one, as the website went down shortly after the Times circled back to the Division of Workforce Services. Only then did the Times go public with its story.
As the story has continued to develop, cybersecurity experts have come forward to challenge the notion that the actions taken by this individual should be classified as criminal. As the Times reported, experts who work in computer security operate pursuant to a code of ethics that requires them to investigate and report suspected vulnerabilities. This code of ethics appears to have been a motivating factor in this case, where an individual who ostensibly had the tools at his disposal to manipulate or extract sensitive data instead opted to report the weaknesses at least three times.
This type of vulnerability testing and curiosity is not limited to the cybersecurity world. In fact, the U.S. military and law enforcement routinely encourage “vulnerability assessments” or “penetration testing” for the purpose of discovering weaknesses in their own systems. These real-world tests are conducted by good actors, normally under authorization granted in advance that spells out what may be tested and how, and the testers report their findings so that the systems in question can be strengthened before bad actors are able to exploit them. The key to such “pen tests” is not just the initial report itself, but also the ability of the greater organization to absorb the knowledge gleaned from the test and apply it to strengthen the unit or battle plan. What separates the tester from the intruder is permission and intent, not the skill involved. Likewise, shouldn’t the state of Arkansas have a vested interest in encouraging good Samaritan computer programmers to report potential weaknesses in our state cyber-systems, rather than either fearing to report because they might face retribution or, worse, choosing instead to exploit those weaknesses for their own gain? Why would the state of Arkansas create a public policy that prevents us from benefiting from the specialized knowledge and expertise of Arkansas citizens who are willing to share their time and energy with the state to help protect private data?
The coming weeks will tell us whether Arkansans’ private information was, in fact, taken for improper and illegal purposes during the time it sat vulnerable on the web. Hopefully, thanks to the quick action of the person who alerted authorities to the problem, that disaster may have been averted. Either way, we will likely see important conversations in coming days about whether the contractor who built the PUA site did so securely, whether the state managed it appropriately, and whether there are lessons to be learned for improving cybersecurity for state websites in the future. However, none of those investigations will answer a more fundamental question that has been raised by the starkly different ways that the media and our elected officials have characterized the person who brought this issue to our attention: Is he an illegal hacker who should be prosecuted or a whistleblower who should be praised? And do we, as Arkansans, want some level of assurance that if we ever discover a similar problem in the way our government is operating, we can come forward without being labeled as … well, a criminal?
Americans spent the fall and the early weeks of 2020 hearing about whistleblowers of a different sort, as President Trump’s impeachment hearings marched on, and speculation raged as to the identity of the federal whistleblower who first reported the contents of that infamous “perfect” phone call between President Trump and Ukrainian President Zelensky. Indeed, whistleblowers have had a role in political intrigue for generations, on both sides of the aisle (Deep Throat and Linda Tripp both immediately come to mind), and they have routinely played an important part in holding those in power to account by informing authorities, and sometimes the public, of illicit, illegal or unethical activity. Whistleblowing has been deemed so valuable that we have enshrined legal protections in federal laws like the False Claims Act, the Civil Service Reform Act, the Sarbanes-Oxley Act and, naturally, the Whistleblower Protection Act. While each of these acts covers different types of protected conduct, the same thread runs through each: An individual with information demonstrating dangerous or prohibited conduct by someone in power may come forward to authorities and provide that information without fear of retribution or recrimination. In some cases, they are even given a reward if the information provided leads to a successful prosecution or judgment against the guilty party.
So back to the PUA website. Applying the framework above, the individual who recognized the weakness in the DWS website and reported it to two state agencies before alerting the public should be entitled to whistleblower protections if investigation reveals that he is what he claims to be: an honest broker seeking to alert the state to a serious security vulnerability. Assuming there is no evidence that he obtained applicants’ personal data or intended to use it for illegal purposes, it is difficult to understand why the governor has suggested he acted criminally, unless it was an attempt to deflect blame for the state’s faulty PUA system. The governor’s approach ignores the fact that cybersecurity experts operate both as … well, experts and also as daily consumers of internet content. Is there a difference between a “hacker” and a person who simply has the knowledge to recognize a security vulnerability when he sees one?
Unfortunately, the answer is that the law in Arkansas — and in most of the U.S., to be fair — has not caught up to the technology we all use every day. Despite whistleblower protections available to individuals in all kinds of other circumstances, there is currently no federal statute specifically designed to protect cybersecurity whistleblowers. Instead, cybersecurity whistleblowers must rely on a patchwork of state and federal laws that “kind of” protect them – which is no protection at all in many cases. As a result, people like the whistleblower in this case are left with the agonizing choice of whether to come forward with information that could help secure sensitive information knowing that they might well be prosecuted for their good deed.
Several states have begun to enact their own cybersecurity laws that protect whistleblowers. Delaware, for example, has a Responsible Disclosure Policy that allows people to quickly and safely report cybersecurity vulnerabilities via an online form on the state’s website. The policy clearly states that the Delaware Department of Technology and Information “agrees not to pursue claims against those who disclose potential vulnerabilities” as long as the person reporting the problem does not engage in fraudulent financial transactions, attempt to store or destroy data, compromise the privacy of Delaware residents, or intentionally cause harm to the state.
While Arkansas has recently enacted some laws directed toward enhanced cybersecurity, including Act 599 of 2019 (providing for the security of emergency service agencies) and Act 1085 of 2019 (enacting the Cyber Initiative Act, to reduce cyber risks and encourage economic development), we do not have a procedure by which a whistleblower can safely report cybersecurity vulnerabilities without fear of reprisal. Interestingly, while each of the 2019 acts acknowledges the vital importance of mitigating cyber-risks to the state, neither provides any sort of protected reporting procedure. Nor do we have an affirmative whistleblower defense to criminal prosecution for crimes such as “computer trespass” and “unlawful access of computers,” both of which can be felonies in Arkansas. But without adequate whistleblower protection, how will we know that these threats exist?
The PUA website breach this week was not a fluke. As we continue to distance and rely more on technology to stay connected, we can expect more breaches like this one. The Arkansas General Assembly is back in session in 2021, and we need a cybersecurity whistleblower protection act on the table. Unless we enact a policy that encourages disclosure of potential vulnerabilities, we will continue to simply stick our heads in the sand and pretend that such threats don’t exist.
Luckily, we don’t have to reinvent the wheel to accomplish this goal: the Arkansas Medicaid Fraud False Claims Act and the Arkansas Medicaid Fraud Act both provide explicit whistleblower protection against retaliation for reporting Medicaid fraud, and each allows for a reward based on recovery in certain cases. Likewise, the Arkansas Whistleblower Protection Act offers state employees protection from retaliation for participation in a government investigation or refusal to engage in illegal conduct. These frameworks provide a simple path our legislature could use to provide the protections needed to encourage individuals to report vulnerabilities before they harm Arkansans. Moreover, states like Delaware have already figured out how to adapt such protections to the unique realm of cybersecurity. Maybe we could even go as far as to offer “bug bounties” to reward people who find and report vulnerabilities, as some other public and private entities, ranging from the U.S. Department of Defense to Uber, have done.
This week’s data breach was a wakeup call, but that doesn’t have to be the end of the story. Arkansas could use this opportunity to shape one of the boldest, most comprehensive cybersecurity acts in the entire country, and as a part of that, ensure that whistleblowers are empowered to come forward and report these vulnerabilities safely. This isn’t just an issue of “cybersecurity”; it is an issue of public trust. Without accountability, responsibility and the very basics of cybersecurity, I can’t do my job as an attorney, and my clients can’t trust me. The same goes for the relationship between Arkansans and our government. Without government accountability and incentives for reporting cyber-vulnerabilities, our state’s government can’t do its job — and we’ll think twice before trusting it again with our sensitive data.
Ashley Hudson is a Little Rock attorney, mother and candidate for Arkansas House District 32.