GovInfoSecurity.com - Information Security News, Regulations, & Education

Did a State CISO Get Fired Because of This Blog?

March 11, 2010 - Eric Chabrow

Less than a week after Robert Maley told an RSA Conference 2010 panel about a security breach in a state driving test scheduling system, the Pennsylvania chief information security officer was out of a job.

And a blog I wrote last week may have played a part in his dismissal. Without my reporting of his remarks, the fact that he discussed the breach may never have reached authorities in Harrisburg, as suggested in a report Wednesday in the Harrisburg Patriot-Review:

"According to the blog, The Public Eye with Eric Chabrow, Maley spoke of an incident that occurred in late February that had thousands of hits from a computer in Russia to PennDOT's site to schedule driver's license exams."

Let's review the facts:

  • Maley was among four state CISOs presenting at the RSA Conference 2010 panel entitled The Front Lines: Cyber Security in the States on March 3.
  • During the presentation, Maley discussed an incident the previous weekend in which the state discovered an operator of a Philadelphia driving school had hacked into the Department of Transportation's driver exam scheduling system to schedule his clients' driving tests within days while competitors following usual procedures had to wait six weeks to schedule their students' exams.
  • The office of Gov. Ed Rendell confirmed that Maley no longer worked for the state, though no reason was given for his departure, according to the reports.
  • A Pennsylvania Department of Transportation spokesperson confirmed that an incident occurred and the matter was turned over to the State Police for further investigation, the published reports said.

Maley was dismissed because he violated state rules that explicitly require employees to get approval from appropriate authorities before they publicly disclose official matters, one report said.

If Maley had been fired, was it justified? That's a tough call, especially if his comments came during a criminal investigation. But if the dismissal was solely based on what he said at RSA, I believe it was not justified.

Maley's description of the incident was rather vague. He provided no names and only a general description of how the hacker exploited the scheduling system. One wonders if what truly concerned Pennsylvania authorities was not that he violated state rules but that he embarrassed the state by publicly revealing the hacking of one of its IT systems.

A popular term bandied about within government cybersecurity circles is transparency. There's a lot about information security that must remain confidential, but too often governments and organizations keep secret information that could be made public. The more information shared among those protecting our IT systems, the better they can perform their jobs to do just that. Maley's comments on the weakness of the PennDOT scheduling system may have alerted other CISOs to look for similar vulnerabilities in their systems.

On a personal note, I feel sorry that my reporting may have contributed to the firing of a public servant, but I don't regret that I published his remarks. Maley spoke at an event that was open to RSA attendees as well as the press with the understanding that all remarks were public. (RSA Conference 2010 also sponsored peer-to-peer sessions that barred the media and presumably allowed conference delegates to speak freely among themselves without fear of being quoted.)

How far should CISOs and other IT security professionals go in publicly discussing security breaches? Please share your thoughts below.

Comments
This is an interesting post but I don’t agree with some of your reasoning. Here is my rationale on the subject:

On the area of information sharing: I certainly agree with you in that disclosure of certain information is definitely necessary to create a solid and unified approach to security. (This is illustrated by the fact that government authorities are moving towards an information sharing model to defend against information security threats).

Although information sharing is essential, I feel that a clear framework is absolutely necessary to protect Information that is shared. Before we go down the road of sharing information, there needs to be clear structure that directs how this information can be used and by whom.

While I really feel for Maley having lost his job and having these charges linked to his name in such a public way, I can understand Pennsylvania's decision to let him go especially if he failed to alert ethics representatives of his intention to use this data during his participation on the RSA panel.

If this was not discussed or disclosed to the state, then frankly I feel it shows a lack of responsibility to have discussed this in such an open way without having any non-disclosure-agreement-type documents from everyone who was listening to that panel no matter how “vague” it was. In discussing this information openly, he in effect put this state-owned confidential information on the street with no protection whatsoever.

If sharing is going to happen, then I feel it should only happen in the context of having all participants properly vetted, having them agree to clear policies and classification guidelines and having buy in from the data owners.

Can you imagine if your doctor followed this example and freely spoke of your personal health in medical conferences? (I wouldn't feel too comfortable even if he was "vague". :-)

The other factor here is that he was on the panel recognized as a state representative and not as a private citizen. To the public eye, any recommendations or conclusions he made at that conference could be interpreted as official policy or as an official statement for the state in question. He would have had to ensure that his material was clearly communicated to ethics representatives for the State and that he had permission to use this example. I think this is a pretty big faux pas for someone on that level of expertise and understanding.

To Twinnen's point, I agree that when a breach occurs it is responsible to alert proper authorities, but that alert process needs to have structure before it goes public. Without that structure it would be like yelling "FIRE!" in a crowded theater. There needs to be a process in the way private data is communicated to the public. From what I'm reading on this case, it seems Pennsylvania was robbed of that opportunity.

Thoughts?
Posted by securasys on April 8, 2010 @ 1:21 PM
-----------
I was also a speaker at the RSA Conference. My organization vetted my presentation and approved its content. Presumably, those above the state CISO (CIO, Governor, anyone else?) discussed his participation in the conference and outlined the "rules of engagement". If the expectations were never set, they are unlikely to be met. The last thing we want is for any party that has had a breach to clam up. The possible impact on the investigation of a crime is the only circumstance that might have been an issue from what is described here. Aside from that, PA officials should open their eyes to the reality and prevalence of damaging breaches before rashly firing otherwise well-intentioned public servants.
Posted by twinnen on March 11, 2010 @ 1:12 PM