October 10, 2022

The sentencing of former Uber chief security officer Joseph Sullivan could lead to a quiet re-evaluation of how the chief information security officer (CISO) and the security community handle network breaches going forward.

A San Francisco federal jury convicted Sullivan on October 5 of failing to tell US officials about the 2016 hack of Uber’s database. Judge William H. Orrick did not set a date for sentencing.

Sullivan’s lawyer, David Angeli, said after the verdict was announced that his client’s sole focus was to ensure the security of people’s personal digital data.

Federal prosecutors noted that the case should serve as a warning to companies about how to comply with federal regulations when handling their network breaches.

Officials accused Sullivan of working to hide the data breach from US regulators and the Federal Trade Commission, and of taking actions that kept the hackers from being caught.

At the time, the FTC was already investigating Uber over a 2014 hack. Two years later, hackers who had broken into Uber’s network repeatedly emailed Sullivan about the theft of large amounts of data. According to the US Justice Department, they promised they would delete the data if Uber paid a ransom.

The conviction is a significant precedent that has already sent shock waves through the CISO community. The case highlights the personal liability involved in being a CISO in an increasingly litigious and adversarial environment, noted Casey Ellis, founder and CTO of Bugcrowd, a crowdsourced cybersecurity platform.

“This calls for clear policy at the federal level around privacy protection and treatment of user data in the United States, and it emphasizes the fact that a proactive approach to handling vulnerability information, rather than a reactive approach, is an important component of flexibility for organizations, their security teams and their shareholders,” he told TechNewsWorld.

Problem description

There is a growing tendency for companies hit by ransomware to negotiate with the hackers. But the trial transcript showed prosecutors reminding companies to “do the right thing,” according to media accounts.

According to published trial accounts, Sullivan’s employees confirmed widespread data theft. This included the records of 57 million Uber users and 600,000 driver’s license numbers.

The DOJ reported that Sullivan arranged to pay the hackers US$100,000 in bitcoin. That arrangement included the hackers signing a non-disclosure agreement to keep the hack from public knowledge. Uber reportedly disguised the true nature of the payment as a bug bounty.

Only the jury had access to the evidence in the case, so it’s counterproductive to speculate on specific details of the case, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a provider of digital risk management solutions.

“There are some general conclusions to draw. I am concerned by the unintended consequences of this case,” Holland told TechNewsWorld. “CISOs already have a daunting task, and the outcome of the case has made the CISO a scapegoat.”

Important unanswered questions

Holland’s concerns include how the outcome of this trial could affect the number of leaders willing to take on the potential personal liability of the CISO role. He is also concerned about the prospect of more whistleblower cases, such as the escalating one at Twitter.

He expects more CISOs to negotiate directors and officers (D&O) insurance into their employment contracts. That type of policy provides personal liability coverage for decisions and actions a CISO may take, he explained.

“Furthermore, given the way both the CEO and CFO became responsible for corruption on the heels of the Sarbanes-Oxley and Enron scandals, the CISO should not be the only culpable role in the case of wrongdoing around intrusions and breaches,” he suggested.

The Sarbanes-Oxley Act of 2002 is a federal law that established comprehensive auditing and financial regulations for public companies. The Enron scandal, a series of events involving questionable accounting practices, resulted in the bankruptcy of energy, goods and services company Enron Corporation and the dissolution of accounting firm Arthur Andersen.

“CISOs should effectively communicate risks to the company’s leadership team, but should not be solely responsible for cybersecurity risks,” he said.

Twisted conditions

Sullivan’s conviction is a kind of ironic role reversal. Earlier in his legal career, he prosecuted cybercrime cases for the United States Attorney’s Office in San Francisco.

The DOJ’s case against Sullivan hinged on obstruction of justice and concealing a felony from officials. The resulting conviction could have a long-term impact on how organizations and individual executives approach cyber incident response, particularly where extortion is involved.

Prosecutors argued that Sullivan actively concealed the massive data breach. The jury unanimously agreed with the allegation beyond a reasonable doubt.

Instead of reporting the breach, the jury found, Sullivan, with the knowledge and approval of Uber’s then CEO, paid the hackers and had them sign a non-disclosure agreement that falsely stated they had not stolen data from Uber.

A new chief executive who later joined the company reported the incident to the FTC. Current and former Uber executives, lawyers and others testified for the government.

Edward McAndrew, an attorney at BakerHostetler and a former DOJ cybercrime prosecutor and national security cyber expert, told TechNewsWorld that “Sullivan’s prosecution and now conviction is unprecedented, but it needs to be understood in its proper factual and legal context.”

He said that the government has recently adopted a very aggressive policy toward cybersecurity. This affects white-collar compliance, where organizations and executives are increasingly cast in the simultaneous but separate roles of crime victim and enforcement target.

“Organizations need to understand how the actions of individual employees can expose them and others to the criminal justice process. And information security professionals need to understand how to avoid becoming personally liable for the actions they take in response to criminal cyberattacks,” warned McAndrew.

Will this deal be the one that breaks Elon Musk? He is a risk taker, which has proved to be a good thing in many ways. Businesses such as Tesla, SpaceX and Starlink would have either failed or never launched successfully without him.

However, much of his business is also at risk, often because of Musk’s own moves. Tesla sales, for example, appeared to be falling off a cliff when Musk first announced his desire to acquire Twitter and make changes that Tesla buyers disagreed with. That episode demonstrated a relatively strong correlation between Musk’s behavior, good or bad, and the success of those businesses.

The Twitter acquisition is going to get ugly. The company was already in operational trouble when Musk launched his hostile takeover, which caused further damage. Now he is paying full price for something that was not only damaged to begin with, but was damaged further by his first, unsuccessful attempt.

Let’s talk about the good and the bad (lots of bad) with this Musk/Twitter deal. On one hand, it could have saved Twitter. However, cascading failure is more likely to start across all of Musk’s firms.

We’ll close out with our product of the week, a new discrete graphics card from Intel, the Arc A770 Limited Edition, that promises to shake up the graphics card market.

‘Bridgerton’ analogy

Thanks to some comments on “Dancing with the Stars” this month, I was thinking about the “Bridgerton” TV series this week. It is a light drama that revolves around the old English matchmaking system.

In that framework, Musk would be a nobleman who decides to marry the daughter of another aristocrat who is in financial trouble, regardless of the wishes of the other noble or the daughter. Musk then uses threats to do even more harm to his potential in-laws, forcing them to agree to the union. He then changes his mind and disparages the family, especially his potential bride, to such an extent that no one else will marry her.

The disgraced family takes him to task in front of the Queen, who appears to be on the side of the bride’s family, and Musk then decides that he will go through with the wedding. The Queen is happy, and the bride’s family is happy, but the bride now faces marriage to a man who does not know her, has clearly decided that he does not want her, and will likely be disrespectful to her.

Think of Twitter’s rank-and-file employees as the bridesmaids. They are vilified by their potential new CEO, have no real say in the acquisition, and are likely to leave the company or focus on making Musk’s time there a living nightmare.

There is no doubt in my mind that Musk is aware of the problem, which means he will be tempted to cut too deeply. But it looks like he plans to replace the departed workers with automated technology, as his focus is on finding people who can code to run the place.

While not a bad idea, the technology he needs doesn’t yet exist, which means he won’t be able to backfill in time, making it more likely that Twitter could collapse due to inadequate staffing.

In short, a Bridgerton-like ending, where both parties discover they love each other and live happily ever after, is unlikely.

Musk’s other problems

Musk is spread thin across his companies, each of which needs the full attention of its CEO. In fact, he is more of an operational chairman of the board, in that he delegates the operations of his firms and steps in to lead when needed or when something interests him.

Twitter lives off ad revenue. In fact, it is a marketing construct. But Musk, while an expert in opinion manipulation, has shown no aptitude for marketing, so a business that relies on advertising revenue to survive is far outside his skill set.

All of Musk’s other high-profile companies make money by selling products or, in the case of Starlink, services. Advertising revenue-dependent companies are a very different animal because the people you serve are the product of the firm, while the customers are the advertisers who want access to them.

Advertisers typically don’t want their brands associated with activity they find objectionable, and that is the business basis for the kind of moderation that companies like Twitter and Facebook use. They want the revenue that controversy generates, but they don’t want controversy that damages their brand or the brands of the firms that advertise with them.

Musk’s plan to reopen Twitter to people who were banned as a result of violating Twitter’s rules would create a problem for advertisers and could sharply reduce Twitter’s associated revenue.

Cascading failure probability

Musk largely operates under the image that, although he does crazy things, he is very successful and incredibly lucky, making it unwise to bet against him.

It’s problematic if Twitter fails because it’s a high-profile company, and the nature of this acquisition effort has already demonstrated that Musk is anything but infallible.

Should it fail, Musk’s reputation for success would take a significant hit, undermining his ability to pursue venture capital, and potentially hurting the brands of the firms he currently oversees.

Instead of giving Musk a pass, the media and individual investors would see him differently from the successful leader he and his people have worked so hard to portray.

Also, Tesla sales could again take a big hit if a large number of people object to Musk’s Twitter redesign, which is likely. This comes at a time when electric vehicle competition is getting stiffer.

Potentially positive, though

Twitter is in deep trouble. It was in trouble before Musk’s bad decisions made things worse for the company. To fix something as complicated as Twitter, sometimes you need to take it down to the basics and rebuild it almost from scratch. Whether it’s intentional or not, Musk is effectively doing so, and his effort could result in a company that’s easier to manage.

Since Musk doesn’t understand advertising, taking Twitter to a fee-based model once it is private could be a way to focus the service on its users rather than its advertisers. If the pivot is successful, the result should be a communications service that optimally meets the needs of its customers.

Musk has hinted at something called “Application X,” which could be a Microsoft Office-like application that combines social media activity and communication into one application. Depending on the makeup of Application X, it could pose a major threat to Facebook and Google, the companies it would most likely target. That could give both of those firms the much-needed competition to refocus on their core markets.

Wrapping up

Musk’s decision to buy Twitter is dire and has the potential to drag down many of his other companies, especially Tesla.

The most brutal hit will be to Twitter employees, who are not only unsupported by Musk but are likely to be laid off by him. It should be clear to most of the remaining employees that, in the very short term, quitting beats staying on while Twitter is effectively hollowed out into a shell. With the job market cooling down, those who move soon will likely have the most luck finding a new job.

Musk’s moves to reinstate those banned by Twitter should lead to increased use of Twitter but also to advertisers leaving the platform to avoid brand damage. Musk could mitigate that consequence if he changes Twitter from an ad-supported to a user-supported revenue model.

Technical Product of the Week

Intel Arc A770 Limited Edition Discrete Graphics Card

At $349, the Intel Arc A770 Limited Edition with 16GB of memory seems like quite a bargain for a discrete graphics card. For the right users, it may well be.

I’ll repeat my usual advice when it comes to new technology: Unless you’re willing to accept some teething pain, you don’t want to be the first to use it.

Any new technology will have compatibility issues. This product will be no different, though initial reports indicate that those problems mostly revolve around older game titles, where the card’s features probably won’t work well. It may still outperform cards that are over two years old, and if you’re running a current AAA game, it looks like it’s fine.

Intel’s graphics technology isn’t yet competitive with AMD or Nvidia at the high end, but the card appears to be competitive at this price point. As a limited edition with a nice industrial design, it may be acceptable to gamers and PC users who want a discrete card but are on a tight budget. This card provides a way to buy the highest end card from Intel at an affordable price.

[Image: Intel Arc A770 Limited Edition GPU (Image credit: Intel)]

Keep in mind that this card comes in two versions that are only $20 apart, which makes me wonder which idiot would buy the cheaper card. The difference is memory, and you may not need the extra 8GB of memory on the more expensive card, but there’s no way to upgrade a card from 8GB to 16GB after purchase, so paying that extra $20 makes a ton more sense.

The card is set up for overclocking, drawing 225 watts by default but wired to draw up to 300 watts. An interesting strategy with this card is to offer features like upscaling (XeSS), Smooth Sync, Speed Sync and Arc Control at this attractive price point. Often, features like these show up only in cards that cost almost twice as much.

PCMag did the most comprehensive set of benchmarks I’ve seen on this card. It performed competitively in its price range and did best when the title could use the card’s advanced features. For example, games like Red Dead Redemption 2 and Shadow of the Tomb Raider, which use the XeSS upscaling feature, did very well with this card.

However, as I mentioned above, it struggles with legacy games like Far Cry 5 and Rainbow Six Siege. So, until those games get an update, another option will serve you better if you mainly play legacy games rather than new titles.

For someone who’s okay with being an early adopter and plays newer games more than old ones, the Arc A770 looks like a decent value and a solid early product from Intel’s new graphics group, which is why it is my product of the week.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.