Cyberattackers never slow down, but Missouri’s government is asleep at the keyboard

The crisis surrounding Missouri’s digital infrastructure is getting worse. Sadly, the state’s leadership seems unconcerned.

Each week brings another troubling headline about security breaches, balky computers and operational breakdowns in Missouri’s public offices. Gov. Mike Parson’s recent ham-fisted rant about the potential exposure of teachers’ Social Security numbers was, in part, confirmation of a broader issue: in Missouri, IT is BAD.

But it isn’t just a problem in Jefferson City. Slipshod security protocols are a growing problem for cities and counties, and that requires policymakers’ attention too.

Last week, Missouri State Auditor Nicole Galloway released a summary of internet security flaws in a handful of the state’s city halls and courthouses, where residents conduct essential business. It’s scary stuff.

Galloway found network passwords go unchanged for months or years. Simple passwords are routinely shared with outside users. In some places, former employees can still access government computers (that’s a concern in Kansas City, according to an April report from Doug Jones, the city’s auditor).

Computers remain powered up for hours after use. Some government computers, Galloway said, failed to lock out potential intruders even after several incorrect login attempts.

In Jackson County, network access logs were incomplete, increasing the chance that hackers would go unnoticed.

Galloway’s report is largely focused on rural cities and counties, where old technology is common and old habits die hard. But the threat to efficient government is clear in every community, big or small — and it needs the immediate attention of the legislature.

Government efficiency isn’t the only concern. Some 400 cities and counties in the U.S. have suffered so-called ransomware attacks since 2016, The Washington Post reports, and that figure may understate the problem.

In a ransomware attack, hackers invade a digital system and freeze access until a government or a business pays a hefty fee.

Atlanta, Baltimore and New Orleans have seen some of their digital services corrupted by ransomware attacks in recent years that caused major headaches for citizens and public officials alike. Even if governments decide against paying ransom to unlock their systems, costs for data recovery and repair can reach millions of dollars and take months.

Private businesses also are targets. Missouri hospitals have been hit; last week, Sinclair Broadcast Group, which owns several stations in Missouri, faced a massive ransomware attack that froze some newsroom capabilities. Russian hackers may be involved.

The warning lights are flashing in bright red. Strangely, Parson can’t see them: The Missouri Cybersecurity Commission, established by state law this year, has no members. The governor hasn’t appointed anyone to it.

Too busy hounding journalists, apparently.

State legislators must act where he has not. We’ve endorsed a suggestion by Republican state Rep. Doug Richey to use COVID relief money for IT security upgrades and repairs across the state. We repeat that support now, more urgently.

“There are solutions that exist,” Richey has told us. He’s right, although they may be costly: $100 million or more. It’s also clear those solutions should include help for local governments struggling with outdated protocols, as well as Missouri’s substandard digital architecture.

Lawmakers must make this a top priority in 2022. We live online. The digital threat environment is real, and can’t go unaddressed.