As Ex-Uber Executive Heads to Trial, the Security Community Reels
Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber.
When the security community made its annual summer pilgrimage to Las Vegas for two conferences, Mr. Sullivan was an easily recognizable figure: tall with shaggy hair, wearing sneakers and a hoodie.
“Everyone knew him; I was in awe, frankly,” said Renee Guttmann, who was the chief information security officer for Coca-Cola and Campbell Soup. “He was an industry leader.”
So it came as a shock to many in the community when Mr. Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before. Despite the scandal, Mr. Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company.
But the investigation into the incident at Uber continued, and in 2020, the same prosecutor’s office where Mr. Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Mr. Sullivan has pleaded not guilty to the charges.
Mr. Sullivan stepped down from his job at Cloudflare in July, in preparation for his trial, which begins this week in U.S. District Court in San Francisco. Other chief security officers are following the case closely, worried about what it means for them.
Chief information security officers, or CISOs, are responsible for ensuring that their companies’ data remains safe from hackers and fraudsters, a high-stakes job that has become increasingly tricky.
In the past year or so alone, T-Mobile, Planned Parenthood and the NFT marketplace OpenSea have been hacked. Perfect security is impossible, and now CISOs are wondering what happens if — or rather when — they fail. If Mr. Sullivan is convicted, they worry the outcome could set a precedent for who is at fault for a data breach. Could they be left holding the bag?
Ms. Guttmann, who is now an adviser to venture capital firms and start-ups, said Mr. Sullivan’s case had made her think more about the problem of ransomware, when hackers encrypt a company’s files and demand payment, usually in cryptocurrency, to release them. A 2021 survey indicated that many companies pay the ransom.
“Six years from now, will all of them be prosecuted?” she asked.
At the very least, security executives are worried about being on the hook for potential legal bills. Charles Blauner, a retired CISO and cybersecurity adviser, said security chiefs had taken a strong interest in directors and officers insurance, which covers the legal costs of executives who are sued as a result of their work with a company.
“A lot of sitting chief information security officers are going to their bosses and asking if they have D.&O. insurance and, if not, can I have it?” Mr. Blauner said. “They are saying, ‘If I’m going to be held liable for something our company does, I want legal coverage.’”
After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.
Some security officers are sympathetic to how Mr. Sullivan handled the security incident at the center of the criminal case, while others say it was clearly inappropriate. In 2016, according to a criminal complaint, Mr. Sullivan learned that hackers had secured access to the personal data of about 600,000 Uber drivers and some personal information associated with 57 million riders and drivers. Prosecutors accuse Mr. Sullivan of directing those responsible to the company’s bug bounty program, which Uber, like many companies, had set up as a financial incentive for third parties to report its security vulnerabilities.
Uber ultimately paid the hackers, two men in their 20s, $100,000 in Bitcoin and had them sign nondisclosure agreements, according to the criminal complaint. Uber did not disclose the incident to the public, nor did it inform the Federal Trade Commission, which was investigating the company for its privacy and security practices.
It became public only in 2017 when Uber’s new chief executive, Dara Khosrowshahi, fired Mr. Sullivan. Data breach laws generally require companies to notify individuals when their personal data has been exposed. The two men responsible were later identified and pleaded guilty to hacking.
A member of Uber’s security team around that time, who spoke on the condition of anonymity, said he hadn’t been surprised when he heard about Mr. Sullivan’s indictment, given the aggressive, do-what-it-takes culture he experienced at the company. At the same time, he said, it was not unusual to direct people who found vulnerabilities to the company’s bug bounty program, to ensure that they were rewarded.
Prosecutors have accused Mr. Sullivan of obstructing justice and concealing a felony for not disclosing the breach or revealing it to the F.T.C. Mr. Sullivan’s spokesman said he could not discuss the case given the upcoming trial. Uber declined to comment.
Another former member of Uber’s security team, Michael Sierchio, who left in the months before the incident, said Mr. Sullivan had been “unfairly singled out.”
“He’s being scapegoated,” Mr. Sierchio said. “The government thinks he should have known better because he’s a former prosecutor.”
Several chief security officers who spoke to The New York Times expressed concern that Mr. Sullivan was the only one held accountable at Uber, given that a chief security officer does not generally make the call on whether a company reports a data breach. That, they said, is usually decided by the legal department and the chief executive, who at the time was Travis Kalanick. Mr. Kalanick’s spokeswoman said he had no comment.
In a pretrial hearing, even the judge seemed struck by the extent to which Mr. Sullivan was being held responsible for Uber’s actions.
“I had not, until this moment, realized that your case was really against Uber and Uber is going to be sitting here in the form of Mr. Sullivan,” Judge William Orrick said to the prosecutor, Andrew Dawson.
The U.S. attorney’s office had no comment on the case. In the hearing, Mr. Dawson said that Uber had legal obligations around security and privacy and that the state’s evidence would show “what Mr. Sullivan did to undermine those obligations.”
Steve Zalewski, a former chief information security officer for Levi Strauss, described the field of cybersecurity as still evolving, having grown up alongside the internet over the last 30 years, and said calls like the one that Mr. Sullivan had made were tricky.
“Because it is relatively young, we don’t have that body of law and body of knowledge that’s derived over time to know where the line is,” Mr. Zalewski said. “Bad guys are attacking us every day. We’re just trying to defend the company.”
Other chief security officers are less forgiving. Jamil Farshchi, who became chief information security officer at the data broker Equifax after a huge breach there affected more than 140 million people, kicked off a spirited discussion on LinkedIn last month when he accused those defending Mr. Sullivan of “tribalism.”
“It’s really easy to downplay accountability in favor of sympathy when you’re fighting for your tribe,” wrote Mr. Farshchi, who declined to comment for this article. “The U.S. v. Sullivan trial starts in September, but the key lesson here is one that almost every CISO has experienced firsthand: when faced with a lose-lose decision, do the right thing (or at least the lawful one).”
As Mr. Sullivan’s trial approaches, another high-profile former security chief is in the news, but for disclosing what he said were security problems, rather than concealing them. Peiter Zatko, who was fired as head of security at Twitter in January, recently turned whistle-blower, claiming that his former company had hidden security vulnerabilities from regulators.
“Quite honestly, the weight of the world is on our shoulders,” said Jason Manar, chief information security officer at the software company Kaseya. “I definitely have fewer strands of hair than I used to.”
Last year, Kaseya was hit by a cyber attack from a Russian-based cybercriminal group called REvil, which compromised up to 1,500 businesses that use Kaseya’s software services. Mr. Manar was one of the F.B.I. agents who investigated the attack; he later took a security job at the company, at the end of 2021.
He said the difference between the Kaseya incident and Uber’s was that Kaseya had quickly disclosed the hack and worked with law enforcement officers, which gave him the confidence that the company would have his back if something went wrong again. Mr. Sullivan’s case, he hoped, would turn out to be an anomaly.
Still, he acknowledged, there are risks to being the person in charge of responding to colossal threats.
“The stakes are high for every CISO out there,” he said. “I just think it comes down to it’s an ethical and a moral responsibility, as well as a legal responsibility, to just do what’s right.”
Ms. Guttmann, the former CISO for Coca-Cola and Campbell, said she had recently attended the cybersecurity conference Black Hat in Las Vegas. The trial was on attendees’ minds, and while people she spoke with were generally supportive of Mr. Sullivan, she said, his predicament was discouraging.
“People there who were senior at their job, just below CISO, said they wouldn’t take the CISO job for anything,” she said. “The stress, the liability. People don’t think this can be a long-term job at a company anymore.”