Bob Maley, Pennsylvania’s CISO since 2005, is out of a job, days after he joined a group of other state IT security chiefs on an RSA Conference panel and reportedly offered candid remarks about a recent data breach.
Gary Tuma, a spokesman for Gov. Ed Rendell, told SCMagazineUS.com on Thursday, that Maley was no longer employed by the state. He would not say whether he was fired.
“Beyond that, it’s a personnel issue and we don’t discuss it,” he said.
Maley’s final day in his $90,661-a-year post was Monday.
A call placed to Maley’s cell phone went directly to voicemail.
During the panel at the RSA Conference last week in San Francisco, titled “The Front Lines: Cyber Security in the States,” Maley was scheduled to join CISOs from California, Colorado and Nevada.
According to the conference agenda, the discussion was to center “on the challenges they face, the evolving nature of their state cybersecurity programs, and how government and industry are working together to make a difference. This session is very interactive featuring earnest discussion about how state CISOs manage their crucial role in cybersecurity.”
But Maley may have gotten too earnest, according to reports. According to “The Public Eye with Eric Chabow” blog, Maley offered frank details on a recent intrusion of the Pennsylvania Department of Transportation site where residents can schedule driver’s license tests.
“We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams,” he said during the panel, according to Chabow’s blog. “It was encrypted traffic, and we were trying to figure out what the heck was going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn’t know.”
Maley told the audience that the hacker, who owned a driving school in Philadelphia, used a proxy server in Russia to mask his identity and then exploited a system bug so he could schedule exams for his students. Normally, the waiting list for available slots is up to six weeks.
Tuma said Maley’s duties would be handled by other members of the security team. No replacement has been announced.
Maley, who was 53 last July when he spoke to SC Magazine for a cover story on data breach response, was instrumental in developing a statewide strategy for preventing data-leakage incidents after some 500,000 state records were compromised in 2007.
He and his team analyzed the threat landscape to determine what posed the most risk to the state’s confidential records, Maley said in the story. The undertaking included encrypting any computers not housed in a secure facility, mainly laptops. But given Pennsylvania’s investment in electronic government services, the main thrust of the project was testing web applications for vulnerabilities to hackers.
Maley, a former police officer in Harrisburg, Pa., was a finalist for this year’s SC Magazine CSO of the Year award, which was won by his RSA panel-mate, Mark Weatherford of the state of California.