The sentencing of former Uber chief security officer Joseph Sullivan could lead to a quiet re-evaluation of how the chief information security officer (CISO) and the security community handle network breaches going forward.
A San Francisco federal jury indicted Sullivan on October 5 for failing to tell US officials about the 2016 hack of Uber’s database. Judge William H. Orrick did not set a date for sentencing.
Sullivan’s lawyer, David Angeli, said after the verdict was announced that his client’s sole focus was to ensure the security of people’s personal digital data.
Federal prosecutors noted that the case should serve as a warning to companies about how to comply with federal regulations when handling their network breaches.
Officials accused Sullivan of working to hide the data breach from US regulators and the Federal Trade Commission, and attempting to link his actions to prevent hackers from being caught.
At the time, the FTC was already investigating Uber after the 2014 hack. Two years later, hackers in Uber’s network repeatedly emailed Sullivan about the theft of large amounts of data. According to the US Justice Department, they promised they would delete the data if Uber paid the ransom.
The conviction is a significant precedent that has already sent shock waves through the CISO community. This dynamic policy highlights the personal liability involved in being a CISO in a legal and attacking environment, noted Casey Ellis, founder and CTO of Bugcrowd, a crowded cybersecurity platform.
“This calls for clear policy at the federal level around privacy protection and treatment of user data in the United States, and it emphasizes the fact that here a proactive approach to handling vulnerability information rather than a reactive approach is an important The component is flexibility for organizations, their security teams and their shareholders,” he told TechNewsWorld.
There is a growing tendency for companies afflicted with ransomware to interact with hackers. But the trial discourse showed prosecutors reminding the companies to “do the right thing,” according to media accounts.
According to published test accounts, Sullivan’s employees confirmed widespread data theft. This included theft records and 600,000 driver’s license numbers of 57 million Uber users.
The DOJ reported that Sullivan sought the hackers’ agreement to pay out US$100,000 in bitcoin. That agreement included the hackers signing a non-disclosure agreement to keep the hack from public knowledge. Uber reportedly hid the true nature of the payment as a bug bounty.
Only the jury had access to the evidence in the case, so it’s counterproductive to testify to specific details of the case, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a provider of digital risk management solutions.
“There are some general conclusions to draw. I am concerned by the unintended consequences of this case,” Holland told TechNewsWorld. “CISO already has a daunting task, and the outcome of the case has made CISO a scapegoat. Have given.”
important unanswered questions
Holland’s concerns include how the results of this trial could affect the number of leaders willing to take on the potential personal liability of the CISO role. He is also concerned about dismissing more whistleblower cases such as the escalating cases from Twitter.
He expects more CISOs to negotiate the insurance of directors and officers into their employment contracts. That type of policy provides personal liability coverage for decisions and actions a CISO may take, he explained.
“Furthermore, given the way both the CEO and CFO became responsible for corruption on the heels of the Sarbanes Oxley and Enron scandals, the CISO should not be the only culpable role in the case of wrongdoing around intrusions and breaches,” He suggested.
The Sarbanes-Oxley Act of 2002 is a federal law that established comprehensive auditing and financial regulations for public companies. The Enron scandal, a series of events involving questionable accounting practices, resulted in the bankruptcy of energy, goods and services company Enron Corporation and the dissolution of accounting firm Arthur Andersen.
“CISOs should effectively communicate risks to the company’s leadership team, but should not be solely responsible for cybersecurity risks,” he said.
Sullivan’s conviction is a kind of ironic role reversal. Earlier in his legal career, he prosecuted cybercrime cases for the United States Attorney’s Office in San Francisco.
The DOJ’s case against Sullivan hinged on obstructing justice and acting to conceal a felony from officers. The resulting conviction can have a long-term impact on how organizations and individual authorities approach cyber incident response, particularly where it involves extortion.
Prosecutors argued that Sullivan actively concealed the massive data breach. The jury unanimously agreed with the allegation beyond a reasonable doubt.
Instead of reporting the breach, the jury found that Sullivan, backed by the knowledge and approval of Uber’s then CEO, paid the hackers and signed a non-disclosure agreement with them, falsely claiming that he had stolen data from Uber. did not do.
A new chief executive who later joined the company reported the incident to the FTC. Current and former Uber executives, lawyers and others testified for the government.
Edward McAndrew, an attorney for Bakerhostetler and former DoJ cybercrime prosecutor and national security cyber expert, told TechNewsWorld that “Sullivan’s prosecution and now conviction is unprecedented, but it needs to be understood in its proper factual and legal context.”
He said that the government has recently adopted a very aggressive policy towards cyber security. This affects white-collar compliance, where organizations and officials are increasingly cast in the simultaneous and separate roles of crime victim and enforcement target.
“Organizations need to understand how the actions of individual employees can expose them and others to the criminal justice process. And information security professionals need to understand the actions they take in response to criminal cyberattacks. How to avoid becoming personally liable for that,” warned McAndrew.