
Ex-Uber CSO Joe Sullivan on why he ‘needed to recover from’ shock data breach conviction

Before joining Uber as chief security officer in 2015, Joe Sullivan served for two years as a federal prosecutor with the US Department of Justice, where he specialized in computer hacking and IP issues. He worked on a number of high-profile cases, from the first prosecution in the U.S. under the Digital Millennium Copyright Act to the prosecution of a hacker who breached NASA’s Jet Propulsion Laboratory.

More than 20 years after joining the U.S. government to help organizations defend against the so-called bad guys, Sullivan found himself on the other side of the justice system.

In October 2022, a San Francisco jury found him guilty on charges of obstructing an official proceeding and misprision of a felony (a failure-to-report-wrongdoing offense). In May this year, Sullivan was sentenced to three years’ probation.

The irony is not lost on Sullivan, who spoke to information.killnetswitch in London this week ahead of his keynote speech at the cybersecurity conference Black Hat Europe.

This precedent-setting case relates to a breach of Uber’s systems in 2016, in which hackers threatened to expose the data of 50 million Uber customers and drivers. The verdict centered largely on Uber’s decision not to report the breach to the Federal Trade Commission, as the company had been required to report all breaches after an earlier 2014 hack of its systems exposed the names and driver’s license numbers of 50,000 people.

The case didn’t go as Sullivan, who was fired from Uber in 2017, had expected.

“We thought we were going to win the trial. We barely put on a defense because my lawyers were like, ‘we don’t have to.’ I didn’t testify, so the jury never saw me. They only saw the anonymous Uber executive with a mask on,” Sullivan told information.killnetswitch during the interview on Wednesday.


The first-of-its-kind verdict hit Sullivan hard initially. “When I lost the trial last October, I was in a funk, I didn’t want to talk to anybody, and I didn’t know what would happen to my life,” he said. “I just wanted to curl up in a ball.”

Sullivan’s case also caused anxiety among fellow CSOs and CISOs, a number of whom wrote letters to the case’s sentencing judge, William Orrick, praising Sullivan’s actions and voicing their fears that they too could face legal consequences for simply doing their jobs.

Those fears have lasted long beyond Sullivan’s conviction. The former Uber CSO, who now works as CEO of a non-profit dedicated to providing humanitarian and technology aid to the people of Ukraine, told information.killnetswitch that he receives calls every week from security professionals asking whether they should stay in the industry and whether they should take interviews for higher-ranking roles that come with greater responsibility and greater risk.

“What I tell the security executives right now is that they shouldn’t run away from the job; they should run toward it,” Sullivan said, noting that the shared anxiety among cybersecurity professionals, together with the fact that he wanted to be a “better person,” is part of the reason he wanted to start speaking out about the Uber data breach case.

“I realized that sharing what I’ve gone through is better than not and healthier for me. It’s taken me a year to say that, but that’s the right way to be,” Sullivan told information.killnetswitch. “I was very bitter, but I want to be a better person. I also want to continue being part of the security world, so I have to get over it.”


Sullivan told information.killnetswitch that another reason he is keen to speak out is that there have been “a hundred webinars, by a hundred lawyers, saying that ‘you won’t end up like Joe if you have insurance, if you bring legal and PR into the room, or if you have a breach accountability policy’”.

“We did all of those things [at Uber],” Sullivan said. “We had insurance; there was a data breach response policy; we looped in PR, and the CEO [Travis Kalanick] signed off on everything, including the dollar amount,” he added, referring to the $100,000 payment made to the two young men who discovered the vulnerability that led to the 2016 Uber breach.

When asked whether he believed Uber’s then-CEO should have been held accountable, Sullivan said: “I don’t think anybody did anything wrong at the end of the day.”

“Uber wouldn’t exist today; in fact, we would still be taking taxis, if it wasn’t for [Kalanick] and his sheer forcefulness,” Sullivan added. “On the upside, he drove some change in the world. However, on the downside, his philosophy was that the person who threw the first punch wins the fight.”

Fixing a broken industry

In what Sullivan describes as “the greatest irony of his career,” part of his role at the Department of Justice involved working closely with organizations in Silicon Valley to encourage more collaboration with the government. “That’s been the story of my career; trying to get the public and private sectors to work together”.


Sullivan believes that, going forward, this public-private sector collaboration, along with strong regulation, is the only way to fix the “broken” cybersecurity industry.

“When I joined, [Uber] had the worst security of any $40 billion company, and that can’t fly in the world anymore. If you’re going to sell a product, your security has to be good enough the day you sell it,” Sullivan said. “I could be very bitter about the idea of government regulation since I was regulated, but I also think we need it for the internet to work well in the future.”

Sullivan praised the U.S. Securities and Exchange Commission’s incoming data breach disclosure rules, which come into effect on December 15, noting that while not perfect, they are much better than having zero guidance. “We can nitpick the details as much as we want, but this is the right way to do it,” he said. “I seem to be the one who’s criticizing the SEC less than everyone else because I think we should reward them for trying to make rules.”

As for CSOs and CISOs, many of whom are still worried that they will be held personally liable for security failings at their organization, Sullivan believes that now is the time to speak out in order to shape any future regulation.

“We have to pull ourselves up, we have to learn the policy side of it, and we have to learn how to make our voice heard,” Sullivan told information.killnetswitch. “I think we have to develop leaders who can be real societal leaders who are experts in our profession.”
