On Wednesday, an ex-Uber CSO was found guilty of federal charges related to payments he secretly approved to hackers who broke into the ride-hailing company in 2016.
For concealing the breach from the Federal Trade Commission, which was looking into Uber’s privacy measures at the time, Joe Sullivan was found guilty of obstructing justice and intentionally concealing a felony.
The Sentencing
A federal jury found Sullivan guilty on two counts stemming from his attempt to hide a security breach at Uber in 2016, during which hackers obtained the personal information of 57 million users and 600,000 Uber drivers.
After a 2014 hack resulted in the exposure of the names and driver’s license information of 50,000 users, Uber was ordered by the Federal Trade Commission to notify all breaches.
Instead, Sullivan gave the two hackers a $100,000 payment and forced them to sign nondisclosure agreements without telling the FTC. He described the payments as a bug bounty to defend them.
Prosecutors said Sullivan “took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach.”
According to Assistant U.S. Attorney Andrew Dawson, the government requested that the judge impose a 15-month jail term. In addition to his three-year probation, Sullivan will be subject to travel restrictions, a $50,000 fine, and community service.
Sullivan was not sentenced to any prison time by William Orrick, a federal judge for the Northern District of California, following a contentious hearing featuring heated discussions about how cybersecurity leaders should treat law enforcement inquiries.
In addition to defending Sullivan’s actions, Orrick claimed to have received 186 letters, at least one of which was signed by more than 50 chief information security officers (CISOs), that claimed the case had a greater chilling impact on the whole cybersecurity industry.
Numerous CISOs have stated that Sullivan was inadvertently used as a scapegoat by then-Uber-CEO Travis Kalanick and internal Uber attorney Craig Clark, both of whom were made aware of the hack six hours after it occurred.
Dawson declined to respond to Orrick’s inquiry on why Kalanick had not been charged in connection with the event during the hearing. Orrick said that Kalanick was “at least as culpable as Mr. Sullivan” and remarked on how odd it was that the former CEO of Uber penned a letter in Sullivan’s defense yet did not show up in court for the whole of the trial.
Orrick and Dawson disagreed with how CISOs and other members of the cybersecurity sector viewed the case, contending that the case should have been centered on attempts to obstruct justice and conceal a data breach that would have had a significant impact on millions of people’s lives rather than the difficult decisions that CISOs must make when a breach occurs.
“The subtext of some of the letters that I received was that if I sentenced Mr. Sullivan to a custodial sentence, that they would be afraid of doing their jobs because they might make the same kind of choice that Mr. Sullivan did, and be afraid of going to prison. And I’m not sure that they understand what the facts are,” Orrick said.
“The harm to the FTC and the public from what Mr. Sullivan did was very real. An intentional failure to disclose and concealment should be prosecuted and just punishment should be rendered. Before I read the CISO [letters], I was thinking that the felony conviction was enough to satisfy the terms and certainly many of the letters that I received reflected that. That wasn’t clear from a lot of the letters either. And I’m not sure what obligations they understand they have when they’re faced with a situation akin to this one. And I think that’s perhaps because they don’t understand the full facts of this case.”
According to Dawson, Sullivan deserved a prison sentence because the case was “not about the particularities of bug bounties or any of the cybersecurity techniques that arose here.”
According to Dawson, a prison sentence would demonstrate to CISOs that they were responsible for ” doing what the law required” rather than “what the company wanted.”
“From our perspective, this is much better thought of as an obstruction of justice case,” Dawson explained.
However, Dawson could not offer comparable cases requiring prison sentences, and Orrick highlighted that the material acquired was never disclosed beyond the initial hackers.
Sullivan’s lawyer acknowledged that some of the letters from CISOs said many are “scared that if they just do their jobs, they’re going to be prosecuted.”
But he argued that the case alone had a “huge impact on the cybersecurity community” and has been “the subject of frequent executive team conversations and panel discussions at industry seminars.”
“It has been a significant driver of efforts to change policies and practices to err on the side of disclosure, even when the legal requirement to do so remains unsettled,” Sullivan’s lawyer said.
Sullivan Admitted Some of His Culpability
In a lengthy back-and-forth with Orrick, Sullivan admitted some misconduct. Still, the judge expressed concern that CISOs were misinterpreting the case due to their private meetings with Sullivan.
Sullivan mentioned that he had previously collaborated with the FTC as a former prosecutor and acknowledged that he would have “done a lot of things differently,”—including requiring that former Uber attorney Clark bring in another attorney for advice.
Since the ruling, Sullivan claims he has spoken with other CISOs and instructed them all to “demand transparency” from their companies and resign if they receive no response. Sullivan continued by saying that his conduct was detrimental to his family and colleagues in the cybersecurity industry.
“I put myself in a position throughout my career where I could have been a good role model in this case, and instead I was a bad role model. A lot of security executives don’t get to the level that I get to, where my voice was actually heard inside the company,” he said.
“And I think that may be why some [CISOs] are afraid, because they don’t think they have the strength to stand up in those situations. But I had the chance and I had the strength, but I didn’t. I failed in this case. I should have fought for transparency.”
In an apparent reference to Sullivan’s case, Deputy Attorney General Lisa Monaco urged cybersecurity and compliance leaders to continue engaging with law enforcement authorities last week.
Monaco told the audience at the RSA Conference that her agency has worked to expand its collaboration with CISOs and compliance officers, many of whom require law enforcement in critical instances such as intrusions. However, she stated that law enforcement has to “make sure that that trust is not broken.”
Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus