Implications for CSOs of Charges Against Joe SullivanFeds Accuse Former Uber CSO of Covering Up Hacker Attack and Data Breach
Does the case against Uber's former CSO Joe Sullivan presage a change in how organizations must report hacker attacks or data breaches?
"The case is causing great consternation in the infosec community partly because it is the first instance in which a CSO or CISO has been personally held responsible - other than by firing - for a data breach response, and the first time that criminal sanctions of any kind have been sought against the corporate victim of a data breach for ... mishandling the data breach itself," says attorney Mark Rasch, who's of counsel to the law firm of Kohrman, Jackson & Krantz, in a report for Security Current.
Here are the particulars of the case: On Aug. 20, federal prosecutors in San Francisco filed two charges against Sullivan, accusing him of failing to report a 2016 data breach to the U.S. Federal Trade Commission while the FTC was investigating a 2014 data breach at the ride-sharing service.
Prosecutors say that as the person nominated by Uber to provide sworn testimony to the FTC, Sullivan should have immediately disclosed the breach. They've also accused him of misusing the company's bug bounty program with HackerOne, which had previously topped out at $10,000 bounties, to pay two men $100,000 in "hush money" in exchange for providing details of how they obtained the data on 57 million driver and rider accounts in October 2016, deleting the data, as well as signing a non-disclosure agreement about what they did.
Prosecutors have also accused Sullivan of hiding the full extent of the breach from Uber's general counsel and former CEO, Travis Kalanick, and continuing to cover it up when briefing Uber's new CEO, Dara Khosrowshahi, about the incident after he joined in 2017. Once Khosrowshahi learned of the breach, he disclosed it publicly in November 2017, saying it had been a "failure" to not do so sooner. He also fired in-house attorney Craig Clark, who had directly overseen the payment via HackerOne, as well as Sullivan, who responded by saying that everything he did was with the full knowledge of, and sign-off from, Uber's senior management.
In short order, Uber faced numerous lawsuits, and the U.S. attorney for Northern California announced that it had opened a criminal investigation into the matter.
Ultimately, Uber reached a $148 million settlement agreement with the attorneys general of all 50 states and the District of Columbia over its failure to report the breach in a timely manner, and it pledged to be more transparent. Uber also paid more than $1 million in fines to U.K. and Dutch data protection authorities.
In October 2019, the two men who received the $100,000 payoff - Florida resident Brandon Glover and Canadian national Vasile Mereacre - pleaded guilty to conspiracy to commit extortion as well as hacking multiple organizations, including Uber. They face up to five years in prison but have yet to be sentenced.
Charges Against Sullivan: Obstruction, Misprision
Legal experts say that as the fines and legal settlements demonstrate, Uber clearly and legally erred by not disclosing the breach of personal information in a timely manner to either victims, attorneys general or EU regulators.
But the two charges filed last week against Sullivan are obstruction of justice and "misprision of a felony," which refers to knowing something is a felony and covering it up. "It's an old, common law statute; it goes back hundreds of years," Rasch tells Information Security Media Group. "In this case, it's being used to prosecute the victim of a crime, and that's an unusual use. It doesn't mean the statute doesn't cover it, but it's an unusual use."
One example of when a misprision charge might normally be brought, Rasch says, is if an individual was asked by someone else to hide a gun for them, and the individual knew the gun had been used for a crime.
"The Sullivan case represents the first time this statute has been used to prosecute the victim of a cyberattack for not reporting the attack because he concealed it through the NDA," says Rasch, who previously worked for the U.S. Department of Justice, where he started the computer crime unit within the criminal division’s fraud section.
One information security wrinkle with the misprision charge is that organizations get hammered daily by all sorts of things that are felonies. Is the government really arguing that by failing to report every distributed denial-of-service attack, incoming email with malware attached - or wiping logs that show attempts to remotely access systems without authorization - an organization and its security team would be committing misprision?
"Just to calm the fears of others [CSOs and CISOs], merely not reporting a breach or an attack or a DDoS or a ransomware is not misprision of a felony," Rasch says. "There are no criminal penalties - at least not currently - for a failure to report a data breach, and there are few, if any, legal requirements of reporting other cybercrimes that are not data breaches."
Incident Response Realities
The case against Sullivan, who's now CSO of Cloudflare, hinges in part on prosecutors accusing him of covering up the extent of the breach when sharing information with Uber's general counsel, who was communicating with the FTC.
"Now unfortunately, there's language in the complaint that talks about things like Sullivan telling people 'let's keep this close to the vest, nobody else talk about this stuff,' things like that," Rasch says. "I mean that is standard fare in an incident response, and in fact, almost always those directions come from the general counsel, and the general counsel says everything gets reported to me so that it can be considered privileged so that we can not report it."
'Chief Sacrificial Officer'
Sullivan has strongly disputed that he attempted to cover up the 2016 security incident, which he said Uber had decided to treat not as a data breach but as a vulnerability disclosure. "There is no merit to the charges against Mr. Sullivan, who is a respected cybersecurity expert and former assistant U.S. attorney," Bradford Williams, his spokesman, tells ISMG.
"This case centers on a data security investigation at Uber by a large, cross-functional team made up of some of the world’s foremost security experts, Mr. Sullivan included," Williams says. "If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all. From the outset, Mr. Sullivan and his team collaborated closely with legal, communications and other relevant teams at Uber, in accordance with the company’s written policies. Those policies made clear that Uber’s legal department - and not Mr. Sullivan or his group - was responsible for deciding whether, and to whom, the matter should be disclosed."
The fact that so many people inside Uber not only learned of the data breach but knew of the payoff has led some in the cybersecurity community to characterize the charges against Sullivan - which could see him serve up to eight years in prison - as being an inappropriate case of scapegoating.
Katie Moussouris, a bug bounty expert who runs consultancy Luta Security, says he's essentially been made into a "chief sacrificial officer" for Uber (see: So You Want to Build a Vulnerability Disclosure Program?).
"I think that singling out Joe for this is ridiculous," Moussouris tells Wired. "No company places security and transparency decisions on one executive alone. Not only is there a shared culpability among all the executives involved in the decision, but any bug bounty companies involved in these types of situations must not ignore data breach laws or agree to facilitate clandestine payoffs."
Talk to an Attorney, or Maybe Two
What precedent this case might set remains unclear. But Rasch says that for CSOs and CISOs, transparency remains essential when handling any security incident.
"At a minimum, keep your lawyer advised of what you are doing, and get them to approve it. And if your lawyer tells you to do something you think is a crime, get another lawyer. Or at least a second opinion," he says. "Nobody has paid me enough money as a lawyer to go to jail for them - at least not yet."