
Trial of former Uber exec could have ramifications for every CISO, industry execs warn

Lawyers for Joe Sullivan claim Uber chose its chief of security as a fall guy.

Matt Anderson/Getty Images


At least some cybersecurity execs are concerned that the ongoing federal trial of Uber’s former chief of security, Joe Sullivan, could have ramifications across the industry, according to the Wall Street Journal and the New York Times. Yet support for Sullivan isn’t universal.

Sullivan, a former federal prosecutor who is now chief security officer at Cloudflare, is facing charges of criminal obstruction for allegedly helping to cover up a 2016 breach that exposed data on 57 million accounts, including 600,000 drivers’ license numbers. As the trial began on Sept. 7, prosecutors argued that Sullivan sought to avoid reporting the incident as a security breach to the Federal Trade Commission, which the FTC says Uber was legally obligated to do, thanks to an ongoing agency investigation of a prior Uber hack.

Instead, they say, Sullivan directed the hackers to a bug-bounty program intended for white-hat hackers, asked them to sign NDAs, and paid them $100,000 in bitcoin.

Sullivan’s attorney, David Angeli, has insisted his client fulfilled his legal obligations by reporting the incident to Uber’s legal team, the Times wrote, and claims Sullivan was merely “scapegoated” by Uber. Sullivan was fired by Uber in 2017. In 2019, the two men who breached Uber in the first place pleaded guilty to extortion and hacking charges, and the next year prosecutors went after the former chief of security. The Department of Justice dropped wire fraud charges against Sullivan earlier this year.

Okta’s cybersecurity director, Marc Rogers, told the Journal that CSOs rarely handle incidents by themselves but rather serve as “the figurehead for security and [are] often the one on the hook.” Former AT&T CSO Edward Amoroso told the paper, “Criminalization of the reporting decisions Joe made will not help to advance” cybersecurity, adding how Sullivan handled the matter “should be an open debate held across the security community, not in a court.”

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

“Because [cybersecurity] is relatively young, we don’t have that body of law and body of knowledge that’s derived over time to know where the line is,” Steve Zalewski, former CISO at Levi Strauss, told the New York Times. “Bad guys are attacking us every day. We’re just trying to defend the company.”

Conversely, Equifax CSO Jamil Farshchi (who took the role after a notorious breach exposed data on nearly 150 million people) accused Sullivan sympathizers on LinkedIn of “tribalism.”

“[T]he key lesson here is one that almost every CISO has experienced firsthand: when faced with a lose-lose decision, do the right thing (or at least the lawful one),” Farshchi wrote.

The 2016 incident took place while former CEO Travis Kalanick, whose tenure saw Uber develop a reputation for scandals it has yet to shake, was still in charge. Yet Angeli told the Times that some 30 other people were aware of the breach, and that current CEO Dara Khosrowshahi sat on knowledge of it for three months before Uber publicly disclosed it in November 2017. (Khosrowshahi, testifying during the trial, stated that Sullivan presented a misleading account of the hack’s scale and characterized the months-long delay as necessary to acquire a “full fact base.”)

Uber declined to comment on the trial to IT Brew.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.