{"id":1346,"date":"2022-10-13T10:43:33","date_gmt":"2022-10-13T10:43:33","guid":{"rendered":"https:\/\/www.txd9.com\/?p=1346"},"modified":"2022-10-13T10:43:33","modified_gmt":"2022-10-13T10:43:33","slug":"former-uber-security-chief-guilty-of-data-breach-coverup","status":"publish","type":"post","link":"https:\/\/www.txd9.com\/?p=1346","title":{"rendered":"Former Uber Security Chief Guilty of Data Breach Coverup"},"content":{"rendered":"<div>\n<p>The conviction of former Uber Chief Security Officer Joseph Sullivan may prompt a chilling reassessment of how chief information security officers (CISOs) and the security community handle network breaches going forward.<\/p>\n<p>A San Francisco federal jury on Oct. 5 convicted Sullivan of failing to tell U.S. authorities about a 2016 hack of Uber\u2019s databases. Judge William H. Orrick did not set a date for sentencing.<\/p>\n<p>Sullivan\u2019s lawyer, David Angeli, said after the verdict\u2019s announcement that his client\u2019s sole focus was to ensure the safety of people\u2019s personal digital data.<\/p>\n<p>Federal prosecutors noted that the case should serve as a warning to companies about how they comply with federal regulations when handling their network breaches.<\/p>\n<p>Officials charged Sullivan with working to hide the data breach from U.S. regulators and the Federal Trade Commission, adding that his actions were an attempt to prevent the hackers from being caught.<\/p>\n<p>At the time, the FTC was already investigating Uber following a 2014 hack. The repeat hack into Uber\u2019s network two years later involved the hackers emailing Sullivan about their theft of a large amount of data. According to the U.S. Department of Justice, they promised to delete the data if Uber paid their ransom.<\/p>\n<p>The conviction is a significant precedent that has already sent shockwaves through the CISO community. 
It highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment, noted Casey Ellis, founder and CTO at Bugcrowd, a crowdsourced cybersecurity platform.<\/p>\n<p>\u201cIt begs for clearer policy at the federal level in the United States around privacy protections and the treatment of user data, and it emphasizes the fact that a proactive approach to handling vulnerability information, rather than the reactive approach taken here, is a key component of resilience for organizations, their security teams, and their shareholders,\u201d he told TechNewsWorld.<\/p>\n<h3>Troublesome Details<\/h3>\n<p>A growing trend is for companies victimized by ransomware to negotiate with hackers. But trial discourse showed prosecutors reminding companies to \u201cDo the right thing,\u201d according to media accounts.<\/p>\n<p>According to published trial accounts, Sullivan\u2019s staff confirmed the extensive data theft. It included 57 million Uber users\u2019 stolen records and 600,000 driver\u2019s license numbers.<\/p>\n<p>The DoJ reported that Sullivan sought the hackers\u2019 agreement to be paid U.S. $100,000 in bitcoin. That agreement included hackers signing a non-disclosure agreement to keep the hack from public knowledge. 
Uber allegedly disguised the payment as a bug bounty to hide its true nature.<\/p>\n<p>Only the jury had access to the evidence of the case, so pontificating on specific details of the matter is counterproductive, opined Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a provider of digital risk management solutions.<\/p>\n<p>\u201cThere are some general conclusions to draw. I am concerned with the unintended consequences of this case,\u201d Holland told TechNewsWorld. \u201cCISOs already have a challenging job, and the case outcome raises the stakes for CISO scapegoating.\u201d<\/p>\n<h3>Critical Unanswered Questions<\/h3>\n<p>Holland\u2019s concerns include how this trial\u2019s outcome might impact the number of leaders willing to take on the potential personal liability of the CISO role. He also worries about dislodging more whistleblower cases like the ones that grew out of Twitter.<\/p>\n<p>He expects more CISOs to negotiate Directors and Officers insurance into their employment contracts. 
That type of policy offers personal liability coverage for decisions and actions the CISO might take, he explained.<\/p>\n<p>\u201cIn addition, in the same way that both the CEO and CFO became responsible for corruption on the heels of Sarbanes Oxley and the Enron scandal, CISOs should not be the only roles guilty in the event of wrongdoing around intrusions and breaches,\u201d he suggested.<\/p>\n<p>The Sarbanes-Oxley Act of 2002 is a federal law that established comprehensive auditing and financial regulations for public companies. The Enron scandal, a series of events involving dubious accounting practices, resulted in the bankruptcy of the energy, commodities, and services company Enron Corporation and the dissolution of the accounting firm Arthur Andersen.<\/p>\n<p>\u201cCISOs must effectively communicate risks to the company\u2019s leadership team but should not be solely responsible for cyber security risks,\u201d he said.<\/p>\n<h3>Twisted Circumstances<\/h3>\n<p>Sullivan\u2019s conviction is an ironic role reversal of sorts. Earlier in his law career, he prosecuted cybercrime cases for the United States Attorney\u2019s Office in San Francisco.<\/p>\n<p>The DoJ\u2019s case against Sullivan hinged on obstructing justice and acting to conceal a felony from authorities. The resulting conviction could have a long-term impact on how organizations and individual executives approach cyber incident response, particularly where it involves extortion.<\/p>\n<p>Prosecutors argued that Sullivan actively concealed a massive data breach. 
The jury unanimously found the charge proven beyond a reasonable doubt.<\/p>\n<p>The jury found that, instead of reporting the breach, Sullivan, with the knowledge and approval of Uber\u2019s then-CEO, paid the hackers and had them sign a non-disclosure agreement that falsely claimed they had not stolen data from Uber.<\/p>\n<p>A new chief executive who later joined the company reported the incident to the FTC. Current and former Uber executives, lawyers, and others testified for the government.<\/p>\n<p>Edward McAndrew, an attorney at BakerHostetler and a former DoJ cybercrime prosecutor and National Security Cyber Specialist, told TechNewsWorld that \u201cSullivan\u2019s prosecution and now conviction is groundbreaking, but it needs to be understood in its proper factual and legal context.\u201d<\/p>\n<p>The government recently adopted a much more aggressive policy toward cybersecurity, he noted. This affects white-collar compliance, where organizations and executives are increasingly cast into the simultaneous and disparate roles of crime victim and enforcement target.<\/p>\n<p>\u201cOrganizations need to understand how the actions of individual employees can expose them and others to the criminal justice process. 
And information security professionals need to understand how to avoid becoming personally liable for actions they take in responding to criminal cyberattacks,\u201d McAndrew cautioned.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The conviction of former Uber Chief Security Officer Joseph Sullivan may pose a chilling reassessment of how chief information security officers (CISOs) and the security<\/p>\n","protected":false},"author":1,"featured_media":1347,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[619,1081,1082,74,1048,498,688],"class_list":["post-1346","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-breach","tag-chief","tag-coverup","tag-data","tag-guilty","tag-security","tag-uber"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.txd9.com\/index.php?rest_route=\/wp\/v2\/posts\/1346","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.txd9.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.txd9.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.txd9.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.txd9.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1346"}],"version-history":[{"count":0,"href":"https:\/\/www.txd9.com\/index.php?rest_route=\/wp\/v2\/posts\/1346\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.txd9.com\/index.php?rest_route=\/wp\/v2\/media\/1347"}],"wp:attachment":[{"href":"https:\/\/www.txd9.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1346"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.txd9.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1346"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.txd9.com\/index.php?rest_route=%2Fwp%2Fv
2%2Ftags&post=1346"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}