Prosecutors Argue for 15 Months in Jail for Uber CISO

In a sentencing memorandum filed with a San Francisco federal court on April 27, 2023, prosecutors argued that Joe Sullivan—the former CISO of Uber and a former federal computer crimes prosecutor himself (with the same office)—should serve 15 months in federal prison for his role in the ride-sharing company’s concealment of a data breach. At the same time, the FTC was in negotiations with Uber to settle claims resulting from a previous data breach at the company. Sullivan is scheduled to be sentenced on May 4.

The Uber Charges

To the government, what happened in the Sullivan case is simple. Joe Sullivan, as CISO, learned that hackers had taken massive amounts of PII about Uber customers, drivers and others and were threatening to publicly release it. At the same time, Uber was negotiating a sensitive deal with the FTC, which called for Uber to provide greater controls over data security and privacy. In fact, Sullivan had just testified before the FTC under oath that many of the vulnerabilities the hackers exploited only a few days later had already been fixed. Fearful that disclosure of the new hack would throw the FTC negotiations into disarray, Sullivan, without the knowledge and approval of anyone else at Uber, arranged to pay the attackers out of Uber’s preexisting “bug bounty” program. The attackers would be paid not to disclose the fact that there had been a second breach and, in fact, to falsely state that no such breach had occurred. In that way, Sullivan could disguise the fact of the breach from the FTC and from Uber customers. Uber lawyers testified that Sullivan did not inform them of the data breach and that it was Sullivan’s idea to conceal the breach. For this, Sullivan was convicted of concealing a felony (misprision of a felony) and obstruction of a government operation.

Maybe. On the other hand…

Naturally, Sullivan and his legal team see things differently. After the hackers approached the CISO with evidence that they had stolen the data through a configuration issue with AWS, Sullivan attempted to mitigate the harm resulting from the breach. He sought and obtained assurances from the attackers that the data had not been disseminated beyond the two attackers, and that nobody other than the attackers had seen the data. He sought and obtained assurances that, in return for the bug bounty payment, they would explain the vulnerability they exploited and the methodology they used to do so, and would return and permanently delete any purloined data. If he retroactively “hired” the attackers and made them agents of Uber, then there would be no actual harm to Uber customers, and—at least in theory—there was no need to report the new incident to customers or the FTC. In fact, Sullivan asserted, the CEO was aware of and approved the process, and this was the “same call we made 100 times.”

Jail Time

Hundreds of cybersecurity and legal professionals have written letters of support for their former colleague. The government dismissed the importance of these letters of support, noting that “the letters submitted on Defendant Sullivan’s behalf evince that same widespread misunderstanding of the facts and of the evidentiary basis for the jury’s verdicts—a misunderstanding that clearly originates with Defendant’s own self-serving narrative that he first relied on when he was interviewed by internal investigators in August 2017.” In fact, the government goes further, asserting that letters attesting to Sullivan’s character and morality show why he should get a harsh sentence, noting “[t]hose same moral qualities only underscore that Defendant knew how wrong his conduct was, and the case stands as shocking proof that even such a revered figure in his community will resort to criminal activity when his reputation is on the line and he thinks no one is watching.” The prosecutor noted that Sullivan should be treated harshly and deserves prison time because he “has a spotless history. He is respected in his community. He is an innovator in his field. He is loyal to his friends and has supported those less fortunate.”

No, the prosecution countered—all of the letters submitted on behalf of Joe Sullivan by cybersecurity professionals showed why he should go to jail—for the benefit of the cybersecurity community!

The prosecution argued, “One of the themes that becomes evident in reviewing the letters submitted on Defendant Sullivan’s behalf is that many in the cybersecurity industry are not aware of the egregious conduct Defendant Sullivan has been proved guilty off [sic]—the witness tampering, the fraudulent corporate paperwork, the many lies. Letter after letter submitted to this Court suggests that this prosecution reflects simple second-guessing of a difficult decision, that Defendant Sullivan is nothing more than a scapegoat, and that neither the government nor the jury really understands cybersecurity. As the Court is aware after presiding over the trial in this matter, none of this is true. Additionally, as the Court may be aware, this false narrative has the real potential to drive a wedge between the cybersecurity community and law enforcement at precisely a time when our country is facing an unprecedented array of cyber threats that require those two communities to work hand-in-glove.”

The facts of the case illustrate some of the common problems with data breach investigations—how much to reveal and why. The reason we have data breach reporting requirements is to allow victims of data breaches to take some remedial actions after the breach. By paying the attackers, even as part of the bug bounty program, and ensuring that the stolen data was not further used or disclosed, Sullivan minimized the need for disclosure. Sullivan’s testimony before the Federal Trade Commission was that the company had corrected some of the errors related to AWS configurations that had led to the first data breach. Data security has always been a work in progress, and there’s no evidence that his statements to the FTC were knowingly false. Rather, the government is arguing that, having made those statements and later learned (because of the second data breach) that the vulnerabilities remained, Sullivan should have gone back and corrected his testimony. Maybe. Maybe not. But it seems that federal criminal law is a mighty heavy sledgehammer to use in such a case.

Will the Sullivan case act as a “wake-up call” for CISOs? Will it make a difference in the future when a company is making a decision whether to report or not? If Sullivan gets probation, will some beleaguered CISO make the same decision as Sullivan did? If he goes to jail for more than a year, will this have any practical application in the security community? Probably not. I have often said that the goal in data breach investigations is not to do the “right” thing but rather to do the “least wrong” thing. The Sullivan sentencing will invariably make people more cautious and more prone to reporting—even in cases where reporting is unnecessary and counterproductive. However, it may also increase the sharing of incident data with management and senior management and get buy-in related to breach disclosure, and that’s a good thing. Sentencing is May 4.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.