Pa. CISO Unfairly Fired


By Tony Kontzer

I'm writing today to bring your attention to the case of Bob Maley. In case you haven't heard--and you probably haven't, since very few IT news outlets have picked up on this--Maley was the chief information security officer for the state of Pennsylvania until this week, when he apparently was let go for comments he made during a presentation at last week's RSA IT security conference in San Francisco.

What were Maley's offending remarks, you may ask? It seems he shared information about an incident last month in which a driving school in Philadelphia hacked into the Pennsylvania Department of Transportation's scheduling system, booking up swaths of appointments in an attempt to gain an advantage over the competition. Only problem is, the Pennsylvania DOT says no hack occurred, though a spokeswoman reportedly acknowledged that state law enforcement officials are investigating an "anomaly."

The incident came to light when Eric Chabrow, managing editor of Government Information Security (and former editor of CIO Insight), reported Maley's comments on his blog, "The Public Eye." I only found out about the whole affair when I happened to log onto Twitter at the right moment to see a post from danielkennedy74--himself a CISO--that can't be shared in our family-friendly format. Kennedy's irritation with the development was reflected in dozens of other posts on the topic Wednesday.

Let this blogger join the chant: whoever made the decision to fire Maley was dead wrong. It's not that I don't understand the thinking. Yes, Maley may have spoken out of turn and embarrassed the Pennsylvania DOT, but he did so in the name of enlightenment. He did so in an effort to help other CISOs make better decisions about protecting their own IT domains. He did so because he thought he was doing the right thing.

Mr. Maley, if it helps, I think you did do the right thing. Remember, the very conference at which you made your comments featured a series of federal government officials all calling for more cooperation from the private sector if the IT community is to get the upper hand on cyber criminals. And I don't believe that should only refer to companies cooperating with the Feds. It should also mean companies cooperating with each other, by sharing information on attacks, opening up best practices, and not living in fear that merely discussing an exposed vulnerability will invite more attacks.

In fact, Mr. Maley, your first call should be to Homeland Security Secretary Janet Napolitano. I hear she's looking for some IT security help, sharing encouraged.


3 Comments for "Pa. CISO Unfairly Fired"

  • Mike Meikle April 20, 2010 10:34 am

    I can partially empathize with Mr. Maley. While consulting for a client on a security matter, some of their customers were being defrauded out of 100,000s of dollars. Unfortunately, internal politics were delaying the resolution of the issues that led to the hacking. Finally, I had to engage the CIO of the company and inform that person what was occurring. It went over poorly with the CIO's direct reports, to put it mildly, but the situation was finally addressed. In order to effectively address the threat that businesses face from the black hat crowd, we need to dispense with the "Office Space" business antics. Also, upper management needs to stop paying lip service to the calls for cooperation and open-door policies and actually be serious. I know that criminals are serious about making money and exploiting our weaknesses. Let's not provide them with more ammunition.

  • PassingThru March 15, 2010 2:20 pm

    Unbelievable. PennDOT thinks their pride was hurt before. Funny, they managed this like they manage our roadways: over budget, over time, poor quality.

  • Peter Bachman March 12, 2010 2:17 pm

    As a Pennsylvania resident, I'm outraged at the treatment of Mr. Maley, but not surprised at our loss. This did not look to be a major breach, just a minor example of how difficult it is to maintain web services code so that it treats people fairly and they don't get scammed. I think Springsteen and sports fans felt the same way when ticket sales were unfairly gamed by paid hackers. While the people were eventually prosecuted, the damage had already been done. The domain name system is simply set up to facilitate this nonsense, with X.509v3 certificates grafted on during the dot com boom, so levels of assurance are not high if you start poking around backstage at the props of the security theater. I recently advocated for a fix in one of PA's major financial transfer systems regarding broken web security authentication code directly with the vendor, amazed that it was done so poorly and so out of date. While it did get fixed eventually, the lag time was substantial. If you try and trace back most of the security as to the way it's supposed to be done by the standards, it looks to be very low bid contract work. On the other hand, some of the services that used to cost a lot, and were a cottage industry of sorts, such as trucking documents up to the capital for routine stuff like renewals of driver's licenses, etc., are done online very smoothly. Now that the commonwealth wants to network personal medical data, there are serious concerns that this stance of security through obscurity will dominate, rather than the advanced ideas circulating at RSA and the blogosphere. The current threat models being developed are far more advanced, and far less trivial, than this example, which is indicative of a gap in treating the CISO with the business respect that is deserved by those who, by dint of political power, remain reactive and think primarily in terms of job security rather than solving systemic problems.