Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Censorship Government Your Rights Online

Pennsylvania CISO Fired Over Talk At RSA Conference 147

An anonymous reader writes "Pennsylvania's chief information security officer Robert Maley has been fired for publicly talking about a security incident involving the Commonwealth's online driving exam scheduling system. He apparently did not get the required approval for talking about the incident from appropriate authorities."
This discussion has been archived. No new comments can be posted.

Pennsylvania CISO Fired Over Talk At RSA Conference

Comments Filter:
  • Must have not got the memo..
    • by rednip ( 186217 )
      Don't worry, I'll send it over right now.
  • by AliasMarlowe ( 1042386 ) on Thursday March 11, 2010 @04:11PM (#31444352) Journal
    What's the story here? He blabbed on a security issue without approval, and got his ass roasted.
    • by DoofusOfDeath ( 636671 ) on Thursday March 11, 2010 @04:15PM (#31444416)

      What's the story here? He blabbed on a security issue without approval, and got his ass roasted.

      The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.

      • by HungryHobo ( 1314109 ) on Thursday March 11, 2010 @04:18PM (#31444486)

        If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

        • by Mathinker ( 909784 ) on Thursday March 11, 2010 @04:54PM (#31445078) Journal

          If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

          If the internal security failure lead to your private information being leaked and the possibility of financial loss to you, I think that you might be of the opinion that there should be legislation which deals with disclosure. Actually, there is such legislation in many jurisdictions. And you also have Sarbanes–Oxley stuff which is supposed to encourage whistleblowing.

          Some "internal" things are more internal than others....

        • by mcgrew ( 92797 ) *

          If this were a private company I'd be of the opinion that their internal security is their concern but this is a government office and the people who pay the bills have a right to know what's going on.

          True, but as in the private sector, there's a chain of command to follow. I hear things about Illinois state government in the bar I drink at that don't reach the paper, because the state employees aren't suppoosed to talk about government to the media without permission; they have official spokespeople for th

      • The same reason I don't want nuclear regulators getting fired for admitting when there was a heavy water leak into an aquifer.

        Apples and oranges, one is a health risk, one isn't.

      • by geekoid ( 135745 )

        You also do not want a nuclear regulator spilling his guts about an ongoing investigation.

      • by blair1q ( 305137 )

        He wasn't blowing a whistle, he was making conversation.

        As an employee, he's required to follow the organization's policies, one of which is that releases of information go through information-release channels, at least for approval.

        If he'd asked for approval, and been denied, but decided it was an ethical problem that could only be resolved by releasing the info anyway, he might be protected by whistleblower laws. If merely applying for approval might have compromised his safety or rights, he might be pro

        • Re: (Score:3, Insightful)

          by crymeph0 ( 682581 )

          ...He just yapped without checking.

          Which is just sloppy corporate citizenry.

          Except his employer isn't "corporate", they're a U.S. state, funded by taxpayers. As a taxpayer, I demand to know if there are security (or "configuration") holes that have been actively exploited at the institutions my taxes fund, unless the dissemination of such knowledge would hurt an ongoing police investigation. There is no mention in the story of such a request from the police, just a general indication that the police are investigating.

      • A C-level executive is expected to speak at conferences, and in the case of security conferences, to talk about security.

        His management probably didn't realize they had authorized him to speak about matters that might make them look bad.

        As it happens, if the case has gone beyond investigation and is before the courts, it's now a matter of public record

        --dave

    • by firewrought ( 36952 ) on Thursday March 11, 2010 @04:38PM (#31444844)

      What's the story here? He blabbed on a security issue without approval...

      The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions? Who knows... maybe he shared some sort of special classified/secret/private data that he really ought not to have, but it sounds like good old bureaucracy + control freaks at the top who think it's all about militaristic need-to-know.

      • Re: (Score:3, Interesting)

        by OzPeter ( 195038 )

        What's the story here? He blabbed on a security issue without approval...

        The firing seems heavy-handed. Don't you want your Chief Information Security Officer participating in industry security conferences, selectively sharing the experiences of your organization with security professionals so as to help find long term solutions?

        Do you want this happening while there is apparently an on going investigation? There are reasons why there are approval rules and they aren't about old bureaucracy and control freaks

    • I consider him a martyr. How are we to learn anything is no one talks about how they dealt with security issues.

    • The shareholders (taxpayers) have a right to know such information. If it were a private company I'd maybe agree with you, but this is different.

  • Good job... (Score:5, Insightful)

    by kurokame ( 1764228 ) on Thursday March 11, 2010 @04:13PM (#31444388)
    Firing the guy will absolutely convince the public that you've fixed your security problems.
  • by Anonymous Coward on Thursday March 11, 2010 @04:14PM (#31444412)

    (had to make sure I hit the "Post Anonymously" button...)
    I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice.
    I hope I don't get fired for sharing this amazing story with Slashdot

    • by OzPeter ( 195038 ) on Thursday March 11, 2010 @04:35PM (#31444772)

      (had to make sure I hit the "Post Anonymously" button...) I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server. Well, as you can imagine, all hell broke loose and we had to double-slot the uranium deuteride fast on the flip-flop before the Russkies could notice. I hope I don't get fired for sharing this amazing story with Slashdot

      Its times like this that I really want to apply a Post Humously moderation

    • Re: (Score:3, Funny)

      by kybred ( 795293 )

      a bunch of drunken Canadian's

      -1: redundant

    • I'm one of many server administrators for LUTX, the (US) Federal Government IT "swat team" that was put in place during the Clinton Administration. One day I was working on a code-blue 456 system using the X-K-Red-27 technique and suddenly a bunch of drunken Canadian's broke in and try to SSH the HTTPS server.

      What a load of bullshit. We all know that Canada doesn't actually exist.

  • Yep, he is hitting what I call "legacy" PR, which is based on controlling the message.
  • reasonable? (Score:5, Insightful)

    by DaveGod ( 703167 ) on Thursday March 11, 2010 @04:16PM (#31444438)

    Seeing as careless talk can lead to image problems and/or lawsuits (or harming your case if prosecuting them). If you're in a senior position and you talk publicly in a work-related context, you talk on behalf of the organisation whether you intend to or not. OTOH if you are "blowing the whistle" on wrongdoing, there is a specific procedure for that which offers protection.

    • "image problems and/or lawsuits"

      This is a government operation, paid for with taxpayer dollars. They have no product to sell, and no investors to satisfy. They DO however, have many stakeholders in the form of the taxpaying public who deserve to know how their dollars are spent.

  • has always worked

    except on windows xp...
  • by snmpkid ( 93151 )

    Are they hiring now?

  • by introspekt.i ( 1233118 ) on Thursday March 11, 2010 @04:25PM (#31444610)
    Who fired him? Sounds like he made the wrong people look bad. Rules are rules, I suppose, but if the problem has been fixed, isn't talking about security and attack vectors generally a good thing?
    • Obviously, his manager doesn't read /.

    • by tlambert ( 566799 ) on Thursday March 11, 2010 @05:07PM (#31445254)

      Who fired him?

      According to public records having to do with reporting structure, he would have been fired by Brenda Orth, CIO (Chief Information Officer) in the OA (Office of Administration, Commonwealth of Pennsylvania). The reporting chain is easily verifiable using either the Google cached copy of their page, or the Internet Way Back Machine.

      She basically reports to the state Governors staff, so there's no telling how far up hill you'd have to go to find the source of the firing, but as his immediate supervisor, whe would have been the one to pull the trigger.

      -- Terry

  • by haruchai ( 17472 ) on Thursday March 11, 2010 @04:26PM (#31444616)

    Now all your remaining security issues will fix themselves. But, don't worry, I'm sure Robert Maley will be happy to help you out - at 5 times what you were paying him.

  • The key paragraph (Score:5, Informative)

    by Wintermute__ ( 22920 ) on Thursday March 11, 2010 @04:32PM (#31444716)

    The important paragraph in TFA:

    "Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."

    Now there's a good plan: If you don't talk about it, no one will know you have a problem, and you can save all that money you were spending on those annoying security types.

    • by timothy ( 36799 ) * Works for Slashdot on Thursday March 11, 2010 @06:09PM (#31446198) Journal

      Howard County, Maryland (back when I was living there -- might be many other places like this, too) decided to make the local parks "trash free." By removing the trash cans. I leave the results as an exercise for the reader ;)

      timothy

      • Oh I lived near a park like that. They did it because they noticed that trash tended to pile up around trash cans. Also, the maintenance workers were complaining about the heavy bags in the full trash cans.

        I'm sure the two issues were unrelated....

    • ""Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed.""

      So basically staff was cut so much that security could now be compromised. So lets also make a rule of not talking about cyber security to cover our cuts and protect senior official

  • Easy fix? (Score:4, Insightful)

    by Shadyman ( 939863 ) on Thursday March 11, 2010 @04:32PM (#31444720) Homepage
    From TFA: Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed.

    So instead of paying people to fix our security holes, we're just not allowed to talk about them?
    • by plover ( 150551 ) *

      So instead of paying people to fix our security holes, we're just not allowed to talk about them?

      It's a hell of a lot cheaper that way. (Except for the parts where the bad guys break-in and steal your stuff; yeah, those are kind of expensive, but fixing them doesn't come out of the CIO's paycheck.)

      Therefore this is all your fault for complaining about your taxes. You said to your lawmakers "we want less state services and lower quality workers" and there you go! You got exactly what you voted for.

    • It's a case of "see no evil, hear no evil, speak no evil"

  • by Archangel Michael ( 180766 ) on Thursday March 11, 2010 @04:33PM (#31444738) Journal

    If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.

    I mean any and every item. I'd expose every stupid supervisory move that compromised security and my ability to protect the network. EVERYTHING would be exposed.

    Nothing worse than people getting their panties all in a wad over a "talk" about a well publicized incident, of which all the bad guys already knew about.

    There is only one thing these people understand, and that is how to look good. Ruin it for them.

    • by plover ( 150551 ) * on Thursday March 11, 2010 @05:35PM (#31445660) Homepage Journal

      Compromising your own ethics for revenge is a net loss. A vengeful, spiteful CISO would have about 0.00% chance of a new job that paid anything above "volunteer" wages.

      Remember, CIO already jokingly stands for "Career Is Over." I don't think he needs to pile on "Career Is So Over" limiting moves by acting like a 13-year-old dumped by his first girlfriend.

      • Compromising your own ethics for revenge is a net loss. A vengeful, spiteful CISO would have about 0.00% chance of a new job that paid anything above "volunteer" wages.

        Remember, CIO already jokingly stands for "Career Is Over." I don't think he needs to pile on "Career Is So Over" limiting moves by acting like a 13-year-old dumped by his first girlfriend.

        True enough, but then again ... he could just post anonymously.

      • And exactly how do you think most whistleblowers get their start?

        Every whistleblower ever gets painted first as a "disgruntled employee crying for attention." When that doesn't stick, they move on to "violating security by disclosing classified information."

        The problem is, we never find out about bad behavior covered by secrecy from people who are happy and secure within the organization. Criminal enterprises both in and out of government usually get uncovered when they try to screw over one of the lower gu

        • by plover ( 150551 ) * on Thursday March 11, 2010 @07:38PM (#31447162) Homepage Journal

          A whistleblower reveals secret information to right a wrong. Perhaps there's a safety issue that is going uncorrected, or an unfair pay gap, or workplace racism, or where the bodies are buried. Those are kept secret to keep costs down at the expense of human health, or to protect the criminally negligent or guilty.

          The GP said:

          If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me. I mean any and every item.

          There are plenty of legitimate secrets a CISO is expected to keep. Plans for upgrades that reveal current deficiencies but can't be implemented yet due to budget constraints. Ongoing operational security tasks. Or command and control structures: a list of the three key people without whom an emergency response would fail would provide a juicy target list for a serious attack. The identities of sting or honeypot operations. Those are all perfectly legitimate security items that should be kept secret.

          A whistleblower is trying to correct an inequity. A traitor provides secret information only to damage an organization. See the difference?

          • "Maley's dismissal comes amid ongoing budget and staff cuts at Pennsylvania's IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a "lockdown" on talking about cybersecurity, the source claimed."

            They're gutting my budget and staff, cracking us wide open to attacks such as this one, and putting a gag-order on us to hide their downright malicious mismanagement.

            Sounds like a whi

          • There are plenty of legitimate secrets a CISO is expected to keep. Plans for upgrades that reveal current deficiencies but can't be implemented yet due to budget constraints.

            Depending on the issue, those NEED to be exposed.

            Imagine the outcry you'd get, if it turns out that the ADX Florence/a> had been built with paper mache, but due to budget issues, there was no way of fixing it, because it'd be too expensive. Should we wait for a hundred convicted murderes to walk out before doing anything? [wikipedia.org]

          • If you read the whole post, and not cherry picked the one statement, you'd have a better understanding of what I was saying.

            But pedantry is easy. I said I'd expose EVERY stupid decision that compromised security. IF there was a deficiency that was being address that would not be a "stupid" decision.

            You see how that qualifies the original statement? However, If I said that as CISO I recommended using IE 8 or Firefox or other browser because of some unpatched exploit in IE6 and 7 out in the wild, and the peop

      • by mcgrew ( 92797 ) *

        True. Anger is almost always counterproductive in almost every circumstance.

    • by geekoid ( 135745 )

      "No amount of money or threats would stop me."

      You hold onto that thought when no one will hire you.

    • Re: (Score:2, Insightful)

      by Kittenman ( 971447 )

      If I were him, I'd start spilling all the info I ever had on security for the state. No amount of money or threats would stop me.

      Tut. Not sure how it is in your part of the world but some of us sign confidentiality agreements. I've worked for the British home office, some 30 years ago. I'm still bound by the "Official Secrets Act" that I signed then.

      I'm not saying that some stories shouldn't be blabbed, but we're professionals. We do what we're paid to. If we're not happy, move on. But don't air dirty laundry. Especially not someone else's.

    • In any large organization whether its government or private you will have the same problem. Part of the job is to help the owners look good. If you do that you get promoted. When you do not you get fired. Its a fact of life when you work. You can have a place with great management who may not do this as much but you wont get anywhere if you are a whistler blower or labeled a whiner.

  • Another telling fact from the article is that the security staff and budget have both been cut by upwards of 40%...no wonder they don't want anybody talking...
  • Cluetrain... (Score:3, Insightful)

    by jacks0n ( 112153 ) on Thursday March 11, 2010 @04:41PM (#31444896)

    Cluetrain Manifesto.... Dead. Slashdot Confirms.

    I'm personally not interested in what comes out of any organization's public orifice because it always looks and smells like BS.

    When they shut down their non-public orifices they become more and more useless. They lose value. real, actual dollars value.

    In a way I'm more worried about this from a public organization because they have a monopoly on governance

    and when they're doing it wrong they can keep doing it wrong a lot longer than a private company.

    • by plover ( 150551 ) *

      They may not get the government they need, but they'll always get the government they deserve. The citizens always have the option to "t'row da bums out!"

      Not that the bums on the other side of the fence are somehow better bums, but at least they're not the same bums.

    • by geekoid ( 135745 )

      "and when they're doing it wrong they can keep doing it wrong a lot longer than a private company."
      No, private companies do the same thing. It happens in any bureaucracy.

      With a public organization, at least you individual has power.

    • People are still buying into that crap?

    • I'm personally not interested in what comes out of any organization's public orifice because it always looks and smells like BS.

      You are totally right, I'm also not personally interested what comes out of any organizations public ORIFICE. It's smelly business at its finest!

  • by Anonymous Coward on Thursday March 11, 2010 @04:44PM (#31444926)

    I'm simply rehashing the same thing I wrote over at SC Magazine's site:

    We do not know all the facts behind the termination, but if was based primarly on his RSA appearance, that's a shame. There are so many variants of qualitative and quantitative risk assessment, that regular meetings with your peers seems to be just as critical with regards to understanding the important controls which need to be put in place. The days of leading with FUD appears to be in our rear view mirror, and building up a positive outlook in security by learning from the past and attempting to stay ahead of the curve is imperative to our support of the business or the public entity. What was the common theme with all the CISO's at RSA? Information sharing is critical and we're way behind. We don't share information, we put ourselves on "lockdown" and don't get invited to the table anymore as security professionals. We're seen as roadblocks, as negative drags on the bottom line. Something has to change or else we're going to lose ground as a country. In fact we already have.

    Sharing information with other professionals is now critical to any InfoSec career. We do need to account for privacy, so a balance must be achived. Maley may have violated a confidentiality component of his employment, but that doesn't make the spirit of what he did wrong in any way. If anything, some clear guidance on what types of information is shared behind closed doors at peer review and group meetings at RSA should be discussed. You can't vette everyone who attends the meetings, but openness is a good thing, not a bad thing. More transparency is needed across the public and private sectors. More openness is needed among security professionals. The state of PA has it wrong. Lockdown is not a way to progress forward out of this losing battle with regards to properly securing the infrastructure while allowing the inevitable growth of technology and information.

    • by chill ( 34294 ) on Thursday March 11, 2010 @05:33PM (#31445644) Journal

      Except this is an ongoing police investigation. There is a difference. And a panel discussion isn't necessarily the best way to network with peers on issues like this. He made a mistake and paid for it. It was a bit harsh, but not totally out of line.

  • lucky not to be in jail as other who have came out with info on security incidentes / holes have been locked up.

  • by BlueBoxSW.com ( 745855 ) on Thursday March 11, 2010 @05:20PM (#31445444) Homepage

    Didn't he know that you're only supposed to talk at conferences when A) you have something to sell, or B) you're being paid in a round-about way to promote a product while appearing to have no conflicting interest?

    No one does a post-mortem of ACTUAL issues that matter to ACTUAL people, anymore.

  • hack or not to hack (Score:2, Interesting)

    by Anonymous Coward

    However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the the department was aware, there had been no hack or breach of the system.

    Don't you hate it when people imply that their system was not "hacked" simply because they didn't provide the proper precautions to stop the leaking of internal data or changing database information in a way it was not intended?

    According to our current definitions... IT WAS A HACK. Whether something is a hack is not determined by the ease in which they are preformed or the impact size of the damage no matter how minimal.

    She is describing "hack" in terms of ramifications.

    This is concept is almost as silly as

  • First rule (Score:5, Funny)

    by 93 Escort Wagon ( 326346 ) on Thursday March 11, 2010 @06:01PM (#31446058)

    The first rule of Commonwealth's online driving exam scheduling system is: You don't talk about Commonwealth's online driving exam scheduling system.

  • The incident may have been a pretense to jettison someone whose departure was desirable for other reasons. That the budget is being cut might be reason enough to try to offload the (probably) most expensive guy on the payroll. Maybe he was a squeaky wheel and wanted more security than was determined to be affordable, and just wouldn't shut up about it. Invent your own possible ulterior motives...

    -dB

    • by xmundt ( 415364 )

      Greetings and Salutations...
      Yea, this was about the first thing that came to my mind when I read the story. While in Gov. his salary might have been fixed, if he annoyed the wrong folks by complaining too much, there is a long history of building a portfolio of reasons that he should be terminated. It is quite possible that they will leave the position "pending", too, which would ensure that the cash they were handing over to him would stay in the treasury.

  • I went to one geared towards security for people in physics. Essentially only the people from CERN were willing to give talks where they discussed actual incidents. Everyone from DOE labs was unable. I had the sense that other labs were under rules like that as well. It was ridiculous because of that nothing could be shared, hence nothing could be learned. We were all admin types at the labs, it was not open to the public or anything of that sort.

  • Not trying to karma whore, but I had already written about this in a previous comment [slashdot.org].

    What I have linked to is both the original article from our local paper as well as two other articles from blogs which covered this subject.

    As you can see from some of the comments in the original article, there are those who have some inside information to what went on as well as what type of person he was.

Whoever dies with the most toys wins.

Working...