The Tech Herald

CISO fired after giving panel talk at RSA Conference

by Steve Ragan - Mar 12 2010, 14:00

Robert Maley, the former CISO for the state of Pennsylvania, has apparently been fired for his role in a panel discussion earlier this month at the RSA security conference. During the talk, Maley openly discussed a problem he had recently witnessed with PennDOT’s driving exam scheduling system. Was this a justified termination?

Citing sources close to the matter, Computerworld said that because Maley did not obtain proper permission, which is required for all Commonwealth employees, he was fired for his discussion. Gary Tuma, Pennsylvania Governor Ed Rendell’s press secretary, confirmed to Computerworld [Source] and The Patriot-News [Source] that Maley was no longer employed by the state, but would not comment on the matter any further.

So what did Maley say? Eric Chabrow, who writes for GovInfoSecurity.com, was present during the session at the RSA Conference. [Source] According to him, Maley said, “We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know.”

Chabrow’s brief post explained that authorities eventually tracked the IP address to a proxy server in Russia, which was being used by a local driving school owner. The vulnerability being targeted essentially allowed the driving school owner to jump the queue when it came to waiting for driver’s exams. This outside scheduling caused a six-week wait for other drivers and schools.

Edit: Per the comments below, there was an existing six-week delay for testing. This delay was what the driving school owner was exploiting when jumping names in the queue. -Steve

“What he was doing was saying (to potential customers), ‘You go over across the street, to John's driver training, and it's going to take you six to eight weeks to get your test. We can get you in tomorrow’,” Maley said during the conference.

Danielle Klinger, a spokeswoman for Pennsylvania's Department of Transportation, confirmed that there was a problem with PennDOT’s scheduling system and that the issue has been turned over to the state police. At the same time, Klinger dismissed the notion that there was any sort of breach to PennDOT’s systems.

According to Computerworld’s sources, Pennsylvania's IT security organization has faced several cuts to both budget (38 percent) and staff (40 percent) over the last two years.

So while no one from the state will use the word termination, assuming that Maley was fired for his comments, is it his fault or an overreaction? Weigh in and tell us.

My Stance:

I agree with two other reporters on this issue.

There are usually policies in place when it comes to discussing internal investigations or issues in most enterprises, but more so when you work on the state or federal level. If you break them, then you lose your job.

However, Maley was the CISO. He knows what he can and cannot say, active investigation or not.

SC Magazine’s Dan Kaplan, who has met and interviewed him, said that he is “…a candid, shoot-from-the-hip kind of guy.”

“I learned this from our conversation last summer when I interviewed the former cop for a cover story on data breach response. For the story, he recounted a number of breaches that have affected the state, rarely holding back details,” Kaplan wrote.

As for the talk itself, Maley’s comments were vague. They offered no names, just a high-level overview of the incident itself. If he was terminated for his remarks alone, then it seems more likely that the powers that be in the state were more embarrassed that he went public with such a recent incident. Bottom line is that he made them look bad, and they hung him out to dry.

Chabrow’s take

Dan Kaplan’s take

[The opinions expressed in this article are those of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to security@thetechherald.com]
