
Ex-Uber CSO Joe Sullivan on why he ‘needed to recover from’ shock of data breach conviction

Before joining Uber as chief security officer in 2015, Joe Sullivan served for two years as a federal prosecutor with the US Department of Justice, where he specialized in computer hacking and IP issues. He worked on a number of high-profile cases, from the first prosecution in the U.S. under the Digital Millennium Copyright Act to the prosecution of a hacker who breached NASA’s Jet Propulsion Laboratory.

More than 20 years after joining the U.S. government to help organizations defend against the so-called bad guys, Sullivan found himself on the other side of the justice system.

In October 2022, a San Francisco jury found him guilty on charges of obstructing an official proceeding and misprision of a felony (a failure-to-report-wrongdoing offense). In May this year, Sullivan was sentenced to a few years of probation.

The irony is not lost on Sullivan, who spoke to TechCrunch in London this week prior to his keynote speech at the cybersecurity conference Black Hat Europe.

This precedent-setting case relates to a breach of Uber’s systems in 2016, where hackers threatened to expose the data of 50 million Uber customers and drivers. The verdict centered primarily around Uber’s decision not to report the breach to the Federal Trade Commission, as the company was mandated to report all breaches after an earlier 2014 hack of its systems exposed the names and driver’s license numbers of 50,000 people.

The case did not go as Sullivan, who was fired from Uber in 2017, had expected.

“We thought we were going to win the trial. We barely put on a defense because my lawyers were like, ‘we don’t need to.’ I didn’t testify, so the jury never saw me. They just saw the anonymous Uber executive with a mask on,” Sullivan told TechCrunch during the interview on Wednesday.

The first-of-its-kind verdict hit Sullivan hard initially. “When I lost the trial last October, I was in a funk, I didn’t want to talk to anybody, and I didn’t know what would happen to my life,” he said. “I just wanted to curl up in a ball.”

Sullivan’s case also triggered anxiety among fellow CSOs and CISOs, a number of whom wrote letters to the case’s sentencing judge, William Orrick, praising Sullivan’s actions and voicing their fears that they too could face legal consequences for simply doing their jobs.

“Joe’s case has had a huge impact on the cybersecurity community,” one letter, signed by more than 50 CISOs, read. “It has been the subject of frequent executive team conversations and panel discussions at industry seminars, and a significant driver of efforts to change policies and practices to err on the side of disclosure, even when the legal requirement to do so remains unsettled.”

Those fears have lasted long beyond Sullivan’s conviction. The former Uber CSO, who now works as CEO at a nonprofit devoted to providing humanitarian and technology aid to the people of Ukraine, told TechCrunch that he receives calls every week from security professionals asking whether they should stay in the industry and whether they should take interviews for higher-ranking roles that come with greater responsibility, and greater risk.

“What I tell the security executives right now is that they shouldn’t run away from the job — they should run towards it,” Sullivan said, noting that the shared anxiety among cybersecurity professionals, together with the fact that he wanted to be a “better person,” is part of the reason he wanted to start speaking out about the Uber data breach case.

“I realized that sharing what I’ve gone through is better than not, and healthier for me. It’s taken me a year to say that, but that’s the right way to be,” Sullivan told TechCrunch. “I was very bitter, but I want to be a better person. I also want to continue being part of the security world, so I have to get over it.”

Sullivan told TechCrunch that another reason he is keen to speak out is that there have been “100 webinars, by 100 lawyers, saying that ‘you won’t end up like Joe if you have insurance, if you bring legal and PR into the room, or if you have a breach responsibility policy.’”

“We did all of those things [at Uber],” Sullivan said. “We had insurance; there was a data breach response policy; we looped in PR, and the CEO [Travis Kalanick] signed off on everything, including the dollar amount,” he added, referring to the $100,000 payment that was made to the two young men who found the vulnerability that led to the 2016 Uber breach.

When asked whether he believed Uber’s then-CEO should have been held accountable, Sullivan said: “I don’t think anybody did anything wrong at the end of the day.”

“Uber wouldn’t exist today — in fact, we would still be taking taxis — if it wasn’t for [Kalanick] and his sheer forcefulness,” Sullivan added. “On the upside, he drove some change in the world. However, on the downside, his philosophy was that the person who threw the first punch wins the fight.”

Fixing a broken industry

In what Sullivan describes as “the greatest irony of his career,” part of his role at the Department of Justice involved working closely with organizations in Silicon Valley in order to encourage more collaboration with the government. “That’s been the story of my career; trying to get the public and private sectors to work together.”

Sullivan believes that going forward, this public-private sector collaboration, together with strong regulation, is the only way to fix the “broken” cybersecurity industry.

“When I joined, [Uber] had the worst security of any $40 billion company, and that can’t fly in the world anymore. If you’re going to sell a product, your security has to be good enough the day you sell it,” Sullivan said. “I could be very bitter about the idea of government regulation since I was regulated, but I also think we need it for the internet to work well in the future.”

Sullivan praised the U.S. Securities and Exchange Commission’s incoming data breach disclosure rules, which come into effect on December 15, noting that while not perfect, they are much better than having zero guidance. “We can nitpick the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who’s criticizing the SEC less than everyone else because I think we should praise them for trying to make rules.”

As for CSOs and CISOs, many of whom are still worried that they will be held personally liable for security failings at their organization, Sullivan believes that now is the time to speak out in order to shape any future regulation.

“We have to pull ourselves up, we have to learn the policy side of it, and we have to learn how to make our voice heard,” Sullivan told TechCrunch. “I think we have to develop leaders who can be real societal leaders who are experts in our profession.”
