Pennsylvania CISO Fired Over Talk At RSA Conference
An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."
Must have not got the memo..
~Mekkah
What's the story here? He blabbed on a security issue without approval, and got his ass roasted.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Firing the guy will absolutely convince the public that you've fixed your security problems.
(had to make sure I hit the "Post Anonymously" button...)
I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadians broke in and tried to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice.
I hope I don't get fired for sharing this amazing story with Slashdot
Yep, he is hitting what I call "legacy" PR, which is based on controlling the message.
Seeing as careless talk can lead to image problems and/or lawsuits (or harming your case if prosecuting them). If you're in a senior position and you talk publicly in a work-related context, you talk on behalf of the organisation whether you intend to or not. OTOH if you are "blowing the whistle" on wrongdoing, there is a specific procedure for that which offers protection.
has always worked
except on windows xp...
Are they hiring now?
Who fired him? Sounds like he made the wrong people look bad. Rules are rules, I suppose, but if the problem has been fixed, isn't talking about security and attack vectors generally a good thing?
Now all your remaining security issues will fix themselves. But, don't worry, I'm sure Robert Maley will be happy to help you out - at 5 times what you were paying him.
Pain is merely failure leaving the body
The important paragraph in TFA:
"Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."
Now there's a good plan: If you don't talk about it, no one will know you have a problem, and you can save all that money you were spending on those annoying security types.
From TFA: Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed.
So instead of paying people to fix our security holes, we're just not allowed to talk about them?
If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.
I mean any and every item. I'd expose every stupid supervisory move that compromised security and my ability to protect the network. EVERYTHING would be exposed.
Nothing worse than people getting their panties all in a wad over a "talk" about a well publicized incident, which all the bad guys already knew about.
There is only one thing these people understand, and that is how to look good. Ruin it for them.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Another telling fact from the article is that the security staff and budget have both been cut by upwards of 40%...no wonder they don't want anybody talking...
Cluetrain Manifesto.... Dead. Slashdot Confirms.
I'm personally not interested in what comes out of any organization's public orifice because it always looks and smells like BS.
When they shut down their non-public orifices they become more and more useless. They lose value. Real, actual dollar value.
In a way I'm more worried about this from a public organization because they have a monopoly on governance, and when they're doing it wrong they can keep doing it wrong a lot longer than a private company.
I'm simply rehashing the same thing I wrote over at SC Magazine's site:
We do not know all the facts behind the termination, but if it was based primarily on his RSA appearance, that's a shame. There are so many variants of qualitative and quantitative risk assessment that regular meetings with your peers seem to be just as critical with regards to understanding the important controls which need to be put in place. The days of leading with FUD appear to be in our rear view mirror, and building up a positive outlook in security by learning from the past and attempting to stay ahead of the curve is imperative to our support of the business or the public entity. What was the common theme with all the CISOs at RSA? Information sharing is critical and we're way behind. We don't share information, we put ourselves on "lockdown" and don't get invited to the table anymore as security professionals. We're seen as roadblocks, as negative drags on the bottom line. Something has to change or else we're going to lose ground as a country. In fact we already have.
Sharing information with other professionals is now critical to any InfoSec career. We do need to account for privacy, so a balance must be achieved. Maley may have violated a confidentiality component of his employment, but that doesn't make the spirit of what he did wrong in any way. If anything, some clear guidance on what types of information are shared behind closed doors at peer review and group meetings at RSA should be discussed. You can't vet everyone who attends the meetings, but openness is a good thing, not a bad thing. More transparency is needed across the public and private sectors. More openness is needed among security professionals. The state of PA has it wrong. Lockdown is not a way to progress forward out of this losing battle with regards to properly securing the infrastructure while allowing the inevitable growth of technology and information.
Many Shuvs and Zuuls knew what it was to be roasted in the depths of the Slor that day, I can tell you!
"If still these truths be held to be
Self evident."
-Edna St. Vincent Millay
If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.
If the internal security failure led to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes-Oxley stuff which is supposed to encourage whistleblowing.
Some "internal" things are more internal than others....
Lucky not to be in jail, as others who have come out with info on security incidents / holes have been locked up.
Who fired him?
According to public records having to do with reporting structure, he would have been fired by Brenda Orth, CIO (Chief Information Officer) in the OA (Office of Administration, Commonwealth of Pennsylvania). The reporting chain is easily verifiable using either the Google cached copy of their page, or the Internet Way Back Machine.
She basically reports to the state Governor's staff, so there's no telling how far uphill you'd have to go to find the source of the firing, but as his immediate supervisor, she would have been the one to pull the trigger.
-- Terry
Didn't he know that you're only supposed to talk at conferences when A) you have something to sell, or B) you're being paid in a round-about way to promote a product while appearing to have no conflicting interest?
No one does a post-mortem of ACTUAL issues that matter to ACTUAL people, anymore.
However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the department was aware, there had been no hack or breach of the system.
Don't you hate it when people imply that their system was not "hacked" simply because they didn't provide the proper precautions to stop the leaking of internal data or changing database information in a way it was not intended?
According to our current definitions... IT WAS A HACK. Whether something is a hack is not determined by the ease with which it is performed or the size of the damage, no matter how minimal.
She is describing "hack" in terms of ramifications.
This concept is almost as silly as attempting to make breaking DRM code illegal without considering the quality of code or logic/math behind it. For example, I could take code and increment each character, i.e. a => b, b => c, ... z => a, and then call this "DRM". Now if any pre-teen tries to run this through their decoder ring to "break it"... they get a free pass to jail.
The first rule of Commonwealth's online driving exam scheduling system is: You don't talk about Commonwealth's online driving exam scheduling system.
#DeleteChrome
And exactly how do you think most whistleblowers get their start?
Every whistleblower ever gets painted first as a "disgruntled employee crying for attention." When that doesn't stick, they move on to "violating security by disclosing classified information."
The problem is, we never find out about bad behavior covered by secrecy from people who are happy and secure within the organization. Criminal enterprises both in and out of government usually get uncovered when they try to screw over one of the lower guys who still knows enough about where the bodies are buried.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
-dB
"If it was easy to do, we'd find someone cheaper than you to do it."
The story is that it is extremely undesirable for that to be the policy. It is in the public interest that government employees blab a lot, especially about things that have gone wrong.
BTW, it's the same where I live, in New Mexico. Only the Ministry of Truth (actually, I think the title is something else, "Public Relations") is allowed to say anything publicly. Any grunt who happens to know about massive, overwhelming inefficiencies or incompetence, isn't allowed to talk to the press. That's a firing offense and I can't imagine how many millions of dollars per year it is costing the taxpayers; I just know how much I hear off-the-record you-can't-quote-me-or-I'll-be-fired from just one person alone (my girlfriend, a state employee). Really hurts because I work for the press. Every few weeks she tells me mindblowing stuff that the public never finds out about, and would be insanely furious if they did.
The amount of money being wasted is just amazing. Seriously, if only you knew. And they claim to have budget problems!!
The government is made of cockroaches and badly in need of light.
"Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."
They're gutting my budget and staff, cracking us wide open to attacks such as this one, and putting a gag-order on us to hide their downright malicious mismanagement.
Sounds like a whistle-blower to me...
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
You are totally right, I'm also not personally interested in what comes out of any organization's public ORIFICE. It's smelly business at its finest!
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
A C-level executive is expected to speak at conferences, and in the case of security conferences, to talk about security.
His management probably didn't realize they had authorized him to speak about matters that might make them look bad.
As it happens, if the case has gone beyond investigation and is before the courts, it's now a matter of public record.
--dave
davecb@spamcop.net
I went to one geared towards security for people in physics. Essentially only the people from CERN were willing to give talks where they discussed actual incidents. Everyone from DOE labs was unable. I had the sense that other labs were under rules like that as well. It was ridiculous: because of that, nothing could be shared, hence nothing could be learned. We were all admin types at the labs; it was not open to the public or anything of that sort.
There's a pending criminal investigation into the incident: of *course* he's not supposed to talk about it without prior approval. This isn't whistleblowing, there was no coverup: just a security breach which is presumably fixed and a company that may have exploited it.
Not trying to karma whore, but I had already written about this in a previous comment.
What I have linked to is both the original article from our local paper as well as two other articles from blogs which covered this subject.
As you can see from some of the comments in the original article, there are those who have some inside information to what went on as well as what type of person he was.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower