Did a State CISO Get Fired Because of This Blog?
Less than a week after Robert Maley told an RSA Conference 2010 panel about a security breach in a state driving test scheduling system, the Pennsylvania chief information security officer was out of a job.
And a blog I wrote last week may have played a part in his dismissal. Without my reporting of his remarks, the fact that he discussed the breach may never have reached authorities in Harrisburg, as suggested in a report Wednesday in the Harrisburg Patriot-Review:
"According to the blog, The Public Eye with Eric Chabrow, Maley spoke of an incident that occurred in late February that had thousands of hits from a computer in Russia to PennDOT's site to schedule driver's license exams."
Let's review the facts:
- Maley was among four state CISOs presenting at the RSA Conference 2010 panel entitled The Front Lines: Cyber Security in the States on March 3.
- During the presentation, Maley discussed an incident the previous weekend in which the state discovered an operator of a Philadelphia driving school had hacked into the Department of Transportation's driver exam scheduling system to schedule his clients' driving tests within days while competitors following usual procedures had to wait six weeks to schedule their students' exams.
- The office of Gov. Ed Rendell confirmed that Maley no longer worked for the state, though no reason was given for his departure, according to the reports.
- A Pennsylvania Department of Transportation spokesperson confirmed that an incident occurred and the matter was turned over to the State Police for further investigation, the published reports said.
One report said Maley was dismissed because he violated state rules that explicitly require employees to get approval from the appropriate authorities before publicly discussing official matters.
If Maley was indeed fired over his remarks, was it justified? That's a tough call, especially if his comments came during a criminal investigation. But if the dismissal was based solely on what he said at RSA, I believe it was not justified.
Maley's description of the incident was rather vague. He provided no names and only a general description of how the hacker exploited the scheduling system. One wonders whether what truly concerned Pennsylvania authorities was not that he violated state rules but that he embarrassed the state by publicly revealing the hacking of one of its IT systems.
A popular term bandied about within government cybersecurity circles is transparency. There's a lot about information security that must remain confidential, but too often governments and organizations keep secret information that could safely be made public. The more information is shared among those protecting our IT systems, the better they can do their jobs. Maley's comments on the weakness of the PennDOT scheduling system may have alerted other CISOs to look for similar vulnerabilities in their own systems.
On a personal note, I feel sorry that my reporting may have contributed to the firing of a public servant, but I don't regret that I published his remarks. Maley spoke at an event that was open to RSA attendees as well as the press, with the understanding that all remarks were public. (RSA Conference 2010 also sponsored peer-to-peer sessions that barred the media and presumably allowed conference delegates to speak freely among themselves without fear of being quoted.)
How far should CISOs and other IT security professionals go in publicly discussing security breaches? Please share your thoughts below.