The Question is Also One for the Legal Team to Own, Says Uber’s Former CSO
Trick question for CSOs: When does a security incident qualify as being a data breach, triggering notification or other regulatory rules?
The answer is that it’s “a very complicated question” that cybersecurity leaders should leave to their legal team while they stay fully in the loop, said former Uber CSO Joe Sullivan, sharing lessons learned from the U.S. Department of Justice’s successful prosecution against him.
With a company such as Uber having to comply with numerous regulations across the 100 countries in which it operates, “there’s no possible way that any of us in operational roles could be able to keep up with that, and so we shouldn’t even try,” he said. “I didn’t even try and I wouldn’t even try.”
Rather, “in the same way I would expect the AppSec engineer on my team to know AppSec a lot better than I do, I would expect the lawyer who’s assigned on my team to know their space, and we have to come together as a team to get to the right outcome,” he said (see: Uber Ex-CSO’s Trial: Who’s Responsible for Breach Reporting?).
Sullivan’s observations, shared in a podcast interview conducted by Steve King, a long-time CISO who now heads Information Security Media Group’s CyberEd.io cybersecurity education platform, are pertinent because in October 2022, after a four-week trial, a federal grand jury found Sullivan guilty of obstruction and misprision of a felony, which refers to knowing something is a felony and covering it up.
Sullivan’s crime wasn’t that a breach happened on his watch but that he obstructed an ongoing federal investigation by the Federal Trade Commission into Uber’s data security practices in the wake of an earlier data breach in 2014. The government said that as the officer designated by Uber to answer the FTC’s questions, he should have notified them about the 2016 breach, which occurred 10 days after he’d provided sworn testimony to the agency.
The government’s case hinged in part on Sullivan and his team securing a nondisclosure agreement with attackers. Prosecutors accused the former Uber CSO of using the NDA and a supposed bug bounty to cover up the 2016 hack attack that resulted in the theft of 57 million user and driver records as well as 600,000 driver’s license numbers from the publicly traded company.
Sullivan said that throughout the 2016 hack response, his team was being advised by a member of the legal team – subsequently granted immunity by prosecutors – whose boss was in charge of the privacy team and also oversaw the lawyers handling Uber’s response to the FTC.
Text messages submitted as evidence during the trial showed Sullivan had discussed the attack, data theft and proposed bug bounty payment with Uber’s then-CEO, Travis Kalanick.
Uber’s subsequent CEO, Dara Khosrowshahi, entered into a non-prosecution agreement with the DOJ, and the company assisted its case. Kalanick was not charged. Neither Sullivan nor Kalanick testified at the trial. Sullivan is appealing the verdict.
The case against Sullivan was a watershed, in that it was the first-ever federal prosecution for a CSO over how he or she handled a data breach, seemingly assigning ultimate responsibility for the breach not to a senior corporate officer but instead to the CSO (see: After the Sullivan Verdict: A CISO’s Guide to Avoiding Jail).
No Jail Time
Prosecutors recommended a 15-month sentence for Sullivan. In May, based on testimony during the case and the over 200 letters he received attesting to Sullivan’s good character and service to the cybersecurity community, U.S. District Judge William H. Orrick instead sentenced the former CSO to three years of probation and to pay a $50,000 fine. He lauded Sullivan and his team for having contained the security incident.
Based on testimony delivered during the trial, Sullivan said that at his sentencing hearing, the judge had acknowledged that the impetus for the NDA wasn’t to cover up the breach. Instead, he said, it was used to try to contain the damage as well as identify the attackers, be they a nation-state group, organized crime or – as in this case – a man in his late teens and another in his early twenties who had been finding vulnerabilities in corporate networks and demanding money in return for what they had learned.
Sullivan said his “attribution playbook,” developed in part during his time prior to Uber when he served as Facebook’s CSO, involved constant communication with attackers. “You force them to go through different platforms as part of the communication and/or payment, and sooner or later, odds are that they’re going to screw up and expose an IP address or something.”
That’s what happened with the two men who stole data from Uber, communicating to the company as “John Dough” that they wanted $100,000 in exchange for sharing details of the vulnerability and a promise to delete the data.
Uber’s security team told them that to receive a bug bounty, they needed to sign an NDA, and they received a request to do so via an online document-signing service. “They weren’t able to figure out how to block their origin IP address,” Sullivan said, which led to their unmasking.
“We were able to find them, locate them,” he said, adding that he and his team “felt like we had achieved the right outcome in terms of protecting our customers and their data.” The two hackers later pleaded guilty to hacking charges.
The guilty verdict against Sullivan triggered concerns among CSOs, who typically don’t hold directors-and-officers liability insurance. Legal experts now recommend that they do so, while adding that the unique facts of the case did not create any security-specific precedents.
Even so, Sullivan said, security leaders have told him that the case has made their already difficult jobs harder, and made them worry not just about risks to their organization but also to themselves, which are “all bad things from my case, that, you know, I partly at least caused.”
Following the guilty verdict, Sullivan quit his job as CSO of Cloudflare, saying the company had been “very supportive, but there’s only so much you want to ask,” and that he could no longer serve in that role after being convicted of a felony.
In short order, the same recruiter who had landed him the gigs at Uber and Cloudflare turned his desire to volunteer in support of Ukraine’s defense into a new job opportunity, as CEO of Ukraine Friends, which supports refugees as well as civilians still in Ukraine. One of the U.S.-based nonprofit organization’s efforts involves repurposing laptops and sending them to Ukraine for students to use in schools – if they’re lucky enough to attend in person – or for remote schooling.
“We’ve had companies, small startups, donate 10 laptops, and big companies donate hundreds of laptops, and every single one makes a difference because each one changes the life of a kid,” Sullivan said.
Leadership Lessons Learned
What advice does Sullivan offer to individuals now serving as CSOs?
For starters, he lauds anyone who goes into the profession, which he said is filled with people “who want to help people.” Praise will often be scant for security teams, and the rest of the business often does not know just what they do or what they actively prevent. Nevertheless, he said, security leaders can have a demonstrable impact on those around them.
“If you’re a security leader, remember that you’re a leader, and the littlest thing you do to help someone else makes a huge impression on them,” he said. “That was the thing that I came to appreciate from the case: I didn’t remember half the things people wrote about in the letters, but I’d made impressions, because I was a leader of their team or I was a leader of a department that was adjacent to theirs or I’d hosted their son for lunch and explained my profession, or all those little things that you do. They add up and make a difference for others, and you should always make time to do them. That’s what I learned.”