Missouri planned to thank security journalist before governor called him a “hacker”

Missouri planned to thank security journalist before governor called him a “hacker”

Missouri Gov. Mike Parson speak from behind a podium during a press conference
Enlarge / Missouri Gov. Mike Parson speaks during a press conference on May 29, 2019 in Jefferson City, Missouri.
Getty Images | Jacob Moscovitch

Missouri state government officials planned to publicly thank a journalist who discovered a security flaw until a drastic change in strategy resulted in the governor labeling the journalist a “hacker,” while threatening both a lawsuit and prosecution.

As we wrote on October 14, St. Louis Post-Dispatch reporter Josh Renaud identified a security flaw that exposed the Social Security numbers of teachers and other school employees in unencrypted form in the HTML source code of a publicly accessible website. Renaud and the Post-Dispatch handled the problem the way responsible security researchers do—by notifying the state of the security flaw and keeping it secret until after it was fixed.

Despite that, Missouri Gov. Mike Parson called Renaud a “hacker” and said the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor said further that his “administration has notified the Cole County prosecutor of this matter,” that the Missouri State Highway Patrol’s Digital Forensic Unit would investigate “all of those involved,” and that state law “allows us to bring a civil suit to recover damages against all those involved.”

“We are grateful to the member of the media”

But only two days earlier, a government spokesperson was preparing a quote to publicly thank the journalist, as the Post-Dispatch reported today:

In an Oct. 12 email to officials in Gov. Mike Parson’s office, Mallory McGowin, spokeswoman for DESE [Department of Elementary and Secondary Education], sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.

“We are grateful to the member of the media who brought this to the state’s attention,” said a proposed quote from Education Commissioner Margie Vandeven.

The Parson administration and DESE did not end up using that quote. The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a “hacker.” And on Oct. 14, Parson held a news conference to rail against the Post-Dispatch and announce a criminal investigation by the Missouri State Highway Patrol.

“We will not let this crime against Missouri teachers go unpunished,” Parson said at the news conference. “And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”

The Post-Dispatch obtained the October 12 email in a public-records request. The plan to thank the journalist was apparently scrapped by 1:18 pm on October 13, when “McGowin emailed Kelli Jones and Johnathan Shiflett, who both work in the governor’s office, to say Vandeven wanted her to meet with governor’s office officials,” the Post-Dispatch wrote. A draft news release emailed by McGowin at 3:46 pm, apparently after that meeting, referred to the journalist as an “individual.” A further revision emailed by Shiflett at 4:20 pm called him a “hacker.”

FCC kicks China Telecom Americas out of US, cites Chinese government control

FCC kicks China Telecom Americas out of US, cites Chinese government control

Illustration of the US and Chinese flags next to each other on a wall with a crack separating the two flags.

The Federal Communications Commission today voted to block China Telecom Americas from the US market, saying that the “US subsidiary of a Chinese state-owned enterprise” is “subject to exploitation, influence, and control by the Chinese government.” The telco “is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said.

The vote was 4-0 with both Democrats and both Republicans approving the order to revoke and terminate China Telecom’s Section 214 authority to operate in the US. The FCC said its order “directs China Telecom Americas to discontinue any domestic or international services that it provides pursuant to its Section 214 authority within sixty days following the release of the order.”

The FCC pointed to a “changed national security environment with respect to China since the commission authorized China Telecom Americas to provide telecommunications services in the United States almost two decades ago.” The company’s “ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Telecom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States,” the FCC said.

China Telecom made “inaccurate statements” about data storage and security

The FCC began its review of China Telecom after the Department of Justice recommended terminating the company’s authorization in April 2020. The DOJ at the time said that China Telecom failed to comply with a 2007 agreement with the DOJ and that it made “inaccurate statements… to US government authorities about where China Telecom stored its US records, raising questions about who has access to those records” and “inaccurate public representations… concerning its cybersecurity practices, which raise questions about China Telecom’s compliance with federal and state cybersecurity and privacy laws.”

The FCC today said that “China Telecom Americas’ conduct and representations to the commission and other US government agencies demonstrate a lack of candor, trustworthiness, and reliability that erodes the baseline level of trust that the commission and other US government agencies require of telecommunications carriers given the critical nature of the provision of telecommunications service in the United States.”

The China Telecom Americas website mostly advertises telecom and networking services for businesses and says the company has its headquarters in the Virginia town of Herndon as well as offices in Chicago, Dallas, Los Angeles, New York, and San Jose. The US subsidiary of China Telecom also offers mobile service called CTExcel, though the US mobile market is dominated by Verizon, AT&T, and T-Mobile. For US customers who need to switch mobile providers, the FCC said it “will issue a consumer guide after the order is released that explains this action and what other options consumers might consider for mobile services.”

We asked China Telecom Americas if it plans to appeal the FCC order today and will update this article if we get a response. “The FCC’s decision is disappointing. We plan to pursue all available options while continuing to serve our customers,” the company told Reuters.