10358106
story
Comments: 147 + - Your Rights Online: Pennsylvania CISO Fired Over Talk At RSA Conference on Thursday March 11, @05:07PM
background: url(//a.fsdn.com/sd/topics/topiccensorship.gif); width:44px; height:55px;
censorship
background: url(//a.fsdn.com/sd/topics/topicgovt.gif); width:57px; height:80px;
government
An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."
Related Stories
Submission: Pennsylvania CISO fired over talk at RSA by Anonymous Coward
"Why are we importing all these highbrow plays like `Amadeus'? I could
have told you Mozart was a jerk for nothing."
-- Ian Shoales
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
DANG TPS Reports.. (Score:2, Funny)
Re: (Score:2)
Motormouth failed his talking test? (Score:4, Insightful)
Re:Motormouth failed his talking test? (Score:5, Insightful)
The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.
Parent
Re:Motormouth failed his talking test? (Score:5, Insightful)
If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.
Parent
Maybe sometimes, but not always (Score:5, Interesting)
If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.
If the internal security failure lead to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes–Oxley stuff which is supposed to encourage whistleblowing.
Some "internal" things are more internal than others....
Parent
Re: (Score:2)
The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.
Apples and oranges, one is a health risk, one isn't.
Re:Motormouth failed his talking test? (Score:4, Insightful)
Apples and near-apples from my perspective. Both types of problems can have negative consequences if allowed to continue due to lack of public scrutiny. And in neither problem type is there a compelling public interest in secrecy.
Parent
Re:Motormouth failed his talking test? (Score:5, Insightful)
Public outcry over the situation is one way to increase the 'have to' value.
Also, keeping problems secret has always been a major dodge for not having to deal with an issue.
Parent
Re:Motormouth failed his talking test? (Score:5, Insightful)
There is a distinction between "acknowledgment" of an already known problem and the "announcement" of a brand new one. Hackers know about the problem already, and apparently it was widely known how to game the system, so this was only an acknowledgment. The CISO didn't reveal anything new, although it was apparently new to this particular audience.
By making future CISOs afraid for their job, the governor has poisoned the CISO's ability to actually perform their duties.
Parent
Re:Motormouth failed his talking test? (Score:5, Funny)
Apples and oranges, one is a health risk, one isn't.
Which one is it?! Who knew picking from the fruit basket would be like playing russian roulette?
Parent
Re:Motormouth failed his talking test? (Score:4, Funny)
Simple, take the banana and shoot the guy holding the basket.
Parent
Re:Motormouth failed his talking test? (Score:4, Funny)
But what if he has a pointed stick?
Parent
Re:Motormouth failed his talking test? (Score:5, Funny)
Ooh, ooh, ooh; want to learn how to defend yourself against pointed sticks, do we? Getting all high and mighty, eh? Fresh fruit not good enough for you, eh? Well let me tell you something lad! When you're walking home tonight and some great homicidal maniac comes after YOU with a bunch of loganberries, don't come cryin' to me!
Parent
Re: (Score:3, Insightful)
...He just yapped without checking.
Which is just sloppy corporate citizenry.
Except his employer isn't "corporate", they're a U.S. state, funded by taxpayers. As a taxpayer, I demand to know if there are security (or "configuration") holes that have been actively exploited at the institutions my taxes fund, unless the dissemination of such knowledge would hurt an ongoing police investigation. There is no mention in the story of such a request from the police, just a general indication that the police are investigating.
Re:Motormouth failed his talking test? (Score:5, Insightful)
The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions? Who knows... maybe he shared some sort of special classified/secret/private data that he really ought not to have, but it sounds like good old bureaucracy + control freaks at the top who think it's all about militaristic need-to-know.
Parent
Re: (Score:3, Interesting)
The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions?
Do you want this happening while there is apparently an on going investigation? There are reasons why there are approval rules and they aren't about old bureaucracy and control freaks
Re: (Score:3, Informative)
Re: (Score:3, Funny)
Re: (Score:2)
You really don't see the story? This is a security breach involving a public computer system THERE SHOULD BE NO SECRETS WHEN TAXPAYERS' MONEY IS INVOLVED.
Do you really want the taxpayers having the root password?
Re:Motormouth failed his talking test? (Score:5, Insightful)
Do you really want the taxpayers having the root password?
I'll give them to you. There are actually two root passwords to the Constitution: "terrorism" and "child pornography". By using either password, you can bypass any of the security protections or protocols built into the document, and you can invalidate its signatures.
Parent
Re: (Score:3, Funny)
Just a practical note from personal experience. Screaming "child pornography" at the top of my lungs did not let me undo the Constitutionally granted power of the Executive Branch to create law enforcement agencies to enforce federal laws while agents of said agencies were hauling me away. Quite the opposite in fact.
Re:Motormouth failed his talking test? (Score:5, Insightful)
This is probably one of the most specious arguments anyone ever trots out about someone breaking (or overlooking) a rule, especially in organizations known for coming up with rules for every single thought or action one engages in (e.g. a bureaucracy). Unless the incident was actually ongoing, or had the potential to risk the security or integrity of the systems it was his job to oversee, talking about a past incident germane to the topic of the conference is what people do at conferences. That's the entire point. Yes, he violated a minor rule. "Oh lordy lordy, who will he kill next?" is not really the best response to the situation.
Parent
Re: (Score:3, Interesting)
I agree 110%. The stories I've seen broadcast about events I had personal knowledge of made it so I trust the media story about as much as I'd trust a junkie with the safekeeping of a kilo of heroin.
I was mostly responding to the theory that if someone screws up once in a (seemingly) minor way they are untrustwort
Re: (Score:3, Insightful)
If the CISO treats one rule casually, what is the dolt liable to ignore next?
Not every slope is a slippery one.
Good job... (Score:5, Insightful)
His story is NOTHING to my story (Score:5, Funny)
(had to make sure I hit the "Post Anonymously" button...)
I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice.
I hope I don't get fired for sharing this amazing story with Slashdot
Re:His story is NOTHING to my story (Score:4, Funny)
(had to make sure I hit the "Post Anonymously" button...) I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice. I hope I don't get fired for sharing this amazing story with Slashdot
Its times like this that I really want to apply a Post Humously moderation
Parent
Re: (Score:2)
did you catch my Fish Called Wanda reference?
Re: (Score:3, Funny)
a bunch of drunken Canadian's
-1: redundant
reasonable? (Score:5, Insightful)
Seeing as careless talk can lead to image problems and/or lawsuits (or harming your case if prosecuting them). If you're in a senior position and you talk publicly in a work-related context, you talk on behalf of the organisation whether you intend to or not. OTOH if you are "blowing the whistle" on wrongdoing, there is a specific procedure for that which offers protection.
Re: (Score:3, Insightful)
"You don't get given authority to say what you please, you get given authority to apply policy."
Point being he was the CISO. He is the very one not to apply but to *create* the policy in regards to IT security incidents.
If you don't want somebody to have such power you don't get to create the role.
C Level Sec Exec is Fired? (Score:4, Interesting)
Re: (Score:2)
Obviously, his manager doesn't read /.
He was fired by Brenda Orth, CIO in the OA (Score:5, Informative)
Who fired him?
According to public records having to do with reporting structure, he would have been fired by Brenda Orth, CIO (Chief Information Officer) in the OA (Office of Administration, Commonwealth of Pennsylvania). The reporting chain is easily verifiable using either the Google cached copy of their page, or the Internet Way Back Machine.
She basically reports to the state Governors staff, so there's no telling how far up hill you'd have to go to find the source of the firing, but as his immediate supervisor, whe would have been the one to pull the trigger.
-- Terry
Parent
Good move dumbasses! (Score:5, Insightful)
Now all your remaining security issues will fix themselves. But, don't worry, I'm sure Robert Maley will be happy to help you out - at 5 times what you were paying him.
The key paragraph (Score:5, Informative)
The important paragraph in TFA:
"Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."
Now there's a good plan: If you don't talk about it, no one will know you have a problem, and you can save all that money you were spending on those annoying security types.
Re:The key paragraph (Score:5, Insightful)
Howard County, Maryland (back when I was living there -- might be many other places like this, too) decided to make the local parks "trash free." By removing the trash cans. I leave the results as an exercise for the reader ;)
timothy
Parent
Easy fix? (Score:4, Insightful)
So instead of paying people to fix our security holes, we're just not allowed to talk about them?
Re: (Score:2)
So instead of paying people to fix our security holes, we're just not allowed to talk about them?
It's a hell of a lot cheaper that way. (Except for the parts where the bad guys break-in and steal your stuff; yeah, those are kind of expensive, but fixing them doesn't come out of the CIO's paycheck.)
Therefore this is all your fault for complaining about your taxes. You said to your lawmakers "we want less state services and lower quality workers" and there you go! You got exactly what you voted for.
Spill the rest of the beans (Score:5, Interesting)
If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.
I mean any and every item. I'd expose every stupid supervisory move that compromised security and my ability to protect the network. EVERYTHING would be exposed.
Nothing worse than people getting their panties all in a wad over a "talk" about a well publicized incident, of which all the bad guys already knew about.
There is only one thing these people understand, and that is how to look good. Ruin it for them.
Re:Spill the rest of the beans (Score:4, Insightful)
Compromising your own ethics for revenge is a net loss. A vengeful, spiteful CISO would have about 0.00% chance of a new job that paid anything above "volunteer" wages.
Remember, CIO already jokingly stands for "Career Is Over." I don't think he needs to pile on "Career Is So Over" limiting moves by acting like a 13-year-old dumped by his first girlfriend.
Parent
Re:Compromising your own ethics for revenge (Score:4, Insightful)
A whistleblower reveals secret information to right a wrong. Perhaps there's a safety issue that is going uncorrected, or an unfair pay gap, or workplace racism, or where the bodies are buried. Those are kept secret to keep costs down at the expense of human health, or to protect the criminally negligent or guilty.
The GP said:
If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me. I mean any and every item.
There are plenty of legitimate secrets a CISO is expected to keep. Plans for upgrades that reveal current deficiencies but can't be implemented yet due to budget constraints. Ongoing operational security tasks. Or command and control structures: a list of the three key people without whom an emergency response would fail would provide a juicy target list for a serious attack. The identities of sting or honeypot operations. Those are all perfectly legitimate security items that should be kept secret.
A whistleblower is trying to correct an inequity. A traitor provides secret information only to damage an organization. See the difference?
Parent
sounds like an invitation (Score:2, Informative)
Cluetrain... (Score:3, Insightful)
Cluetrain Manifesto.... Dead. Slashdot Confirms.
I'm personally not interested in what comes out of any organization's public orifice because it always looks and smells like BS.
When they shut down their non-public orifices they become more and more useless. They lose value. real, actual dollars value.
In a way I'm more worried about this from a public organization because they have a monopoly on governance
and when they're doing it wrong they can keep doing it wrong a lot longer than a private company.
"Lockdown" is the problem with Security (Score:3, Insightful)
I'm simply rehashing the same thing I wrote over at SC Magazine's site:
We do not know all the facts behind the termination, but if was based primarly on his RSA appearance, that's a shame. There are so many variants of qualitative and quantitative risk assessment, that regular meetings with your peers seems to be just as critical with regards to understanding the important controls which need to be put in place. The days of leading with FUD appears to be in our rear view mirror, and building up a positive outlook in security by learning from the past and attempting to stay ahead of the curve is imperative to our support of the business or the public entity. What was the common theme with all the CISO's at RSA? Information sharing is critical and we're way behind. We don't share information, we put ourselves on "lockdown" and don't get invited to the table anymore as security professionals. We're seen as roadblocks, as negative drags on the bottom line. Something has to change or else we're going to lose ground as a country. In fact we already have.
Sharing information with other professionals is now critical to any InfoSec career. We do need to account for privacy, so a balance must be achived. Maley may have violated a confidentiality component of his employment, but that doesn't make the spirit of what he did wrong in any way. If anything, some clear guidance on what types of information is shared behind closed doors at peer review and group meetings at RSA should be discussed. You can't vette everyone who attends the meetings, but openness is a good thing, not a bad thing. More transparency is needed across the public and private sectors. More openness is needed among security professionals. The state of PA has it wrong. Lockdown is not a way to progress forward out of this losing battle with regards to properly securing the infrastructure while allowing the inevitable growth of technology and information.
Re:"Lockdown" is the problem with Security (Score:4, Interesting)
Except this is an ongoing police investigation. There is a difference. And a panel discussion isn't necessarily the best way to network with peers on issues like this. He made a mistake and paid for it. It was a bit harsh, but not totally out of line.
Parent
lucky not to be in jail as other who have (Score:2)
lucky not to be in jail as other who have came out with info on security incidentes / holes have been locked up.
Broke the Golden Rule of Conferences (Score:4, Funny)
Didn't he know that you're only supposed to talk at conferences when A) you have something to sell, or B) you're being paid in a round-about way to promote a product while appearing to have no conflicting interest?
No one does a post-mortem of ACTUAL issues that matter to ACTUAL people, anymore.
First rule (Score:5, Funny)
The first rule of Commonwealth's online driving exam scheduling system is: You don't talk about Commonwealth's online driving exam scheduling system.