Is it really over? What can we learn from this?
Posted by: gsmckee4 in General, Recent News

I had refrained from directly commenting on the Terry Childs/San Francisco Network incident that has been in the news this past week or so. I knew that so many other people out there would be commenting about the incident in their blogs, so what good would one more do? Now that the incident appears to be over for the most part, I’ll say a few words. I’ll still leave the particulars of the incident to those other blogs. What I want to comment on is what I consider the underlying factor here, which is Trust and Ethical Behavior.
While I had strong feelings about this case, what really set me off was a piece in Info World in which the author was communicating with a confidential source within the San Francisco technology department. The author was attempting to shed more light on the subject, but in the end the article essentially boiled down to: “What he did was wrong but…”
It’s the “but” that I have a problem with.
Now I’m typically the guy who answers “it depends” when asked a general question. I run down the situation and the variables that need to be considered in order to get the information I need for a more precise answer. I don’t automatically assume the worst in people. I often try to give the benefit of the doubt to everyone – a practice that has gotten me in trouble before. I honestly believe that all of these are good traits. I do however acknowledge that there are situations where there is no middle ground and where the choices are truly binary (either a 0 or a 1; on or off).
In these cases I believe that it is imperative that we, as information security professionals, strongly come down on one side or the other without conceding the middle ground. By taking a stand on one side of this issue and rejecting the arguments or justifications contained in the “but” we can use this example to help our companies and our clients.
The simple fact is that there is no way to prevent a situation like this. Organizations delegate responsibility to trusted personnel to accomplish the tasks needed for a business to operate; they do not abdicate responsibility. They have to delegate; no company can succeed while keeping every employee under constant oversight. It is too large a drain on company overhead. They place their trust in us, and we hold a duty to that trust.
In the Terry Childs/San Francisco Network incident too many things were not done or handled in the right way. The incident didn’t start with Childs either; it started well before that. Decisions and omissions made by the City of San Francisco’s IT Department undoubtedly played a big part in the lead-up to this incident. That said, I don’t believe those factors excuse what happened. It all came down to the point where one individual had to decide what he was going to do. That decision was either to respect the trust that was placed in him or to violate that trust. It appears that he violated that trust, and no amount of “but” can alter that fact.
As with any business situation there is a risk, and the risk must be managed. Organizations can insist upon proper documentation and backups for all systems to ensure knowledge retention in the event a trusted person leaves the company or cannot fulfill their duties. Organizations can put in place access log monitoring software and institute periodic third-party reviews as the situation or the criticality of the area warrants. At the end of the day, though, these measures only serve to reduce the risk to acceptable levels. A risk, however reduced, still remains.
Tags: Ethical Behavior, Ethics, Info World, San Francisco, Terry Childs, Trust
The City and County of San Francisco had recently adopted an information security policy. That policy makes it clear that employees have a duty to secure and protect confidential information and City systems. It also states that passwords are ‘protected data’, and that they are not to be divulged to co-workers. It also specifically states that an employee should not reveal their password to their boss. Further, it states that only the “information owner” which is defined as the “department head” may authorize the disclosure of a password. The person who asked Terry Childs for the password was DTIS Deputy Director Rich Robinson. That person had no written authority to have, nor even to ask any City employee for, their password. Ironically, it was Rich Robinson himself who selected the security policy — thus he knew this. The “department head” in this case was Chris Vein, the Director of DTIS. There is absolutely no indication that Chris Vein ever spoke with Terry Childs, nor that he ever gave written authorization to anyone to obtain the password from Terry Childs.
In this particular case it was not Terry Childs who violated trust — and policy — but rather it was Rich Robinson.
Terry would have been breaking the rules by giving the password, not by withholding it.
http://www.sfgov.org/site/uploadedfiles/dtis/coit/Policies_Forms/CCISDA_security.pdf
Herb,
I haven’t kept up on the particulars of the Childs case over the last week or so, so thanks for the additional information. From the tone of your message it sounds like Mr. Childs is a friend or an acquaintance of yours. It is commendable that you would try to defend a friend.
Honestly though, and with all due respect, the justification that you pose is analogous to those given by abusers in a domestic violence case: “The victim provoked me therefore my actions are justified.” Even if Childs was provoked (and you’ll note from my original post in this thread that I acknowledged that there was fault on both sides) it does not justify the actions that followed.
You see, I’d probably have been a Childs supporter up to the point where he was suspended from his job and arrested. That was the point where he crossed the line. At that point his actions negated all that had happened before and took on a life of their own. It all comes down to Professional Integrity.
A few years ago I was doing some research for the masters program I was in at the time (Norwich University’s MSIA Program) and came across an article by Brigadier General Malham Wakin, USAF, Retired (http://www.airpower.maxwell.af.mil/airchronicles/apj/apj96/sum96/wakin.html). He wrote an article on Professional Integrity that I’ve saved because I think it speaks directly to the concept. His audience is the members of the military, but the concepts can be applied to any profession. Some quotes from Brig. General Wakin’s article:
“Integrity is the modern name we use to describe the actions of those persons who consistently act from a firmly established character pattern of doing the right thing. We especially stress the concepts of integrity when there is temptation to diverge from what good character demands. Persons of integrity do not stray from acting in accordance with strong moral principle even when it is expedient or personally advantageous to do so.”
“No member of the professions can escape these ties to the community since they constitute the very reason for the existence of the professions. Thus, professional integrity begins with this necessary responsibility to serve the fundamental need of the community. Notice that the community makes possible the opportunity for one to become qualified in a given profession and usually allows the professionals the authority themselves to set the standards of competence and conduct of its members.”
“Put in more direct terms, good teachers ought to be good persons, good doctors ought to be good persons, good lawyers ought to be good persons, and good military professionals ought to be good persons. We want to live in a world where the duties of a competent professional can be carried out by a good person with a clear and confident conscience. That means that professional practices must always be constrained by basic moral principles.”
“When professions go beyond their essential service function to society and distort their purpose toward profits, power, or greed, then they lose the trust and respect of their communities and they stop being professions.”
(Now in the last quote I’d substitute “professionals” for “professions” to better support the context in which I use the quote here. I don’t believe that substitution would change the meaning of the sentence.)
At the point where Childs was suspended he should have given up the passwords. He had ample opportunity to seek recompense from the City of San Francisco and have his grievances heard. Instead he acted in a way that was self-gratifying and not professional. That is not what should have been expected of someone of his intellect and professional standing.