Friday, March 19, 2010

Bob Maley - when employers and professional organizations collide

On March 3, Eric Chabrow wrote a blog post that quoted Pennsylvania's chief information security officer, Bob Maley, who was on a panel at an RSA security conference:

"We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know."

But there's one thing that we do know - Bob Maley is no longer the chief information security officer of Pennsylvania. The reason for his dismissal was not disclosed, but presumably it was related to his public disclosure of the security breach.

Many people are professionals in one field or another, and while they have an obligation to their employer, they also have an obligation to their profession. And as Merritt Maxim notes, Maley's disclosure was consistent with his obligations to the security profession:

While Maley's disclosure of a potential breach and vulnerability caused concerns in some circles, public disclosure of vulnerabilities is a central principle behind the design and development of secure systems. And it is an ongoing challenge in infosec to weigh the risk/reward of disclosing a yet-to-be-fixed vulnerability. Yes, it might invite more attacks, but it also opens the vulnerability to a global knowledge base of seasoned IT security professionals who can a) offer input on how to address the vulnerability and b) verify that their systems are not susceptible to this same vulnerability. There is a reason why cryptographic standards like AES were subjected to a rigorous public review process; such public vetting only helps improve the underlying security.

I hope that organizations will continue to come forward to share their collective IT security experiences without fear of retribution. There is a lot to be gained from such discussions.

Certainly much to be gained by society as a whole, but what of Maley's organization in particular? Does Maley have an obligation to protect Pennsylvania state systems from attacks? Could Maley have donned a mask and presented himself as "The Unknown CISO," thereby saving Pennsylvania from possible copycat hackers?

And this doesn't just apply to CIO types. Accountants, lawyers, doctors, and many other professionals have obligations that may clash with what their employers want them to do. Heck, now that I'm a card-carrying member of the Association of Proposal Management Professionals, I may run into such an issue myself some day.

So how do we resolve such conflicts?