By Jim Phillips
Athens NEWS Senior Writer
What's the real story on Ohio University's firing Thursday of two top
officials from its Communication Network Services (CNS)?
OU's chief information officer, William Sams, says Tom Reid and Todd
Acheson fell asleep at the switch, and should have done more to prevent a
series of computer hacking incidents that exposed personal data on
thousands of students and alumni to possible theft.
Reid and Acheson counter that Sams himself should be taking some major
blame for the security breaches, and suggest that their own biggest
offense in OU's eyes may have been challenging the qualifications of a
consultant the university hired to investigate the hackings.
Reid was director of CNS, and Acheson was its Unix systems manager. OU
suspended them in June, following the release of a report by Moran
Technology Consultants, Inc., of Naperville, Ill., which was hired to
investigate the causes of a series of computer security breaches at OU.
The Moran report singled Reid and Acheson out for blame in allowing
hackers to break into OU computers on at least five occasions over more
than a year.
On Thursday, OU announced it was firing the two men. Earlier, the two had
taken part in a disciplinary meeting with Sams, at which they presented
Attorneys for both Acheson and Reid said Friday their clients are getting
a raw deal.
"This is disgraceful, what the university's doing," alleged Fred Gittes,
attorney for Acheson. "It's not only a cover-up, but it's insulting in the
manner in which it's being done."
Gittes and Reid's attorney James Colner both said they were particularly
incensed by what they consider a blatantly broken promise on OU's part -
to not make any decisions on Reid and Acheson's employment until the men
had received all the documentation on their cases that they had requested
from the university.
But with their records requests still largely unfilled, the attorneys
claim, Reid and Acheson nonetheless learned Thursday that they'd been
canned. (In Reid's case, he claims he learned about his firing from a
reporter before he got the news from OU.)
"We were promised up and down that we were going to get (those records)...
before any decision was made," Colner said. "And of course, that promise
Gittes agreed, saying the university stonewalled on filling records
requests for his client, then went back on its word and fired him anyway.
"We could not even get Todd's calendar," Gittes alleged.
He noted that OU released the Moran report only in a heavily redacted
form, and that the consultant has admitted destroying the notes used in
compiling the report - an action that Reid and Acheson claim violated the
terms of Moran's contract.
Asked about any agreement regarding records and the timing of OU's
employment decision, Sams said Friday: "I think that's something our Legal
Affairs Office would take under consideration. I can't recall any
commitment like that." (Reid and Acheson say the promise came from Legal
Affairs during the disciplinary meeting with Sams.)
Sams himself is leaving his position as chief information officer with OU,
as soon as the university can find a replacement.
SAMS SAID THAT much of the rope used to hang Reid came, not from the Moran
report, but from Reid's own presentation at the disciplinary meeting. Sams
said the evidence shows that Reid and Acheson failed to safeguard the
outer "perimeter" of the university's whole computer network.
"The responsibility that Mr. Reid and Mr. Acheson had was for the
wide-area network and the local-area network," he said. "Both of those
were involved in all of the security breaches."
In a lengthy prepared statement issued Friday - which apparently reflects
what was in his presentation during his disciplinary meeting
- Reid noted that none of the breaches occurred on computers that were
under his management.
Far from having closed his eyes to computer security problems, Reid
maintains that he made "repeated efforts to gain university attention to
the issue of information security, dating back to 1998," which included
making "numerous proposals" for upgrades complete with requests for
"My department developed and implemented literally dozens of security
initiatives in the past 10 years that have served Ohio University quite
well," he added.
Sams countered that Reid proposed all his projects to improve computer
security before Sams took over as CIO.
"It's very clear from his own documentation, that he never advised me of
the seriousness of the security situation," Sams alleged.
He cited the fact that Reid and Acheson never called for installation of a
"perimeter firewall," a kind of security moat around the outside of the
university's entire computer system, providing security at the point where
OU's computers reach out to the Internet. (OU recently announced that such
a firewall will be put in place, as part of a large-scale reorganization
of its IT structure.)
"What they did not do was put any good gates on the (information)
highway," Sams alleged. Because the two were responsible for the security
of the entire wide-area and local-area networks, he argued, it's
irrelevant which individual servers they were supposed to be watching.
Reid contends in his prepared statement that it's "widely known" that such
firewalls aren't typically used at large research universities "due to the
sheer complexity of the server environment, the need for an open and
high-performance networking environment crucial to research and learning,
and the distributed responsibility and authority over many aspects of the
institution, including information technology."
He cited a report by a task force on computer security in education, which
stated that while firewalls are widely used to protect critical systems,
they are "less common" at system perimeters, with only 40 percent of a
sample of doctoral research universities using them.
Sams countered that this report is three years old and possibly outdated,
and that a top computer security firm, the Gartner Group of Stamford,
Mass., has recommended that OU install a perimeter firewall.
Sams added that Reid's job should have included warning Sams that a
firewall was needed. Asked how, as CIO, he could have been unaware that OU
was lacking such a supposedly important security feature, Sams
acknowledged that he did know this, but added that "I was dependent on Mr.
Reid" to keep him apprised of looming security risks.
Reid has questioned why Sams never raised the computer-security issue with
him during a two-year performance review in March 2006, in which Sams gave
Reid high marks for his performance.
ANOTHER POINT MADE by Reid and Acheson involves their relationship with
Moran, the company whose report first singled the two out publicly for
Gittes said Reid and Acheson had some disagreements with Charlie Moran,
head of Moran Technology Consultants, when the company was working on a
contract to help develop a student information system at OU, before it was
hired to investigate the hackings. Based on this conflict, the attorney
said, he suspects Moran may have had a vested interest in getting rid of
the two men.
"He views Todd Acheson and Tom Reid as obstacles to getting further
contracts with OU," Gittes suggested. "It's clear that Mr. Moran had it in
Reid, likewise, mentions what he calls a "clear conflict of interest on
the part of Moran Consulting," which he claims was raised as an issue by
two OU internal experts when they reviewed Moran's report.
(Gittes and Colner have both referred to the opinions of the two internal
experts, whose comments have not been seen by The Athens NEWS. The
attorneys claim the professors are highly critical of some of the
conclusions and reasoning in the Moran report. Sams said he invited the
experts' comments, read them, and took them into account in making his
decision to fire Reid and Acheson.)
Regarding the alleged bad blood between Moran and the fired officials,
Sams said that while he did hear of "a pretty spirited discussion"
involving Reid and/or Acheson over Moran's ideas about the student
information system, at the time, he didn't have the impression that it was
"I think they had agreed to disagree," he recalled, adding that Moran
"seemed more bemused by it than anything."
Moran could not be reached for comment.
Ultimately, both Gittes and Colner strongly suggested, Sams himself should
be under as much scrutiny for the computer breaches as his two underlings.
"The buck for the computer security problems does not stop at Tom Reid's
desk," Colner declared in his statement. "It stops at the desk of Ohio
University Chief Information Officer Bill Sams and the university
Gittes was even more pointed.
"You have the man who is responsible for all of these systems when this
hacking happened, making these judgments, and nothing's happened to him,"
he said. "He had ultimate responsibility for this. What's happened to
OU, however, announced last month that Sams was "stepping aside" as chief
information officer, pending the hiring of a replacement. In announcing
his decision, Sams stated in a university news release, "... it has become
clear to me that a new energy level and skill set is going to be required
in order to allow (OU's) IT organization to realize its potential.
Consequently, I recommended to the provost and the president that a search
for my successor be initiated."