As the criminal charges against former Uber CISO, Joe Sullivan, hit mainstream media, there is, understandably, a sense of outrage among the security community, with some voices defending the position of CISO and some siding with the prosecution, based on the published details of the case. I’ve seen the barrage of social media posts decrying why it’s unfair for Sullivan to potentially be facing jail time. The arguments range from, “security is hard,” to “there’s no way he was the only one who knew about the breach but he might have been scared to go against his superiors,” to “what does this mean for future breaches?” On the other side of the argument, people seem relieved: “I’m glad the private sector is holding the integrity thing down,” and, “If you do what Joe Sullivan was indicted for and conceal incident info, even at the behest of your superiors, you not only destroy your career, you destroy the ability of your employer to use insurance resources to help resolve it.”i
As an analyst who speaks with enterprise CISOs daily, I can tell you that 1. security practitioners are scared for their careers, but 2. security practitioners on the end user side are more likely to be condemning of Sullivan’s actions than those who consider themselves part of the hacker community.
Let’s dive in and look at what happened before we get to personal commentary: The attack against Uber happened in November 2016. Compromised data included the names, email addresses, and phone numbers of approximately 50 million riders, and the personal information of approximately 7 million drivers, along with driver’s license information of about 600,000 U.S. drivers.ii This information was readily reported among the press, but only after a new CEO stepped in in 2017 and took responsibility for the breach; that’s when Sullivan was fired. At the time of the breach, one year before it was exposed, Uber chose to cover up the incident, all the while negotiating with U.S. federal regulators on separate claims over non-compliance with data security disclosures and the handling of consumer data. Based on this information, one can assume that a culture of irresponsibility toward the security and privacy of customer and employee data was knit into the fabric of the company under previous management.
The breach wasn’t an isolated incident and Sullivan wasn’t the only one to know about it. Not a chance.
Duty to protect
This is all bad enough: Businesses and individuals in charge of cyber security, especially, have an obligation, a legal one, to protect data assets. It could be argued that security practitioners also have a moral and ethical obligation as well—but that’s much, much more subjective. Opinions aside, the job of security practitioners is asset protection. Practitioners are obligated to take due care and must be able to demonstrate reasonable implementation of measures that protect their employers’ systems—even third-party systems like GitHub on which data is stored—networks, data, and applications. There are myriad laws and regulations requiring due care. Does this mean breaches won’t happen? Of course not. Does it mean security executives won’t be fired when a large-scale breach does happen? No. Is that right? That’s debatable.
The case against Sullivan isn’t about whether a breach happened under his watch. That shouldn’t be the subject of debate on this topic.
The facts are this: Uber was breached. In 2017 when Kalanick was ousted and new CISO was hired, the new CEO was told about the breach (again, flying in the face of the argument that anyone other than Kalanick and Sullivan knew about it), and Sullivan was fired. An investigation was instigated, and it was discovered that in efforts to “contain” the breach, Sullivan paid the attackers after they approached Uber saying they had illegally accessed the GitHub repository used by Uber engineers. They claimed to have found AWS credentials and used them to access private data (which should have been encrypted, but, technicalities…) on Uber’s AWS cloud.
Failure to report and an attempt at a cover up
So far, this is typical attacker fare. Getting attacked may be embarrassing, but Uber would have been far from the first or worst to suffer a breach like this. Why, then, the controversy? Instead of declaring a breach, as required by law, Sullivan paid the attackers—allegedly after they contacted Uber saying they had access to a treasure trove of data. He called it a bug bounty, even though the payout was 10X larger than any known bounty paid by Uber. It would not have been illegal for Sullivan to pay the $100,000 in exchange for safe return of the data and details about the exploit (theoretically to learn from the incident and prevent future breaches), despite the exorbitant fee and despite the fact that the attackers approached Uber instead of being hired by Uber to find and/or exploit vulnerabilities.
Sullivan isn’t potentially facing jail time and $500,000 in fines because of a bug bounty program. The charges against him are 1. for attempting to cover up the breach and the claw back of information by requiring the attackers to sign a non-disclosure agreement (a.k.a., a gag order) about the breach, and 2. for obstruction of justice; he failed to report the breach to the proper authorities, including the 57 million people whose records had been breached.
Who’s responsible for what?
Reasonably, the security community is crying foul here: Is the CISO personally obligated or even empowered to report a breach to the public or law enforcement? Possibly not. Does the CISO have an obligation to inform company executives? 100%. Absolutely. The head of Uber’s legal team at the time said she wasn’t informed of the extent of the breach. Possible? Yes. Unlikely? Well, considering that the company was already under legal scrutiny for associated data handling matters…sounds like willful negligence. Is the speculation? Yep. But if that’s the case, how did Uber’s Board of Directors have enough suspicion to hire outside legal counsel to investigate, at which time the breach was discovered?
So is Sullivan a bit of a fall guy? Potentially. But he made some bad, bad decisions, likely aided and abetted by some terrible decisions by fellow executives. Based on conversations with current and former CISOs, including TAG Cyber’s CEO—the former 17-year CISO of AT&T—it’s unthinkable that Sullivan acted autonomously throughout the entire kerfuffle. Yet, he paid the cyber criminals, as the CISO—a position he’d held since 2010. Not his first rodeo. Even if Sullivan’s actions were indisputably honest, there was a breach, he was CISO at the time. He knew the rules of the game.
Affirmative obligation to protect and notify
The moral of this story, then, is this: The job of a CISO is a big one: it’s stressful, it’s time-consuming, it’s hard. CISOs are responsible for everything that happens on their team, which means they are ultimately answerable for the entirety of the security team’s actions—even if a mistake was made at the sysadmin level. That’s the job. Anyone who accepts a job as CISO yet thinks they’re abdicated of responsibility when there’s a compromise of the assets they’re obligated to protect is not suited to the role. Individuals who want to take on the title and (considerable) pay of a CISO but don’t want the responsibility should probably continue to dream about riding a unicorn bounding through poppy fields in The Land of Oz.
Cyber security is a business-critical risk. Over the last 30 years (yes, 30) security practitioners have fought to earn a seat at the table. They have fought to be taken seriously. They have fought for the handsome compensation by arguing all the intricacies and difficulties and pressures of defending an entire enterprise while attackers need identify just one, small vulnerability. And it’s all true! Why, then, would anyone who has fought this hard think it’s OK for a CISO to conceal a breach by forcing criminals into non-disclosure and blatantly disregarding legal mandates? Were Sullivan’s hands tied by his internal organization? Maybe to an extent. But it’s time to grow up and accept the job or look for another one where the stakes aren’t so high.
Where do we go from here?
In the meantime, any security practitioner who feels they are being put in an untenable position or are being ignored when they are trying to do the right thing by reporting a security incident—and goodness knows corporations can make it hard on individuals who are perceived as bucking the system—the advice is this: always create an audit trail. Document, document, document. If the CEO/legal team/HR team/risk team etc. is not taking your advice seriously, if they ignore your guidance or dismiss your concerns, put it in writing. Formally submit your concerns. Treat every incident like your job depends on it, because it does. Can you still be fired? Yes. Can you get another job? Yes. If you’ve done your job with honesty and integrity, a good future employer will see that. If you’ve covered your tracks and cross the line into criminality, you could also be personally facing federal charges. Don’t be that person.
And for goodness sake, implement security measures to restrict access to systems and data, architect for zero trust, continuously monitor, review configurations, conduct regular testing, inventory your assets, encrypt, and just generally harden security controls across your environments. Do these things before a beach. Practice good cyber security hygiene. A breach might still occur under your watch, but at least you’ll know you put honest effort into the job and will be able to demonstrate due care when the time comes.
If you do what Joe Sullivan was indicted for and conceal incident info, even at the behest of your superiors, you not only destroy your career, you destroy the ability of your employer to use insurance resources to help resolve it.— mitchparkerciso speaking at Indiana IT Symposium (@mitchparkerciso) August 21, 2020
