Don't Let Your Children Grow Up to Be Cowboys
The firing of Bob Maley, the State of Pennsylvania's CISO, allegedly because he spoke at RSA about an exploit that he and his team discovered, tracked and remedied, is chilling. There may have been other issues behind the firing, there always are (we call it politics), but it illustrates the extent to which cyber security reality is bumping into the naiveté of non-technical business management.
In this instance, the threat was past tense, and what the team learned in the process was invaluable not only to the group in Pennsylvania but to those who attended the session at RSA. Security professionals today come up against a barrage of information from audit reports, performance reports and logs that track everything that passes in and out of the firewall. Sorting significant activity from normal traffic is an art form in and of itself, more computer séance than computer science.
Transparently Not in Pennsylvania
The case in point that Bob Maley shared was an exploit against the Pennsylvania Drivers Licensing System. He and his team noticed that the registration system for the exams was getting thousands of hits coming out of Russia. The real story was how they solved the puzzle and determined that it was not state secrets the attacker was after, but a place at the head of the class. The owner of a Philadelphia driving school was using a proxy server to exploit a bug in the system that allowed him to schedule exams for his students. Normally, the waiting time to take an exam could be six weeks.
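What the Pennsylvania team did, in essence, was separate one abnormal source from ordinary registration traffic. The following is an added illustration of that kind of triage, written for this page; it is not code from the article, from the State of Pennsylvania or from Maley's team. It assumes a standard combined-format web access log, a hypothetical booking endpoint `/exams/schedule`, and a constructed netblock-to-label table standing in for the GeoIP or ASN lookup that would tell you a source is a hosting provider abroad rather than a local resident. The log lines are constructed so the script runs offline.

```python
"""Flag one source hammering a booking endpoint in web access logs.

Added example for this page, not from the original article. The endpoint
path, netblock labels and log lines below are all constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical exam-booking endpoint (assumption, not the real system's path).
TARGET_PATH = "/exams/schedule"

# Constructed netblock labels standing in for a GeoIP/ASN lookup.
NETBLOCK_LABELS = {
    ipaddress.ip_network("203.0.113.0/24"): "hosting provider (constructed)",
    ipaddress.ip_network("198.51.100.0/24"): "residential ISP (constructed)",
}


def label_ip(ip):
    """Map a source address to its constructed netblock label."""
    addr = ipaddress.ip_address(ip)
    for net, label in NETBLOCK_LABELS.items():
        if addr in net:
            return label
    return "unknown"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bursts(lines, path=TARGET_PATH, window_s=600, threshold=20):
    """Return {ip: peak requests to `path` within any window_s span} for
    sources whose peak reaches `threshold`. Query strings are ignored so
    /exams/schedule?slot=1 and ?slot=2 count against the same endpoint."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != path:
            continue
        per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _fmt(ip, t, path, status=200):
    return '%s - - [%s] "GET %s HTTP/1.1" %d 512' % (ip, t.strftime(TS_FMT), path, status)


def make_sample_log():
    """Constructed sample: one address booking 30 slots in five minutes,
    three ordinary users booking once each."""
    base = datetime(2010, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("203.0.113.7", base + timedelta(seconds=10 * i),
                  "/exams/schedule?slot=%d" % i) for i in range(30)]
    for i, ip in enumerate(["198.51.100.5", "198.51.100.9", "198.51.100.22"]):
        t = base + timedelta(minutes=3 * i)
        lines.append(_fmt(ip, t, "/exams/schedule"))
        lines.append(_fmt(ip, t, "/static/logo.png"))
    return lines


def report(lines):
    """Flagged sources as (ip, peak_requests, netblock_label), busiest first."""
    bursts = find_bursts(lines)
    return sorted(((ip, n, label_ip(ip)) for ip, n in bursts.items()),
                  key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, n, label in report(make_sample_log()):
        print("%-16s %3d bookings/10min  %s" % (ip, n, label))
```

The threshold and window are tuning knobs: a legitimate applicant books once, so a single address that books dozens of slots in minutes from a hosting netblock is the signal worth chasing, and the netblock label is what turns "thousands of hits from Russia" into "one proxy, one customer".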
Security Breaches Raise Security Awareness
In my book, Bob Maley is more of an IT hero than a scapegoat. He has been out after dark and is not a newbie when it comes to dealing with criminals or dealing with the press (not that the two professions have anything in common with each other). He is a former police officer, and he was the subject of an SC Magazine cover story about how he responded to a 2007 data breach that compromised half a million state records. His first-hand account of what a breach looks like and how to go about solving it with the cooperation of local authorities is not only relevant but also raises everyone's awareness of how easily data can be manipulated and misused. Nothing teaches security awareness better than a security breach.
So what went wrong with Bob Maley's career? If he did not get clearance to speak at RSA, that is his own fault. However, I find it hard to believe that someone with police training would not understand the chain of command. I wouldn't be surprised to find out that the problem had more to do with someone in a position of authority not understanding what a proxy server was, or how sinister cyber crime has become. We need to raise the level of awareness of cyber crime, not sweep it under the rug. It is a sorry state of affairs when those who lead successful security programs are viewed as paranoid control freaks, business roadblocks or public relations liabilities.
An IT Tells All Audio Book
If Bob Maley is taking a break between jobs, I hope he hooks up with a good writer and makes a bestseller out of the State of Pennsylvania fiasco. I would suggest the same thing to Terry Childs, the former network manager for the City of San Francisco, who was still in jail awaiting trial, last I heard. His crime was to withhold the network administrative password from someone with a nitwit's understanding of network operational security.