In July of 2008, Terry Childs, the San Francisco city network administrator received a heads up from some of his co-workers as he headed into a meeting with management. “We were just told you’ve been reassigned.” Childs entered the meeting to find not only local and remotely dialed in management in attendance, but a representative from Human Resources and a police officer (never a good sign, in my personal experience.)
Management demanded Childs turn over the network passwords for the city’s FiberWAN, Childs refused and was subsequently arrested and held on $5 million dollar bond for three years as he awaited his day in court. Childs argued that the city was creating a situation that would undoubtedly undermine the security mechanisms in place that protect the network. He claimed the city employees asking for that information were unqualified to have administrative access to the FiberWAN, so he refused to divulge them for 12 days before he finally provided them to the city’s mayor.
As a former systems administrator, I understand the sentiment – I truly do. Mr. Childs worked on the network for many years building what he believed to be a safe and secure entity that benefitted the citizens of San Francisco by keeping their infrastructure confidential, available and reliable. The network was like his child – he’s spent countless hours watching it grow and mature, and likely felt a keen sense of pride in what he and his team had achieved. But in truth, the FiberWAN was not Mr. Childs dependent – he was, at best, a “foster parent” or a “nanny” to the city’s infrastructure. It didn’t belong to him and he didn’t have the right to lock out the city from their equipment, regardless of his motive (and I make no case either way regarding his intent being noble or vindictive.)
A jury agreed, and found Mr. Childs guilty of violating a California statue on denial-of-service attacks. This week Mr. Childs was sentenced to four years in prison for his actions and will likely be ordered to pay a substantial amount of restitution for the city. The real question, in my opinion, isn’t whether or not Mr. Childs is guilty of criminal mischief – but rather, what in the world has the city of San Francisco done in the past three years to overcome its complete lack of processes and procedures that allowed Mr. Childs to sabotage the network with such ease? Mr. Childs had singular access to the network for a considerable length of time before the incident occurred, yet no actions were taken to correct this. (It reminds me a little of the BP oil spill – you can’t honestly expect me to believe that NOBODY had the foresight to say, “Hey! Potential disaster here! Shouldn’t we have a backup plan?”)
No security system is flawless – and no administrator is incorruptible. The policies we put in place for our security program MUST take into consideration that every person that interacts with the network is a potential vulnerability. While Mr. Childs could definitely have handled the situation more maturely, the city also needs to be held accountable by its citizens who should be demanding an accounting of how the city is preventing this situation from occurring again.