Pennsylvania Fines Ex-CISO $10,000
Ethics Panel: Vendors Paid for Conference Expenses
Pennsylvania fined its former chief information security officer, Robert Maley, $10,000 for having vendors pay for his travel, meals and lodging to industry events as well as playoff baseball tickets, violations of a state ethics code, the state Ethics Commission said Tuesday.
The ethics panel also said Maley failed to notify the state that he partly owned an IT security firm, Susquehanna Digital Forensics, during his tenure as state CISO. In addition, the report said Maley failed to file requisite financial interest statements and used his state-owned PC for personal use.
According to the ethics report, Maley agreed to pay the fine and submit financial interest statements the state contends he never filed from 2006 through 2010.
An attempt to contact Maley has been made via e-mail. We'll post his comments if and when they're received.
Maley had been on the job as state CISO for nearly 4½ years, starting in November 2005, when Pennsylvania fired him in March 2010 after his bosses read a GovInfoSecurity.com blog (see CISO Witnesses Hack Like No Other) that covered remarks he made as a panelist at the RSA security conference in San Francisco. At the time, the state did not give a reason for the firing, though it was suggested that he was not authorized to represent Pennsylvania at the conference. Maley, as the ethics report revealed, used vacation time to attend the event. He was identified at the event as Pennsylvania's CISO.
What wasn't known publicly then, but was disclosed in the ethics report, was that Core Security, a provider of IT security testing and measurement software products and services, paid Maley's expenses to the RSA conference. The security vendor also paid for Maley's travel expenses to other security events while Pennsylvania was a Core Security customer, the ethics report said. According to the Pennsylvania Ethics Commission, payments made to or on behalf of Maley by Core Security totaled $12,481.52, including $5,000 given to Maley after he left state service. Days before the state fired Maley, the then-CISO authorized a no-bid purchase of $53,183 in products and services from Core Security, the ethics report said, adding that the state rescinded that order.
A spokesman for Core Security had no comment Tuesday evening, saying the company is looking into the ethics report.
Two Vendors Provided Baseball Tickets
The ethics report also said two security vendors the state conducted business with, BitArmor Systems - now part of Trustwave - and McAfee, provided Maley with baseball tickets, including two seats furnished by McAfee valued at $760 to a playoff game between the Los Angeles Dodgers and Philadelphia Phillies on Oct. 19, 2009, in Philadelphia.
Guidance Software, which sold the state security software and services the ethics panel valued at more than $1.3 million, covered Maley's expenses of $1,663 to a May 2009 Computer Enterprise and Investigation Conference in Orlando. The ethics report says Pennsylvania made the purchases on Maley's recommendation. At the conference, co-sponsored by Guidance Software, Maley spoke about the vendor's EnCase forensic product, the report said. The ethics report cited Maley as saying he didn't endorse the product, but spoke to educate other customers about it.
Requests for comments via e-mail have been made to Trustwave, McAfee and Guidance Software.
The ethics commission also said Maley used his work computer for non-state purposes in early 2010, including sending out resumes to a prospective employer in San Francisco and to Liesyl Franz, vice president for cybersecurity and global public policy at TechAmerica, the IT industry's lobbying and trade group in Washington. A forensic examination of Maley's state computer concluded he spent more than 71 hours on non-state business at an estimated cost of $3,300, based on a compensation rate of about $46 an hour, the ethics report said.
In a guest blog Maley wrote and posted on GovInfoSecurity.com a month after the firing (see Why I Spoke Publicly About Cyber Incident), he skirted the details surrounding his dismissal, but defended his presentation at the RSA conference, saying sharing information "about security incidents can be valuable and should be encouraged."