The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of what actually matters is appalling and it is a glaring example of the sickness of secrecy that’s infected far too much of the security community.
Maley was the Pennsylvania CISO for four years and essentially started the state’s information security program from scratch when he took the job. He brought the dozens of state agencies and thousands of employees into the 21st century with a massive project to install intrusion prevention and an identity and access-management system. When he got there, Pennsylvania didn’t even have a standard desktop OS image. And this is a network that was seeing more than a billion security events a month in 2007.
As a result of his success in transforming the state’s infrastructure, Maley became a sought-after speaker and interview subject, a fact that led directly to his firing. At RSA, Maley was on a panel that discussed security issues facing state governments. During the session he talked about a recent incident in which the owner of a driving school in Pennsylvania allegedly figured out a way to game the state’s motor vehicle exam scheduling system in order to get his students to the head of the line.
Maley didn’t give explicit details on the problem and didn’t even really describe it as a security issue, according to news reports. He simply cited it as an example of the issues he deals with every day. And as a result he no longer has a job because, as Jaikumar Vijayan reports in Computerworld, Pennsylvania has a policy requiring employees to get explicit permission to discuss state business publicly.
On its face, that’s a sensible policy. No one wants unauthorized people spouting off to the media. But on the other hand, this is a state government, and the government’s business is the people’s business. This is not classified information, and I would argue that it’s not even sensitive information; it’s simply evidence that someone in the Pennsylvania IT organization misconfigured a Web application.
And that’s the real problem here. Maley’s dismissal (or resignation under pressure) isn’t just an isolated incident. It’s emblematic of a particular kind of tunnel-vision that’s afflicted executives, bureaucrats and others in power for too long.
The kind of reflexive secrecy that Pennsylvania’s bureaucrats practiced in dealing with a simple bug in a driver’s test scheduling system, of all things, is exactly what’s been preventing security professionals from sharing information for decades now. God forbid people talk about an attack or a mistake they made, because then we might suspect they’re not perfect.
Of course, as any five-year-old can tell you, no one is perfect. And one of the more effective ways people learn is by observing and listening to people who have been through the same experiences and to find out what worked and what didn’t. Children understand this instinctively; it’s how they learn how to use a fork, walk, tie their shoes and hide their vegetables under their mashed potatoes.
But somehow that common sense approach to improvement wears off over time and we end up with the absurd situation we’re in now where sharing the most banal information is not only frowned upon but is a career-limiting move. And so we’ll continue in the same vicious cycle we’ve been in forever: build, (try to) secure, hack, deny.
Lather, rinse, repeat.