Why Bob Maley’s Firing is Bad for All of Us

The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of what actually matters is appalling and it is a glaring example of the sickness of secrecy that’s infected far too much of the security community.

Maley was the Pennsylvania CISO for four years and essentially started the state’s information security program from scratch when he took the job. He brought the dozens of state agencies and thousands of employees into the 21st century with a massive project to install intrusion prevention and an identity and access-management system. When he got there, Pennsylvania didn’t even have a standard desktop OS image. And this is a network that was seeing more than a billion security events a month in 2007.

As a result of his success in transforming the state’s infrastructure, Maley became a sought-after speaker and interview subject, a fact that led directly to his firing. At RSA, Maley was on a panel that discussed security issues facing state governments. During the session he talked about a recent incident in which the owner of a driving school in Pennsylvania allegedly figured out a way to game the state’s motor vehicle exam scheduling system in order to get his students to the head of the line.

That’s it.

Maley didn’t give explicit details on the problem and didn’t even really describe it as a security issue, according to news reports. He simply cited it as an example of the issues he deals with every day. And as a result he no longer has a job because, as Jaikumar Vijayan reports in Computerworld, Pennsylvania has a policy requiring employees to get explicit permission to discuss state business publicly.

On its face, that’s a sensible policy. No one wants unauthorized people spouting off to the media. But on the other hand, this is a state government, and the government’s business is the people’s business. This is not classified information, and I would argue that it’s not even sensitive information; it’s simply evidence that someone in the Pennsylvania IT organization misconfigured a Web application.

And that’s the real problem here. Maley’s dismissal (or resignation under pressure) isn’t just an isolated incident. It’s emblematic of a particular kind of tunnel-vision that’s afflicted executives, bureaucrats and others in power for too long.

The kind of reflexive secrecy that Pennsylvania’s bureaucrats practiced in dealing with a simple bug in a driver’s test scheduling system, of all things, is exactly what’s been preventing security professionals from sharing information for decades now. God forbid people talk about an attack or a mistake they made, because then we might suspect they’re not perfect.

Of course, as any five-year-old can tell you, no one is perfect. And one of the more effective ways people learn is by observing and listening to people who have been through the same experiences and to find out what worked and what didn’t. Children understand this instinctively; it’s how they learn how to use a fork, walk, tie their shoes and hide their vegetables under their mashed potatoes.

But somehow that common-sense approach to improvement wears off over time, and we end up with the absurd situation we’re in now, where sharing the most banal information is not only frowned upon but is a career-limiting move. And so we’ll continue in the same vicious cycle we’ve been in forever: build, (try to) secure, hack, deny.

Lather, rinse, repeat.

Discussion

  • PTCruiserGT on

    So basically Pennsylvania's bureaucrats think that security by obscurity works.  FAIL.

  • Anonymous on

    Not surprised. Most agencies and companies cover up security incidents. It makes them look bad and jeopardizes their reputation.

  • Anonymous on

    PTCruiserGT,

    It's worse than that. I can top ANYTHING Bob Maley has to say... but I can't!

  • Sectoid on

    Great writing Dennis, you nailed it...

    Read some of the comments here (local coverage), clearly some very relevant debate:

    http://www.pennlive.com/midstate/index.ssf/2010/03/pennsylvanias_web_security_off.html

  • Anonymous on

    I hope the guy gets his job back or gets a nice settlement. Previous poster, you are right. Most security professionals have seen much worse; however, they know that the laws do not protect them. Whistleblower laws are weak and ineffective, and companies have deep pockets to make the lives of their security people miserable. I am getting out of the field just because of this reason. Taking my CISSP and putting it in the garbage.

  • Anonymous on

    Someone powerful probably wanted him out, and this was probably their best opportunity to get rid of him.  If this is really the only reason for his ouster then the entire state should be outraged by policies that encourage cover-ups.

  • Anonymous on

    Bob Maley did not personally start the security program at PA. He came on board after an enterprise program was initiated. The fact that he takes credit for it all should indicate what kind of ego the man has. He is very good at taking credit for others' work. PA still does not have a standard desktop, so taking credit for that shows that you need to take everything he says with a grain of salt. He was fired not because he was looking out for the state, but because he was only looking out for himself.

  • marymax on

    OK Anonymous, I have a question for you: if PA had a security enterprise program installed and running, why was the driving school instructor able to hack and manipulate the driving schedules of the Department of Motor Vehicles database to bring his students ahead of others that had appointments? We seem to take things for granted and believe that our information is secure, but in reality it's not as secure as we believe. I do hope that Bob Maley is reinstated and that PA realizes that when someone takes responsibility for taking a security program and improving it and there are still flaws in their security system, then there is something inherent in the system that makes the system inadequate. If the security system was a perfect system then there should have been no reason for the instructor to succeed. I'm an IT person and there is no such thing as a perfect security system. Your security system is only as good as the person who is installing the system makes it. We need to get over this secrecy mentality and start working together as a worldwide team to put roadblocks in the way of hackers, with the understanding that any hacker, whether it be a good one or a poor one, can and will find ways to get around a security system.

    Another question: why are you anonymous? Do you work for the State? Why doesn't PA have a standard desktop? That is the first thing that should be done so that there is uniformity throughout the state, and there should be a uniform security system installed on all State and City networks to prevent hacking into government systems.

  • AlbieW on

    This is why we don't get and keep the very best people working in government, and when we do get the best to come and work there, they are stifled by bureaucracy!

  • Cynical in Illinois on

    In Illinois, a Governor (not Blagojevich) went to jail because the State licensed a driver who didn't speak English, who ended up killing five children in a fiery car accident. I believe the driver was granted a license by a driving school which sold the licenses and contributed to the Governor's campaign. It was licenses for bribes, basically. Therefore, there could be more than just a security issue. The owner of the driving school could know persons in high places.

  • Anonymous2 on

    Different anonymous, but I will answer your question marymax: 'Why doesn't PA have a standard Desktop?'

    Define a standard OS image? With more than 40 Departments with varying levels of budgeting and resources and more variations of software than most organizations could even imagine, what would a 'standard OS image' be? If it is simply defining through policy OS standards, patching requirements, AV and other security software requirements that make up a required base of an image... then yes, this all exists. I do not have the animosity of Anonymous the first for Bob... he was a good guy in a tough position IMHO.

  • Anonymous on

    I have to be anonymous because of my settlement with the state government I worked for.  One new high-level manager decided to investigate the IT systems of the program I worked with - he had his people take down the servers to copy the drives.  He did this without telling the program manager or staff, so a line-of-business application went dead without any notice to us or the critical customers.  His people cloned the drives, then re-assembled the RAID array in the wrong order.  When the servers failed to boot, he blamed me - why?  Because in his words, I used 'hacking tools', the same system auditing tools my previous supervisors had authorized and the same tools I learned about in SANS classes on the way to my CISSP.

    Six months of admin leave before being let go - nothing I said or my lawyer said made a difference.  Finally, a small settlement and the right to resign.  I never got to shove the truth of his dishonesty (learned from the interrogatories during the discovery process) in his face.  I got thrown under the bus to protect his reputation and 18 years of stellar service went down the tube.  He never bothered to consider that what he alleged was so blatantly a violation of the ISC2.org code of ethics and also would have meant hurting a system that helped low-income clients - why would I endanger my hard-earned cert or the clients?  It made no sense at all.  The truth was that he compartmentalized the knowledge of what actually happened, so no one ever knew what really happened, just his version.  So, I can relate to Maley's predicament.  I don't know him; maybe he was/is arrogant because some posters clearly don't like him.  The point is, there are truly some idiots in state government management.

    My $0.02 worth.

  • Anonymous on

    One fact that seems to have been glossed over "The incident was reported to the state police, and the matter is currently under investigation, the source said." If this is true and was done before Maley spoke, then he talked about an ongoing investigation. At the point that the information was turned over to the state police to investigate it becomes a legal matter and, I'm making assumptions here, it is up to the State AG or State Police to decide what information if any can be disclosed about the issue.

  • marymax on

    I'm so sorry; had I known I wouldn't have asked such a stupid question. I too have lost several jobs because someone has taken it upon themselves to go behind management's backs to access systems that they have no authority to access. I'm an Administrative Assistant with ethics and I have been fired from jobs because I wouldn't do anything unethical; like I was told by a major staffing agency that I had walked out on a job before it was completed and that they could not represent me anymore. The client had told one version of the story to the recruiter, but the recruiter never bothered to contact me to get my side of the story. So I can feel for you because I've been there and back again. It's called passing the buck to save their jobs at the expense of another person's job. And I agree with you about there being some true idiots in all State Governments, especially in Management. You want to compare State Governments for Idiot Managers? Look to the State of California. Again, I'm so sorry for the comment.

  • Anonymous #3 on

    Hi marymax,

    I'm a different 'anonymous' poster than the one you're apologizing to; my anonymous posting about running into an idiot state manager reflects how common this type of treatment is for ethical security workers. I'm sorry to hear about what happened to you, and no need to apologize!

    What hurt me most was how some other managers I'd helped prosper turned their backs on me completely like I was 'career poison'.  I spent $9K on an employment lawyer and computer forensics expert, just to clear my name.  If I could have afforded it, I would never have settled and waited instead to take them to civil court after the State appeals process was finished.

    When you believe in, and practice, ethics and integrity, don't assume that everyone does the same.  Especially middle-management...  I was naive and trusted that Right would win out.

    Take care.

  • Anonymous on

    If Maley was practicing in accordance with ethics and integrity, he would have followed the policies of his employer. Do the litmus test on this by replacing the field, topic and context, and it really boils down to him breaking a pretty standard policy. Jumping to conclusions or making assumptions about the intent or making up stories about some grand conspiracy to cover up information is quite far-fetched when it really does seem quite simple: he didn't follow the policy.

  • Anonymous on

    I've seen whistleblowers get entire facilities shut down. I don't blame myself, the whistleblower. I blame the mgmt for not doing anything when the whistle was blown 6 months prior, and the execs for shutting down the profitable business instead of fixing the mgmt issue and not resolving the vulnerabilities in the product. When I was laid off for blowing the whistle I thought about suing, but a year later I am making twice what I used to and the company has since tried to get me back to no avail, plus the fact that I have a family member still working there at another facility and their life might be hell if I spoke out. With more experience I have recently learned this stuff happens more often than people realize. Lessons learned: Be very careful with blowing the whistle, as it can mean many people's jobs regardless of company policies saying otherwise. There are easy loopholes around such policies for executives. Don't hire managers that aren't security savvy for any sw or hw product. Keep your skills up to date so you can make twice as much when you get laid off.

  • Anonymous on

    Policies allow, among other things, the ability to fire people, as nobody is 100% compliant to all policies. Of course one can let things slide constantly with all employees, but when one wants to fire someone, just cite a policy, not the real reason for them being fired. That is how one protects management and companies legally. Don't put the real reason in an email for eDiscovery. We teach no one ethics/morals K-12 and we wonder why the world is this way. Many companies just give lip service and a facade to ethics. One reason Buffett is successful is because he has the opportunity to find out to a good degree the real ethical cores of the executives at play. Maley will be better off with a company or agency with executives that have a solid ethical core.
