DOJ urges CISOs to continue working with law enforcement ahead of Uber security chief’s sentencing

SAN FRANCISCO — Deputy Attorney General Lisa Monaco urged cybersecurity and compliance leaders to continue working with law enforcement agencies, tacitly responding to concerns raised by cybersecurity officials after the conviction of Uber’s former security chief.

Joe Sullivan, who was himself a prosecutor before becoming Uber’s head of cybersecurity, will be sentenced next week after being convicted in October of two charges related to his attempted cover-up of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.

Prosecutors said Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach" — something U.S. Attorney for the Northern District of California Stephanie Hinds reiterated in a statement.

Several CISOs previously warned that the case would have a chilling effect on those involved in handling a company’s security incident and may make cybersecurity chiefs wary of involving law enforcement out of fear of being scapegoated.

When asked about this onstage at the RSA Conference here on Monday, Monaco said the incident involving Sullivan was vastly different from others because of specific actions he took to conceal facts from the FTC.

Uber was mandated by the FTC to report all breaches after a 2014 hack exposed the names and driver's license numbers of 50,000 people. But when two hackers emailed Sullivan in 2016 to tell him they had broken into the rideshare company’s platform, he paid them $100,000 in bitcoin and did not notify the FTC.

“Those were intentional acts, as was proved at trial, and very, very different from a mistake made by a CISO or compliance officer in the heat of a very stressful time,” she said.

“This intentional activity, misleading the FTC, has nothing to do with the well-meaning and stressful work that CISOs and compliance officers have to deal with in the heat of the worst day of their lives if they're undergoing a breach.”

Several CISOs acknowledged Sulliavan’s wrongdoing but questioned why no one else faced repercussions for the incident. Then Uber-CEO Travis Kalanick and in-house Uber lawyer Craig Clark were informed of the breach within six hours.

Prosecutors gave Clark immunity to testify against Sullivan and said there was not enough evidence to charge Kalanick with any wrongdoing. At least one CISO told Recorded Future News in October that they believed Sullivan was essentially left “holding the bag” after coordinating with the leaders of his company about an incident.

Others theorized that CISOs may begin to negotiate insurance into their contracts covering any personal liability that results from decisions or actions they may be asked to take from management.

Monaco told the RSA Conference audience that her office has sought to deepen its work with CISOs and compliance officers, many of whom need law enforcement in dire situations like breaches.

But she noted that law enforcement needs to “make sure that that trust is not broken.”

‘Pivot to disruption and prevention’

When it comes to cyber activity, the Justice Department has been forced to shift from a focus on prosecutions to actions that have real-world impact on victims, Monaco explained to interviewer and former Cybersecurity and Infrastructure Security Agency Director Chris Krebs.

Before becoming deputy attorney general, Monaco served as homeland security advisor under President Barack Obama from 2013 to 2017.

Justice Department leaders “took a hard look” at how they approached cyber, eventually realizing that they needed to “pivot to disruption and prevention.”

“The direction we've given to our prosecutors and investigators is you have to have a bias towards action to disrupt and prevent, to minimize that harm that's ongoing, to disrupt it and take that action to prevent the next victim. Doing so will not always yield a prosecution,” she said.

“It's tough for prosecutors to say that's fine, right? We're not measuring our success only with courtroom action and courtroom victories. This is about preventing and disrupting and putting the victims at the center.”

She listed off several examples, from the seizure of the ransom payment made by Colonial Pipeline to actions disrupting both the Hafnium campaign by Chinese state actors and the Cyclops Blink operation by Russian army hackers.

“We took a hard look at the Justice Department and said, ‘How can we maximize our tools’ and what we can bring to this from the Justice Department perspective?” she added. “Then the other issue is we needed to put victims at the center of our approach.”

Monaco cited the DOJ’s most recent work shutting down the Hive ransomware gang’s infrastructure, noting that in the past, an operation like that would be considered “heresy” because it was not likely to lead to prosecutions.

But the net benefit of the action – Monaco claims the decryption keys stolen from the group and distributed to victims prevented $130 million in ransoms – was more valuable than the prospect of any Hive actors seeing a courtroom.

“What we did there was use our legal authorities, get into that network – a top five ransomware network – and patiently laid in wait in a 21st century cyber stakeout to really watch what was going on,” she said.

“Doing more and more of that is what we're all about. Because we have to send the message that we cannot get after this threat if we are not working together.”