Arkansas Governor Frames Programmer Who Discovered PUA Data Breach As Acting Illegally

theodp writes: Arkansas Governor Asa Hutchinson had an odd way of showing his appreciation for the unemployed computer programmer who pointed out a vulnerability in Arkansas’s Pandemic Unemployment Assistance website, framing the programmer’s actions as illegal.

The Arkansas Times’ Lindsey Millar explains: “Beginning on Saturday at a news conference and continuing Monday, Hutchinson has framed the applicant who sounded the alarm as acting illegally. He announced Monday that the FBI was investigating the matter. He said he understood personal information had been ‘exploited.’ ‘We don’t believe that the data was manipulated,’ Hutchinson said. ‘In other words, where someone would go in and change a bank account number, which is what criminals would do. When you say ‘exploited,’ I believe that is a technical term of art that includes visual seeing of someone else’s data. That is a concern to us and that is what constitutes a breach.’ Asked about his rationale for framing the programmer’s actions as illegal, the governor said, ‘When you go in and manipulate a system in order to gain an access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place in these systems, and it would be a violation of the law as well, I would think (video).'”

Hutchinson is a member of Governors for CS (and a founding co-chair), who “share best practices for computer science and advocate for federal policies to expand computer science instruction” in partnership with tech-backed Code.org.

Andrew Morris, a cybersecurity expert with more than a decade of experience and the founder of GreyNoise Intelligence in Washington, D.C., said the governor’s framing of the programmer as acting illegally was “the wrongest way” to handle the situation.

“They’re shooting the messenger,” he said. “There are so many reasons why that is bad. It creates a culture where they’re punishing people for doing the right thing and trying to report the vulnerabilities and get them fixed. This person didn’t have to say anything.”