Fired CISO says his comments never put Penn.'s data at risk

Maley admits he was wrong to speak at RSA, won't appeal firing

Robert Maley was fired from his job as the chief information security officer for the state of Pennsylvania earlier this month after he spoke, without proper authorization, about security incidents involving the state during a panel discussion at the RSA trade show.

References he made to a security incident involving the online driving test system at the Pennsylvania Department of Transportation in particular were believed to have led to his termination. A state spokesman has not commented, citing privacy rules, except to confirm that Maley is no longer employed by the commonwealth. In this interview, Maley gives his side of the events that led to his dismissal.

Robert Maley
Robert Maley

What exactly happened? They terminated me. I was specifically asked not to talk about anything in Pennsylvania without explicit permission and to have everything that I would say to be completely reviewed before I said it. So yeah, they told me that, and, yup, I was wrong ultimately doing that. As far as the official reason, that's why. It's not because of the PennDOT incident. It was because I did not have permission to speak. Not just at RSA, I wasn't permitted to speak anywhere. I was on vacation when I went there. I went out there on my own time.

What prompted you to do that? Pennsylvania is facing a lot of significant challenges with the economy, as are a lot of other states, with budget cuts, training cuts. It just made things very difficult. I don't presume to be the know-all expert about anything, and I need to get myself around the type of experts that they have at these conferences so I can learn what's going on so I can take that information back and share it with the staff.

I was the one that was responsible for information security at Pennsylvania, so being exposed to the caliber of the people that I find at these conferences and the education that I can get [was important].

But what prompted you to speak about Pennsylvania security matters at RSA knowing that you didn't have the required clearance? Two reasons. The first was to promote the success that the commonwealth of PA has made in the information assurance world, and the second was to share information with my peers -- information I hoped they would find valuable in furthering our common goal of protecting our assets.

So what happened at PennDOT? There's been a lot of speculation in the press about the PennDOT incident. First, it wasn't a hacking. It was an anomaly. Something happened. It was caught. It was identified. The incident was closed and the vulnerability was closed as well. I would have never spoken in public about any vulnerability that would have exposed the citizens of the commonwealth. That is something I have never done and never would do. I was using [the PennDOT incident] as an example of legacy applications that are still at risk. The whole purpose of using that as an example is that the people at RSA are the ones who are responsible for protecting their citizens, their company. It helps for people to know what is really going on, about how fast things are changing.

It's your position that you compromised nothing by speaking at RSA? Nothing. The vulnerability has been fixed. Everything I talked about was either part of a public submission or was available in press releases. I talked about prior breaches at Pennsylvania, but that was information I got from public press releases.

You talked about this being done on your own time. Should that have made a difference? When I left, I had put in a vacation request and I was approved. They didn't appreciate that I was doing it on my own time and they dismissed me. They canceled my vacation and said I was absent without leave ... In the dismissal, they said I spoke without approval. My problem is I believe in what I am doing. For me, citizen safety comes first.

So they canceled it retroactively? Yes.

Can they do that? Yes.

Are you surprised that you were fired? (Laughs) Yes. I looked at the four years that I've been there and the accomplishments that Pennsylvania had made in the realm of cybersecurity. They have received a NASCIO (National Association of State Chief Information Officers ) award, they have been finalists in the security area at NASCIO and have won other awards for their programs. Pennsylvania has really put together an outstanding security program. I know people like to make comments about government employees, but the folks that are doing security there are the finest people I've had the opportunity to work with.

Did budget cuts have anything to do with your dismissal? How has it affected the security team at Penn? That would be speculation. I don't want to go there. There were several positions where some folks left to go and join the private sector, and those positions were either cut or were not permitted to be filled. Again, I have to go back to the caliber of the program and of the people who have been put in place over the last few years. The ones who are still there are really good people. They are going above and beyond what their pay grade is to maintain the security of what they are doing. I can't say enough about them.

What message do you think an action such as this sends to other CISOs? I've read a couple of comments in various blogs about the perceived message. It's a challenge in the balance. In the private sector, the CSOs are responsible to the board and to the stockholders. I think the stockholders in the public sector are the citizens. I think citizens have a right to know about what their government is doing to keep their information safe. Obviously, talking about a vulnerability that exists in a system is bad. If we know about a vulnerability, well, then we need to fix it. But if the information we share with our peers can help others improve their security posture, then I find significant value in that.

Are you planning on appealing your termination? No, I won't. I think the whole issue of information sharing is something that people are always talking about. Every time I am around a group of people, they are talking about how to share information between the government and the private sector.

I remember back three years ago nobody would talk about any security problems with SCADA systems. That seems to be starting to change. The fact that this incident has gotten some people talking I hope will keep the issue on the table, and I hope we can find ways that we can share incidents like this successfully with our peers. I hope we can be more open about what's really going on to benefit the good guys, because I think the bad guys have no problems sharing information with each other.

What's your advice to your counterparts? They really have to evaluate for themselves their own environment. We have all the state governments, they are all unique, they all have different political environments, they all have different security landscapes, they all have different financial situations. So they have to evaluate their own situation and they have to be true to themselves.

What now? What are your plans? Open. I am very passionate about the industry. I am very passionate about what I do, I enjoy what I do.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies