A jury yesterday found former Uber security chief Joe Sullivan guilty of covering up a massive data breach; the conviction makes Sullivan likely to become the first executive to face prison time over the mishandling of a cyberattack.
According to The New York Times, in 2016, while the Federal Trade Commission (FTC) was investigating an earlier breach of Uber’s computer systems, Sullivan learned of a subsequent compromise that affected more than 57 million Uber accounts. According to prosecutors, Sullivan broke multiple laws when he failed to disclose the subsequent breach to government regulators; a federal jury in San Francisco consisting of six women and six men yesterday convicted him of two crimes: obstructing the FTC’s investigation and acting to conceal a felony from authorities.
Stephanie M. Hinds, the U.S. attorney for the Northern District of California, said in a statement: “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
While I certainly agree both that illegal conduct should not be tolerated, and that Sullivan crossed red lines with his behavior in this particular case, I do wonder how well justice is truly being served.
While there are state laws requiring the disclosure of various data breaches, there is no specific, clear federal counterpart that details what, when, and how a CISO must disclose in such matters. Furthermore, CISOs of large companies rarely, if ever, decide on their own what data to reveal or not to reveal, or to whom to reveal it; as they do with the many other legal and regulatory matters related to breaches, CISOs consult with lawyers and others within their firms about what to do.
While Sullivan himself was an attorney, he did, in fact, consult with an Uber lawyer vis-à-vis how to handle the second breach; instead of being prosecuted, however, the attorney in question – who was fired by Uber for his role in the matter – was given immunity by federal prosecutors in exchange for testifying against Mr. Sullivan. Court documents also show that Uber’s then-CEO was well aware of the second breach – the CEO even approved a $100,000 payment to the hackers involved, an act that may have been part of an effort to disguise the breach as if it were part of a white-hat bug-bounty program.
Should Sullivan really lose years of his life to a prison cell if he followed Uber’s internal legal advice that suggested that under the then-current circumstances there was no requirement to disclose the hack?
Is he alone really the culprit?
While the particulars of this case may or may not have justified Sullivan’s double conviction – the verdict is being appealed – the unforeseen ramifications of the verdict may, in fact, harm cybersecurity more than help it.
Serving as a Chief Information Security Officer is a daunting task. I can tell you this firsthand. You never get thanked when things go well, and you always get blamed when things go wrong. You can succeed at stopping 99.9999% of all attacks – but, you will still be blamed harshly if .0001% get through. You work around the clock, and are never really off duty. There is a reason that the rate of turnover in such roles is so high – CISOs burn out quickly.
If CISOs can be criminally prosecuted for their actions subsequent to a breach, and the corporate attorneys who are supposed to guide those CISOs through the related legal matters can be given immunity in exchange for testimony against them, what does that do to the trust that CISOs need to place in their attorneys at such critical moments? And, when we already face severe shortages of qualified, talented senior security managers, do we really want our “best and brightest” to fear serving in CISO positions? The role already brings “damned if you do, damned if you don’t” situations: revealing data that a corporate lawyer says you should not reveal can easily destroy your career and expose you to the great expense and heartache of lawsuits from your former employer, while not revealing the same data can now potentially land you in prison.
I also wonder whether the present verdict will frighten some organizations that, for security reasons, should be bringing the CISO and other senior-level security roles in house into refusing to do so.
Time will tell how this verdict impacts the cybersecurity field; one thing is clear, however: it will have an impact.