The former chief security officer of Uber was convicted in a historic federal trial earlier this month, after the defendant was charged with covering up a ransomware attack while his firm was under investigation by the Federal Trade Commission for prior lapses in data protection.
The jury found that Joseph Sullivan obstructed justice by paying off a pair of hackers who gained access to 57 million customer records and 600,000 license numbers of Uber drivers.
Sullivan paid the two hackers $100,000 in bitcoin and made them sign non-disclosure agreements to keep the attack a secret, despite not knowing their real names — their identities were later discovered.
Many critics of the verdict have raised questions about why an executive doing his job could be held criminally liable for negotiating a deal to protect his company’s reputation. While private sector companies and federal officials have officially frowned upon ransomware payments, officials have said more than two-thirds of ransom attacks have never been reported to federal authorities.
Another key question raised by this case is, if Sullivan could be convicted on these charges, why are other senior executives, C-suite officials and corporate board members allowed to walk away without any culpability?
“When a major security incident hits, there is a collective effort between executives and the security team to address, mitigate and contain it,” Christian Vezina, CISO at OneSpan, said via email after the verdict.
If a decision was made to limit the information disclosed about the incident, Vezina argues the CISO was not acting alone.
Sullivan never told the FTC about the deal and later misled Uber’s newly installed upper management about the scope of the 2016 attack.
He did, however, notify a limited number of Uber executives about the ransomware incident, including Uber’s then-CEO Travis Kalanick as well as a member of Uber’s legal team, according to court documents.
Application of law
Sullivan was convicted of obstructing a Federal Trade Commission probe, which had been investigating a prior breach at Uber. He was also convicted of a rarely charged crime called misprision, which involves knowing concealment of a crime.
Following the verdict, U.S. Attorney Stephanie Hinds said federal authorities expect companies to promptly alert customers and appropriate authorities when such data is stolen by hackers.
“Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught,” Hinds said in the announcement of the verdict by the Department of Justice. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers, than in protecting users.”
Sullivan faces up to five years in prison for obstruction and up to three years in prison for misprision of a felony.
The punishment could be his alone to bear. Uber in July entered a non-prosecution agreement with the DOJ, which allowed upper management to avoid charges, but accepted responsibility for the role of its senior executives and board of directors in the coverup.
While many experts in the cybersecurity and legal professions are outraged by the prosecution and the verdict, other experts caution that restructuring any future corporate governance will not serve as protection from some unique evidence of deliberate obstruction.
“It’s important to keep in perspective that the breach was not the reason Joe Sullivan was convicted — it was the coverup of that breach,” Jon Amato, senior director analyst at Gartner, said via email. “Outsourcing the coverup of a breach is still participating in it.”
Amato questioned whether future CISO candidates would try to negotiate some sort of language into future employment contracts that would protect them from liability.
Due to the historic nature of the CISO position in corporate governance, the addition of creative contractual language may not be enough to shield them from potential legal exposure.
“There’s a long running joke in the security community that the S in CISO does not stand for security, it stands for scapegoat,” Amato said. “That has been the case long before this incident, and unfortunately there is no reason to believe this will change in the future.”
Left hanging?
Cybersecurity experts from the law firm of Alston & Bird said the Sullivan conviction was the first major prosecution of a corporate executive for how they handled a cybersecurity incident.
It also blurs the distinction between a “coverup” and a failure to report an incident.
“I think every company is thinking, well if I’m aware of a hack, that’s a felony,” said attorney Kellen Dwyer, co-leader of Alston & Bird’s national security and digital crimes practice and a former assistant U.S. attorney for the Eastern District of Virginia. “And if I’m making a ransom payment, on the explicit or implicit promise that the hacker isn’t going to publicize the hack, is that considered concealing a valid report to law enforcement?”
Dwyer co-authored an advisory piece, along with Alston & Bird partners Kim Peretti and Mario Ayoub, with recommended structural changes in how companies should deal with incident response and ransomware negotiations following the Uber verdict.
Companies should have a written response plan and stick to the plan. One argument during the Uber case involved Sullivan keeping a small number of Uber executives involved, including at least one member of the company’s legal department and Kalanick.
Prosecutors said part of the coverup was based on Sullivan concealing the incident from Uber’s new management team.
Alston & Bird suggests companies disclose ransomware attacks to the FBI prior to paying off a threat actor. By promptly disclosing an attack, a company cannot be accused of concealing such an incident from federal authorities.
Companies should also avoid any agreement with a threat actor that involves them hiding or concealing the actual incident.
Hackers usually threaten to release proprietary data on the dark web or leverage personal information that could be embarrassing, but the Uber verdict shows that could be considered part of a coverup.
“On the one hand, CISOs should be concerned about being thrown under the bus,” said Sean Griffin, a Washington-based attorney at Dykema and a former DOJ trial lawyer. “On the other hand, I don’t know why anyone would think paying cybercriminals to sign a non-disclosure agreement containing false information would be a great way to address a cyber incident.”
Griffin points out that Martha Stewart went to prison for obstructing a federal investigation and Sullivan, a former prosecutor, should have been on record as recommending Uber disclose the 2016 breach.
Bug bounty abuse
A slightly under-the-radar impact of this case will be the need to change how companies manage bug bounty programs. It is routine for companies to pay security researchers or hackers who discover flaws in their software, so long as a program is established.
According to court documents, Sullivan helped arrange the $100,000 in bitcoin payments to the hackers to be paid through the company’s bug bounty program. The program was normally used to pay security researchers for disclosing vulnerabilities and had a maximum cap of $10,000 in payments.
Part of the misprision charge was based on Uber officials, including Sullivan, having the hackers sign a non-disclosure agreement to hide the fact they had stolen the company data, according to Dwyer.
“In general, having written procedures and following them is a good way for companies to protect themselves from second-guessing by regulators,” Dwyer said via email. “Conversely, violating your own procedures gives regulators an easy way to find fault.”
For federal regulators, the bottom line is they will continue to work with the private sector to combat malicious threat activity, but they will demand honesty and transparency and will no longer tolerate deceptive behavior or the abuse of customer data.
“This verdict makes it clear that big tech executives are not above the law and obstructing an FTC data security investigation by hiding a serious data breach from the FTC will not be tolerated,” a spokesperson for the agency said via email.