Bill Murray, one of the pioneers of the information security industry, is among a pair of speakers who withdrew from this fall's CSI conference upon learning Frank Abagnale was also presenting. Here is a copy of his letter to the real "Catch Me If You Can" conman explaining his actions.
As a participant in this dispute, I received a copy of Ira Winkler's column and your response. I regret that you find yourself in this position. While I appreciate your offers of remedies and take them as evidence of your good intentions, I think they go beyond what is necessary or indicated. However personally you take Ira Winkler's column, you are not the target or the cause and no remedy is expected of you. I think that Ira's article may put the emphasis in the wrong place. As one of those who withdrew, I would like to [offer] my position. I hope that it is one with which my colleagues identify and that you can appreciate.
My, not to say our, dispute is not with you or about you but with the organizers and about us. It is not personal but professional. It is about our ambitions and aspirations for our infant profession. The popular press and our potential principals seem all too ready to identify us with our adversaries and to refer to rogue hackers as "security experts." It is not sufficient that we behave ethically but also necessary that we be seen to be ethically scrupulous.
We have a unique problem in the information security business that
The CSI organizers are show business people, not security people. One can understand that they might not appreciate our sensitivity. . . . I do not believe that the organizers engaged you for your knowledge, or even your entertainment value, so much as for your notoriety and romantic image. Those of my colleagues who withdrew from the program exercised the only limited leverage with them that we have. I think that engaging you represented an error in judgment on their part, one that I would not like to see repeated. For whatever weight it carries with them, they are not likely to forget how we feel about it.
For most of my 40-year career I have systematically and consistently refused to participate on programs with known rogues and felons. At first it was because it was a condition of my employment. As I became more independent, it was to protect my professional reputation. Now it is to protect the profession. Most of the senior members of the profession have followed this policy; I consulted some of them before making my decision. One of my colleagues told me that he has refused to appear on four different programs on which you were featured. My principals adhere to this policy; they did not want me to appear and withdrew as exhibitors. My professional associates did not want me to appear. A fellow (ISC)2 board member also withdrew and (ISC)2 withdrew as an exhibitor. They did so as a matter of routine under established policy.
To appear with rogues in any professional capacity or forum grants to them a degree of professional recognition that they have not earned and do not deserve; it identifies us with them. If we do not observe the distinction, we can hardly expect our employers and clients to recognize it. If they do not recognize it, we can hardly expect them to grant us the degree of trust required for us to serve them or for them to even engage us. Appearing with rogues sets a poor example for our younger and less experienced colleagues and sends a message to the script kiddies that society is all too ready to forgive any "youthful indiscretions." All they need do is repent and society will welcome them to professional practice. It reinforces their belief that their special knowledge trumps decades of experience, professional contribution and good behavior. I would no sooner appear with them than I would recommend them to an employer.
We are not alone in our choice of remedies. The traditional, established, learned and licensed professions, to whose ranks we aspire, enforce a similar policy on their members. A lawyer may not engage in a partnership or accept an equity investment from a non-lawyer, much less from a felon. Impersonation of a lawyer or physician automatically and permanently bars one from credentials in those fields.
While I acknowledge your 30 years of good behavior, that behavior was the license, not the reason, for engaging you. At least privately, the decision makers admit as much. They wanted the Frank Abagnale portrayed by and identified with Leonardo DiCaprio. When I write my legend, I hope that he will consent to play me too. However, I confess that I was troubled by the romantic portrayal in "Catch Me If You Can." This is a portrayal with which rogue hackers are all too ready to identify. Many are young, most are immature, all are ethically challenged and skilled at rationalizing their antisocial behavior. I was also troubled by the idea that the FBI was conned. I understand that the FBI's hands are not entirely clean and that they will never confirm or deny the legend. While my colleagues who are former FBI agents are not in a position to confirm or deny it, all seem embarrassed by it.
While it did not figure into my decision not to appear, I was embarrassed that you were given a position on the CSI program that I have held four times and that I had always considered to be an honor granted for professional leadership. Indeed, I used it as a credential for a generation before there were other credentials available to professionals in our space. It no longer has the value to me that it used to.
Except to announce my withdrawal, I have, until now, been silent on this issue. I have refused to be engaged on it. I do not want to get into a debate on it now. While I would just as soon that Ira had not written [about it], I confess to ambivalence about whether silence is the best course.
William Hugh Murray, CISSP
Executive Consultant, Cybertrust
Associate Professor, Naval Postgraduate School
Member of the Board, (ISC)2
Chairman of Professional Practices, (ISC)2
This was first published in December 2004