Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber.
When the security community made its annual summer pilgrimage to Las Vegas for two conferences, Sullivan was an easily recognisable figure: tall with shaggy hair, wearing sneakers and a hoodie.
“Everyone knew him; I was in awe, frankly,” said Renee Guttmann, who was chief information security officer for Coca-Cola and Campbell Soup. “He was an industry leader.”
So it came as a shock to many in the community when Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before. Despite the scandal, Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company.
But the investigation into the incident at Uber continued, and in 2020, the same prosecutor’s office where Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Sullivan has pleaded not guilty to the charges.
Sullivan stepped down from his job at Cloudflare in July, in preparation for his trial, which begins this week in US district court in San Francisco. Other chief security officers are following the case closely, worried about what it means for them.
Chief information security officers (CISOs) are responsible for ensuring that their companies’ data remains safe from hackers and fraudsters, a high-stakes job that has become increasingly tricky. In the past year or so alone, T-Mobile, Planned Parenthood and NFT marketplace OpenSea have been hacked. Perfect security is impossible, and now many security chiefs are wondering what happens if — or rather when — they fail.
If Sullivan is convicted, they worry the outcome could set a precedent for who is at fault for a data breach. Could they be left holding the bag?
Guttmann, who is now an adviser to venture capital firms and start-ups, said Sullivan’s case had made her think more about the problem of ransomware, when hackers encrypt a company’s files and demand payment, usually in cryptocurrency, to release them. A 2021 survey indicated that many companies pay the ransom. “Six years from now, will all of them be prosecuted?” she asked.
At the very least, security executives are worried about being on the hook for potential legal bills. Charles Blauner, a retired CISO and cybersecurity adviser, said security chiefs had taken a strong interest in directors and officers’ insurance, which covers the legal costs of executives who are sued as a result of their work with a company.
“A lot of sitting chief information security officers are going to their bosses and asking if they have D&O [directors and officers] insurance and, if not, can I have it?” Blauner said. “They are saying: ‘If I’m going to be held liable for something our company does, I want legal coverage’.”
After being charged, Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.
Some security officers are sympathetic to how Sullivan handled the security incident at the centre of the criminal case, while others say it was clearly inappropriate.
In 2016, according to a criminal complaint, Sullivan learned that hackers had secured access to the personal data of about 600,000 Uber drivers and some personal information associated with 57 million riders and drivers. Prosecutors accuse Sullivan of directing those responsible to the company’s bug bounty programme, which Uber, like many companies, had set up as a financial incentive for third parties to report its security vulnerabilities.
Uber ultimately paid the hackers — two men in their 20s — $100,000 in bitcoin and had them sign nondisclosure agreements, according to the criminal complaint. Uber did not disclose the incident to the public, nor did it inform the Federal Trade Commission (FTC), which was investigating the company for its privacy and security practices.
It became public only in 2017 when Uber’s new CEO, Dara Khosrowshahi, fired Sullivan. Data-breach laws generally require companies to notify individuals when their personal data has been exposed. The two men responsible were later identified and pleaded guilty to hacking.
A member of Uber’s security team around that time, who spoke on the condition of anonymity, said he had not been surprised when he heard about Sullivan’s indictment, given the aggressive, do-what-it-takes culture he experienced at the company. At the same time, he said, it was not unusual to direct people who found vulnerabilities to the company’s bug bounty programme, to ensure that they were rewarded.
Prosecutors have accused Sullivan of obstructing justice and concealing a felony for not disclosing the breach to the public or revealing it to the FTC. Sullivan’s spokesperson said he could not discuss the case given the upcoming trial. Uber declined to comment.
Another former member of Uber’s security team, Michael Sierchio, who left in the months before the incident, said Sullivan had been “unfairly singled out”.
“He’s being scapegoated,” Sierchio said. “The government thinks he should have known better because he’s a former prosecutor.”
Several chief security officers who spoke to the New York Times expressed concern that Sullivan was the only one held accountable at Uber, given that a chief security officer does not generally make the call on whether a company reports a data breach. That, they said, is usually decided by the legal department and the CEO, who at the time was Travis Kalanick. Kalanick’s spokesperson said he had no comment.
In a pretrial hearing, even the judge seemed struck by the extent to which Sullivan was being held responsible for Uber’s actions.
“I had not, until this moment, realised that your case was really against Uber and Uber is going to be sitting here in the form of Mr Sullivan,” Judge William Orrick said to the prosecutor, Andrew Dawson.
Steve Zalewski, a former CISO for Levi Strauss, described the field of cybersecurity as still evolving, having grown up alongside the internet over the past 30 years, and said calls like the one Sullivan had made were tricky.
“Because it is relatively young, we don’t have that body of law and body of knowledge that’s derived over time to know where the line is,” Zalewski said. “Bad guys are attacking us every day. We’re just trying to defend the company.”
As Sullivan’s trial approaches, another high-profile former security chief is in the news — but for disclosing what he said were security problems, rather than concealing them. Peiter Zatko, who was fired as head of security at Twitter in January, recently turned whistleblower, claiming his former company had hidden security vulnerabilities from regulators.
Guttmann said she had recently attended the cybersecurity conference Black Hat in Las Vegas. The trial was on attendees’ minds, and although people she spoke with were generally supportive of Sullivan, she said, his predicament was discouraging.
“People there who were senior at their job, just below CISO, said they wouldn’t take the CISO job for anything,” she said. “The stress, the liability. People don’t think this can be a long-term job at a company any more.”
This article originally appeared in The New York Times.