According to today's ComputerWorld, Pennsylvania's Chief Information Security Officer (CISO) Robert Maley was fired after discussing a previously undisclosed security "anomaly" at the US RSA 2010 conference last week. Mr. Maley, the ComputerWorld story says, apparently disclosed that:
"a Philadelphia-area driving school ... was trying to get early driving tests for its students. The source said someone at the school exploited a configuration 'anomaly' in the Department of Transportation's online driver's test scheduling system."
As a result, the driving school could jump the queue in scheduling tests for its students.
According to ComputerWorld, Mr. Maley, who was the state's CISO for four years and its first one, hadn't been authorized to speak about the incident, which a Pennsylvania government spokesperson says is being investigated by the Pennsylvania State Police.
The spokesperson also said that the incident was not a security issue, although she would not describe what the anomaly was or how it was supposedly exploited.
The ComputerWorld story also noted that Pennsylvania's IT security staff and budget have each been cut by approximately 40% over the past 18 months (the state is looking at a $475 million deficit for this fiscal year, which ends June 30th), and that, according to unnamed sources, the remaining security staff has been told to shut up about cyber security problems.
I guess you don't want to advertise that the state is vulnerable to cyber attacks, do you?
Ironically, also at the RSA conference was a panel on the need for companies to tell law enforcement about security breaches. Companies are often hesitant to do so because of the perceived bad publicity that sometimes comes with a call. Privately run companies can more easily keep such calls to law enforcement quiet - public companies can for a short time but not forever.
Pennsylvania government officials did call law enforcement, but they did not inform the public of the matter. If the state was trying to hide the incident because of the bad "political" publicity it might create, firing the CISO probably wasn't a smart move. A quiet reprimand would have been better, and no one would have much noted the "anomaly." Now it is a big deal.
And if the state was trying to make a point to other state government employees by quickly firing the CISO for talking without permission, I expect that to backfire as well: it not only looks petty, but the message, rightly or wrongly, is that the current Pennsylvania government has lots of dirty cyber security linen to hide. Expect the state's press to start digging for it.
Now try hiring an experienced CISO into that environment. Unless, of course, Pennsylvania doesn't really want one.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.