CISO fired after giving panel talk at RSA Conference
by Steve Ragan - Mar 12 2010, 14:00
(Image: PennDOT)
Robert Maley, the former CISO for the state of Pennsylvania, has apparently been fired over his role in a panel discussion earlier this month at the RSA Conference. During the talk, Maley openly discussed a problem he had recently witnessed with PennDOT's driver exam scheduling system. Was the termination justified?
Citing sources close to the matter, Computerworld said that Maley was fired for the discussion because he did not first obtain the permission that the Commonwealth requires of all its employees before they speak publicly. Gary Tuma, press secretary to Pennsylvania Governor Ed Rendell, confirmed to Computerworld [Source] and The Patriot-News [Source] that Maley was no longer employed by the state, but would not comment further.
So what did Maley say? Eric Chabrow, who writes for GovInfoSecurity.com, was present during the session at the RSA Conference. [Source] According to him, Maley said, “We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know.”
Chabrow's brief post explained that authorities eventually traced the traffic to a proxy server in Russia, which was being used by a local driving school owner. The weakness he was exploiting effectively let him jump the queue for driver's exams: the system would accept the same scheduling request over and over from a single source, so he could grab slots before ordinary applicants.
Drivers and schools already faced a six-week wait for testing.
Edit: Per the comments below, there was an existing six-week delay for testing. This delay was what the driving school owner was exploiting when jumping names in the queue. -Steve
“What he was doing was saying (to potential customers), ‘You go over across the street, to John's driver training, and it's going to take you six to eight weeks to get your test. We can get you in tomorrow’,” Maley said during the conference.
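The pattern Maley describes, thousands of near-identical booking requests from one address, is easy to surface from web server logs once you look for it. The following is an added example written for this page, not PennDOT's code and not anything from the article; the log format, the `/exam/schedule` path, the threshold and the sample lines are all assumptions made for illustration, and the sample log is constructed, not a real capture.

```python
"""Flag a single source hammering a scheduling endpoint.

Added example for this page, not PennDOT's code. Assumed log line format:
"<ISO timestamp> <client ip> <method> <path> <status>", one request per line,
in chronological order. Endpoint path, window and threshold are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one assumed-format access log line into typed fields."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def find_scheduling_abuse(lines, path="/exam/schedule",
                          window=timedelta(minutes=5), threshold=20):
    """Return {ip: peak successful bookings within `window`} for every
    source whose peak meets `threshold`.

    A per-IP sliding window keeps only the timestamps inside the window,
    so memory stays bounded by (sources x window size), not by log length.
    Lines must be in chronological order (assumption, as in most raw logs).
    """
    recent = defaultdict(deque)   # ip -> timestamps of bookings in window
    peak = defaultdict(int)       # ip -> highest count seen in any window
    for line in lines:
        ts, ip, method, req_path, status = parse_line(line)
        if method != "POST" or req_path != path or status != 200:
            continue              # only count bookings that actually succeeded
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop bookings that fell out of the window
        if len(q) > peak[ip]:
            peak[ip] = len(q)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample: one proxy address booking every two seconds,
    plus three ordinary applicants. Addresses are documentation ranges."""
    base = datetime(2010, 2, 1, 8, 0, 0)
    lines = []
    for i in range(60):           # the bot: 60 bookings in under two minutes
        when = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{when} 198.51.100.7 POST /exam/schedule 200")
    for i, ip in enumerate(["203.0.113.5", "203.0.113.9", "192.0.2.44"]):
        when = (base + timedelta(minutes=3, seconds=i)).isoformat()
        lines.append(f"{when} {ip} POST /exam/schedule 200")
    return sorted(lines)          # fixed-width ISO timestamps sort chronologically


if __name__ == "__main__":
    for ip, n in find_scheduling_abuse(build_sample_log()).items():
        print(f"{ip}: {n} successful bookings inside one 5-minute window")
```

Two caveats a practitioner would add. First, this catches the single-proxy case in the story but not an attacker who rotates through many addresses; a per-source rate limit is a detection aid, not the fix. Second, the durable control is on the business logic, for example capping how many outstanding exam slots one applicant or one school can hold (an assumption about the right remedy, not something the article reports PennDOT did), since that removes the incentive to automate bookings at all.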
Danielle Klinger, a spokeswoman for Pennsylvania's Department of Transportation, confirmed that there was a problem with PennDOT's scheduling system and that the matter has been turned over to the state police. At the same time, Klinger dismissed any suggestion that PennDOT's systems had been breached.
According to Computerworld's sources, Pennsylvania's IT security organization has seen its budget cut by 38 percent and its staff by 40 percent over the last two years.
No one from the state will use the word termination, but assuming Maley was fired for his comments, is that on him or an overreaction? Weigh in and tell us.
I agree with two other reporters on this issue.
Most enterprises have policies governing public discussion of internal investigations or incidents, and state and federal employers enforce them more strictly still. Break them and you lose your job.
Maley, moreover, was the CISO. He knows what he can and cannot say, active investigation or not.
SC Magazine’s Dan Kaplan, who has met and interviewed him, said that he is a “…a candid, shoot-from-the-hip kind of guy.”
“I learned this from our conversation last summer when I interviewed the former cop for a cover story on data breach response. For the story, he recounted a number of breaches that have affected the state, rarely holding back details,” Kaplan wrote.
As for the talk itself, Maley's comments were general: he named no one and gave only a high-level account of the incident. If he was terminated for those remarks alone, the more likely explanation is that the powers that be in the state were embarrassed that he went public with such a recent incident. Bottom line: he made them look bad, and they hung him out to dry.
[The opinions expressed in this article are those of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to email@example.com]