Former Uber CSO Joe Sullivan and lessons learned from the infamous 2016 Uber breach – Source: www.csoonline.com

Like most CSOs, Joe Sullivan was drawn to the role to help prevent cybercrimes. His role as CSO of Uber was something of a shift from his previous job prosecuting cybercriminals as an assistant US attorney, but closer to the tip of the cybersecurity spear. As a top-level professional in the business of defending against the bad guys, it was unexpected and not a little ironic that he would find himself on the other side of the justice system.

On May 4, 2023, Sullivan was sentenced to three years of probation for felony obstruction and misprision for not reporting a 2016 breach at rideshare and delivery company Uber that threatened to expose the data of 600,000 drivers and the personal information associated with 57 million riders. In an interview with CSO, Sullivan said he’s less concerned with his personal fate than the possibility that the entire episode will cause CISOs to become more concerned about protecting themselves from aggressive prosecution than protecting their organizations.

“It would be a tragedy if the outcome of this case was the opposite of what prosecutors intended, and security leaders grow more concerned about the risk to themselves than managing risk for the victims,” Sullivan tells CSO. “Our goal as a community should be for security leaders to become more empowered, more resourced, and more championed under the leadership of their companies.”

Sullivan verdict caused anxiety for cybersecurity professionals

Sullivan’s case has caused much anxiety among cybersecurity professionals, spurring fears that they themselves could face legal penalties for simply doing their jobs. But it has also galvanized the community. Sullivan stresses his gratitude for the hundreds of letters of support he received, which he says helped him through the most difficult times. His lawyers forwarded 186 of those letters to sentencing judge William Orrick, which he feels is the key reason he didn’t go to prison (although the sheer volume of letters annoyed the judge, who said at sentencing that he never received so many letters of support in past cases).

The letters cited Sullivan’s exemplary record as a steadfast cybersecurity champion with a reputation for stepping into growing e-commerce companies, including eBay and Facebook, and building out their security and privacy programs. There were letters stating that Sullivan’s work at those companies had put numerous fraudsters and child predators behind bars. And they also pointed to his community service and outreach (for example, currently he is CEO of the nonprofit Ukraine Friends).

Fear and confusion about liability for CSOs

The letters also reveal an underlying sense of fear and confusion around the shifting issue of who is liable for the handling of breaches. Some state that, if the point of this case is deterrence (motivation to err on the side of caution in breach reporting), then, message received. Many explain how difficult the role is, how dynamic breach response can be, and the lack of clear federal guidelines for breach reporting.

The excerpts below are from a single letter, “Exhibit 19,” originally dated February 27, 2023, and signed by nearly 50 cybersecurity executives:

“A prison sentence would negatively impact our industry, as well as the security of companies and consumers worldwide, by making it too personally risky to make the difficult judgment calls in unique situations, which this line of work requires.

“This case suggests that we could face both criminal and civil liability if we, for example, defer to general counsels’, CEOs’, or other officers’ decision-making authority about disclosure obligations or other difficult decisions, which turn out to be improper in retrospect.”

“(Sullivan’s) case has had a huge impact on the cybersecurity community. It has been the subject of frequent executive team conversations and panel discussions at industry seminars, and a significant driver of efforts to change policies and practices to err on the side of disclosure, even when the legal requirement to do so remains unsettled.”

Frightened security executives a bad outcome

One of the signatories to that letter was Chenxi Wang, an experienced cybersecurity executive and managing partner at Rain Capital, which invests in cybersecurity startups. “This case is a wake-up call to all CISOs. And as a result, CISOs are already looking at better processes and controls for response and reporting, which is what you want to do anyway,” she says. “But you don’t want security executives fearing their jobs and responsibilities. That is a bad outcome to have happen.”

In his statements at the sentencing hearing, prosecuting attorney Andrew Dawson was unsympathetic to the CISOs who wrote on Sullivan’s behalf. Pointing out the above letter, he said: “The impression is no crime occurred here. This is a tough industry, tough decisions are made, maybe this was a good-faith mistake but that’s all it was. Unless there is some rampant industrywide interest in obstruction of justice, the lessons of this case are … follow the law, follow the rules, don’t withhold information from an active, ongoing investigation.”

A key point of confusion arises over when not reporting a breach becomes obstruction and misprision, especially when there is pressure on CISOs to avoid disclosing information about breaches and breach response that could create even more vulnerabilities for attackers to exploit.

In a letter to the sentencing judge, Samuel Levine, director of the Bureau of Consumer Protection at the US Federal Trade Commission put it this way: “As a consequence of defendant Sullivan’s actions, FTC staff were forced in 2017 to reopen their completed investigation of Uber’s data security practices and renegotiate a then-pending proposed consent agreement related to a similar data breach of Uber in 2014.”

Should the CSO ultimately be liable in such cases?

Another point of confusion: why was the CSO held liable and accused of a coverup when paper trails show that Sullivan had set up an incident tracker for the response team and had informed and deferred to Uber’s CEO at the time, Travis Kalanick, and Uber attorney Craig Clark, who led Uber’s legal response to the 2016 incident? Orrick, who called this case “unprecedented,” pointed this out in court, based on the sentencing transcript. “I remain perplexed that Mr. Kalanick wrote a letter on Mr. Sullivan’s behalf, and he [Kalanick] was not present in this case. I am left with the impression that he was at least as culpable as Mr. Sullivan, and nobody brought him to court.”

This question was also raised in a Law360 legal review, published May 17, which focused on how unusual it was that neither Kalanick nor Sullivan’s in-house counsel Craig Clark appeared in court, noting that Clark received government immunity in exchange for testifying.

“I’ve thought about this a lot. If you’re a person who’s never sat in the seat of the CSO, the natural conclusion is the person to blame is the person in that title,” Sullivan says. “CSOs are not holding the scale though, the CEO is. CSOs can make recommendations, but they are not the ultimate decider of that — unless we pull the parachute rope and eject ourselves from the plane as a whistleblower, which is not the option that most people are taking. Their hope is they can continue to make a difference where they’re at.”

It was Clark who had recommended not reporting the breach because Sullivan’s team was able to retrieve the data before it leaked on the dark web. And that begs another question: is reporting required if the hackers were caught and their systems expunged of the sensitive data before it leaked to the dark web?

Breach reporting guidelines still not clear

The judge acknowledged Sullivan’s efforts in containing the breach and retrieving the stolen records by tricking the two hackers to sign an NDA and using that to track their IP addresses, providing evidence that was later used to convict the hackers of conspiracy to commit extortion. (They are now awaiting sentencing in the same district court of Northern California in which Sullivan was tried.) But the judge also said that because of the failure to report in 2016, their arrests were delayed until 2017 when the breach was reported by Uber’s new leadership.

Everyone following this case has an opinion about whether Sullivan was right or wrong in the decisions he made. But as details of the case reveal, the answer is not so black and white. Sullivan’s background as a former assistant D.A., that Uber had been vilified at the time for past scandals, and the glaring lack of federal guidance for breach reporting all had some bearing on the case and its outcome.

“In fairness to CISOs, there’s not a lot of guidance about what to disclose to whom and when, and every state has a different law. These can be tough judgment calls — you’re in a bind, and it isn’t easy to figure out what to disclose to whom, especially at a company like Uber,” says Rob Chesnut, formerly chief ethics officer at Airbnb and author of the book, “Intentional Integrity: How Smart Companies Can Lead an Ethical Revolution.”

Chesnut, who spent a year on Uber’s safety advisory board from 2015 to 2016, says he firmly believes “that the general counsel is the one who should be responsible for making the legal decision about whether to report a breach, and it’s strange that Uber’s general counsel claimed to know nothing even though an Uber lawyer was deeply involved, the CEO was well informed, and so much of the company’s engineering team was working on the fix to the breach.”

Hard lessons learned in the Uber breach case

Chesnut advises CISOs to maintain a close relationship with general counsel, and ensure that there is a group effort, including outside counsel, to make such decisions. Sullivan said as much during the sentencing hearing when he told Orrick that he should have informed general counsel, even though he, the CEO, and general counsel were all traveling on other Uber business at the time of the breach. Sullivan also admitted that he should have sought outside counsel beyond Uber’s own lawyers. Chesnut advocates having outside counsel lined up for cases like these, along with setting up a documented chain of command and then practicing reportable breach scenarios in tabletop exercises.

In the early 2000s, when he was senior vice president of safety at eBay, Chesnut recruited Sullivan from the Department of Justice into a senior director role in his group. He recalls how Sullivan was personally involved in the capture and prosecution of cybercriminals trying to victimize eBay users, and how he was frequently on planes to places like Romania. Later, at Facebook, Sullivan gained a reputation for his work in child protection, catching and testifying against numerous pedophiles who ended up serving jail time.

Uber’s culture could have played a role in the outcome

What changed? Chesnut hypothesizes that the secretive culture at Uber may have overridden Sullivan’s inclinations. However, he adds, “The idea that Joe should be solely responsible for this is wrong. He was responsible for allowing the CEO’s decision to stand. But he was clearly scapegoated as the new incoming Uber CEO was trying to clean up Uber’s reputation in the public eye.”

Uber is based in San Francisco, California, home to the consumer privacy act. California law requires a business or state agency “to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.” The law does not say that organizations don’t have to report if the company manages to retrieve that data before it is spread on the dark web — which was the argument Clark used and Sullivan accepted for not reporting the breach to regulators.

Easier to be a whistleblower than report?

Based on California law, Uber should have reported; if not, then Sullivan should have reported. As things turned out, it would have been much easier to be branded a whistleblower against Uber than trying to pick up the pieces of his life after a felony charge and conviction.

The moment the charges were filed, his banks and insurance companies dropped him. He had to maneuver to protect his three kids who were reading about him on social media. And now, returning to the work he loves as CISO will be forever in question. “I’ve been under this anxiety for such a long time. I had underestimated the outcome at every stage. Finally, I prepared myself mentally to go to prison. And now it’s time to figure out the reality of what I can and can’t do under the terms of my probation.”

Sullivan wants to use his case to rally security leaders to work together and with lawmakers to clarify reporting rules and liability and to finally draft a national data breach and reporting law. He would also like to advocate for more support and nurturing for CISOs at the board level, and in turn, promote transparency between security and leadership.

As this Uber case shows, don’t expect leaders to play fair when their own reputations or their freedom is on the line. Because, as Orrick noted in the sentencing hearing: “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison.”