The information security industry took a step back this week with news that the CISO of the state of Pennsylvania, Bob Maley, lost his job, likely over remarks he made during a panel discussion last week at the RSA Conference.
In an industry where information sharing is widely agreed upon as one of the paramount ways to combat the world's cybercriminal element, it is truly upsetting to see a security pro lose his job over doing just that.
Although a spokesman for the Pennsylvania governor wouldn't admit it, that is exactly what appears to have caused Maley's departure from a role he held for five years.
On a panel at the RSA show last week, on which he was joined by three other state CISOs, Maley offered details into a recent intrusion affecting the state's Department of Transportation website. He didn't get too specific, but it was specific enough to surely prove instructional to the scores of conference attendees in the audience.
He described, according to a report on govinfosecurity.com, how the owner of a driving school in Philadelphia used a Russian-based proxy to hide his identity as he exploited a vulnerability so that he could schedule his students for driving exams. (The wait list to take the test usually runs up to six weeks).
Maley, an SC Magazine CSO of the Year finalist, has always been a candid, shoot-from-the-hip kind of guy. I learned this from our conversation last summer when I interviewed the former cop for a cover story on data breach response. For the story, he recounted a number of breaches that have affected the state, rarely holding back details.
I'm assuming that this particular incident touched a nerve with state officials because the hacking was relatively recent, and there was still an investigation underway.
But even so, I find the firing to be counterproductive to what the security community is attempting to accomplish. The key to winning the battle against sophisticated hackers is with details and anecdotes, exactly what Maley appears to have been doing. Speaking generally just doesn't cut it, not in this industry. And especially not at the world's premiere gathering of information security professionals — one of the few times in the year when practitioners get together to swap stories on life in the trenches.
It's a shame, too. We were only just applauding Google for its transparency over the China attacks. Many had lauded the internet giant for coming clean about being the victim of a massive intrusion.
We seemed to be turning a corner...and then this.
In 2010, remaining mum, or too close to the vest, about incidents benefits nobody. Every organization in the country is being probed on a daily basis. Vulnerabilities are going to be there. Hacks are going to happen. Data is going to be exposed. The criminals are going to be one step ahead. Let's move on from this prevailing wisdom that any one organization is immune from attack.
Once we do that, and only then, can we take back the internet.