CA Community

Disclosing vulnerabilities, breaches and why the Pennsylvania CISO issue troubles the industry

Published: March 15 2010, 01:53 PM
by Merritt Maxim

The infosec blogosphere erupted last week on the news that the State of Pennsylvania's CISO, Robert Maley, was removed from his post over remarks he made about a recent breach at the Pennsylvania DOT during a panel session at last week's RSA Conference. Eric Chabrow at GovInfoSecurity.com was in attendance at the panel and blogged about the discussion. He also posted an excellent blog that discusses many of the salient issues of the dismissal.

While I am not privy to all aspects of the incident (and the State will not comment on the specific reasons for Maley's departure), this news is troubling for a variety of reasons. 

First, this incident has the potential to dissuade qualified infosec professionals from working in the public sector. The public sector remains a common target for nefarious individuals and organizations of all types (examples include the reported attacks on our federal government IT systems, and even last month's suicide plane crash into an IRS building in Texas, which shows the lengths to which some individuals will go to express their frustration with the government). The reality is that we need seasoned infosec professionals in the public sector, but if these people risk losing their jobs over these types of disclosures, it will get harder to recruit people into the public sector and the public IT infrastructure will continue to be at risk.

Secondly, this incident demonstrates that for all the progress we have made in information security in the last 20 years, awareness of basic infosec principles is still needed. While Maley's disclosure of a potential breach and vulnerability caused concerns in some circles, public disclosure of vulnerabilities is a central principle behind the design and development of secure systems. It is an ongoing challenge in infosec to weigh the risk and reward of disclosing a yet-to-be-fixed vulnerability. Yes, it might invite more attacks, but it also opens the vulnerability to a global knowledge base of seasoned IT security professionals who can a) offer input on how to address the vulnerability and b) verify that their own systems are not susceptible to the same vulnerability. There is a reason why cryptographic standards like AES were subjected to a rigorous public review process; such public vetting only helps improve the underlying security.

I hope that organizations will continue to come forward to share their collective IT security experiences without fear of retribution. There is a lot to be gained from such discussions.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

1 person has left a comment:

Not knowing the circumstances of the dismissal, in Robert Maley's defense, I can only reflect security breach disclosure laws enacted in 45 states with Pennsylvania being one of them.

73 Pa. Stat. § 2303

This legislation covers most corporations, but in this case a breach happened to the state systems, and I often wonder if they are above the laws they enact. Who's the hypocrite?

Posted by: George Moraetes, CISM, CGEIT | March 17, 2010 11:50 AM
