The conviction of former Uber Chief Security Officer Joseph Sullivan may pose a chilling reassessment of how chief information security officers (CISOs) and the security community handle network breaches going forward.
A San Francisco federal jury on Oct 5. convicted Sullivan of failing to tell U.S. authorities about a 2016 hack of Uber’s databases. Judge William H. Orrick did not set a date for sentencing.
Sullivan’s lawyer, David Angeli, said after the verdict’s announcement that his client’s sole focus was to ensure the safety of people’s personal digital data.
Federal prosecutors noted that the case should serve as a warning to companies about how they comply with federal regulations when handling their network breaches.
Officials charged Sullivan with working to hide the data breach from U.S. regulators and the Federal Trade Commission, adding his actions attempted to prevent the hackers from being caught.
At the time, the FTC was already investigating Uber following a 2014 hack. The repeat hack into Uber’s network two years later involved the hackers emailing Sullivan about their stealing a large amount of data. According to the U.S. Department of Justice, they promised to delete the data if Uber paid their ransom.
The conviction is a significant precedent that has already sent shockwaves through the CISO community. It highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment, noted Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity platform.
“It begs for clearer policy at the federal level in the United States around privacy protections and the treatment of user data, and it emphasizes the fact that a proactive approach to handling vulnerability information, rather than the reactive approach taken here, is a key component of resilience for organizations, their security teams, and their shareholders,” he told TechNewsWorld.
Troublesome Details
A growing trend is for companies victimized by ransomware to negotiate with hackers. But trial discourse showed prosecutors reminding companies to “Do the right thing,” according to media accounts.
According to published trial accounts, Sullivan’s staff confirmed the extensive data theft. It included 57 million Uber users’ stolen records and 600,000 driver’s license numbers.
The DoJ reported that Sullivan sought the hackers’ agreement to be paid U.S. $100,000 in bitcoin. That agreement included hackers signing a non-disclosure agreement to keep the hack from public knowledge. Uber allegedly hid the true nature of the payment as a bug bounty.
Only the jury had access to the evidence of the case, so pontificating specific details of the matter is counterproductive, opined Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a provider of digital risk management solutions.
“There are some general conclusions to draw. I am concerned with the unintended consequences of this case,” Holland told TechNewsWorld. “CISOs already have a challenging job, and the case outcome raises the stakes for CISO scapegoating.”
Critical Unanswered Questions
Holland’s concerns include how this trial’s outcome might impact the number of leaders willing to take on the potential personal liability of the CISO role. He also worries about dislodging more whistleblower cases like the ones that grew out of Twitter.
He expects more CISOs to negotiate Directors and Officers insurance into their employment contracts. That type of policy offers personal liability coverage for decisions and actions the CISO might take, he explained.
“In addition, in the same way that both the CEO and CFO became responsible for corruption on the heels of Sarbanes Oxley and the Enron scandal, CISOs should not be the only roles guilty in the event of wrongdoing around intrusions and breaches,” he suggested.
The Sarbanes-Oxley Act of 2002 is a federal law that established comprehensive auditing and financial regulations for public companies. The Enron scandal, a series of events involving dubious accounting practices, resulted in the bankruptcy of the energy, commodities, and services company Enron Corporation and the dissolution of the accounting firm Arthur Andersen.
“CISOs must effectively communicate risks to the company’s leadership team but should not be solely responsible for cyber security risks,” he said.
Twisted Circumstances
Sullivan’s conviction is an ironic role reversal of sorts. Earlier in his law career, he prosecuted cybercrime cases for the United States Attorney’s Office in San Francisco.
The DoJ’s case against Sullivan hinged on obstructing justice and acting to conceal a felony from authorities. The resulting conviction could have a long-term impact on how organizations and individual executives approach cyber incident response, particularly where it involves extortion.
Prosecutors argued that Sullivan actively concealed a massive data breach. The jury agreed unanimously with the charge beyond a reasonable doubt.
Instead of reporting the breach, the jury found that Sullivan, backed by the knowledge and approval of Uber’s then-CEO, paid the hackers and had them sign a non-disclosure agreement that falsely claimed that they had not stolen data from Uber.
A new chief executive who later joined the company reported the incident to the FTC. Current and former Uber executives, lawyers, and others testified for the government.
Edward McAndrew, an attorney at BakerHostetler and a former DoJ cybercrime prosecutor and National Security Cyber Specialist, told TechNewsWorld that “Sullivan’s prosecution and now conviction is groundbreaking, but it needs to be understood in its proper factual and legal context.”
The government recently adopted a much more aggressive policy toward cybersecurity, he noted. This impacts white-collar compliance, where organizations and executives are increasingly cast into the simultaneous and disparate roles of crime victim and enforcement target.
“Organizations need to understand how the actions of individual employees can expose them and others to the criminal justice process. And information security professionals need to understand how to avoid becoming personally liable for actions they take in responding to criminal cyberattacks,” McAndrew cautioned.