Reading into the situation a little further, different sources report the average time for early release between 49 and 55 days. Reportedly, only 3% of inmates were released early because of the flaw. So the problem could definitely be worse, but the point to remember here is that it never should have happened in the first place.
There's another angle here that nobody has talked about yet. Did any inmates serve too much time because of the error? If so, they are entitled to compensation, even if they only served a day longer than they should have. Furthermore, the governor has ordered that all releases under the program be suspended until the dates can be tallied by hand. Under the circumstances, this seems reasonable. That is, of course, unless you are supposed to be released and are now sitting in prison because for three years the DOC failed to patch faulty software and is now relying on hand calculations (which are more likely to result in error than properly written computer code). This is unreasonable and likely to result in civil lawsuits against the state and those specifically responsible for delaying the fixes.
Side note: this is an interesting sand table exercise for your organization. Who, if anyone, might be named personally in a civil suit if delaying the implementation of certain controls results in harm and litigation? Attitudes change very quickly when individuals are named in lawsuits alongside the organization they represent.
At Rendition Infosec, we always tell clients that when we smell smoke, it almost always means fire. This software flaw, and the cavalier attitude towards security that left it unpatched for three years, definitely constitutes smoke. I'll bet the money in my pocket that there are numerous other logic and security flaws in the software. Logic flaws are always the hardest to detect, since finding them requires in-depth knowledge of the application. But any program that lacks the resources and leadership to implement a fix impacting public safety probably doesn't have a very good grasp on computer security either.
This is a great case where heads should roll. I'm not generally for firing people in response to infosec fails. Playing the blame game rarely sets the correct tone for a security program. But in this case, I think we can make an exception. If you know about a security fail, particularly one that impacts public safety, and fail to act, you should be out of a job. Period. End of story. The failures here are ridiculous. The WA DOC needs a top-to-bottom review of its information security programs to find out:
- What other vulnerabilities exist that were previously documented but not acted on
- What currently unknown vulnerabilities exist
DOC can't do this internally either. It's clear that management there is incapable of prioritizing and acting on even the most grievous issues. I hope that the state inspector general (or equivalent) mandates independent assessments across the DOC's information security programs to determine just how bad things are there. Experienced auditors know that what we have seen here is likely just the tip of the iceberg.
I first became aware of this problem yesterday evening via a tweet from Greg Linares. I immediately responded that Rendition Infosec would help with some free code reviews for the WA DOC if that's what they needed. Yes, I think the overall state of affairs is that serious. And I stand by that offer. If you are with the WA DOC and want some help from true professionals, not a Mickey Mouse assessment, contact me. I'm a pretty easy guy to find.