Ex-Uber CSO given three-year probation sentence, avoids prison after guilty verdict

Former Uber chief security officer Joe Sullivan was given three years probation by a U.S. federal judge on Thursday following a headline-grabbing conviction last year over his handling of a data breach.

Federal judge for the Northern District of California William Orrick decided against giving Sullivan any prison time in a tense hearing that involved deep debates over how cybersecurity executives should handle law enforcement investigations.

A federal jury convicted Sullivan of two charges related to his attempted cover-up of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.

Uber was mandated by the Federal Trade Commission to report all breaches after a 2014 hack exposed the names and driver's license numbers of 50,000 people.

Sullivan instead paid the two hackers $100,000 and made them sign nondisclosure agreements but did not inform the FTC. He justified the payments by calling them a bug bounty.

Prosecutors said Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach."

Assistant U.S. Attorney Andrew Dawson said prosecutors wanted the judge to hand down a sentence of 15 months in prison. In addition to his three-year probation, Sullivan will have to pay a $50,000 fine, do community service and will have restrictions on his travel.

186 letters

Orrick said he had received 186 letters — at least one of which was signed by more than 50 chief information security officers (CISOs) — that not only defended Sullivan’s actions but said the case had a larger chilling effect on the entire cybersecurity industry.

Since the verdict was handed down, dozens of CISOs have argued that Sullivan was effectively scapegoated by then Uber-CEO Travis Kalanick and in-house Uber lawyer Craig Clark — both of whom were informed of the breach six hours after it happened.

During the hearing, Orrick even questioned why Kalanick had not faced any charges related to the incident, something Dawson declined to address. Orrick said Kalanick was “at least as culpable as Mr. Sullivan” and noted the peculiarity of the fact that the former Uber CEO wrote a letter in support of Sullivan but never appeared in court during the trial.

Both Orrick and Dawson took issue with how CISOs and others in the cybersecurity industry viewed the case, arguing that it had nothing to do with the tough decisions CISOs have to make when a breach occurs but instead should be focused on obstruction of justice and attempts to conceal a data breach that would have affected millions of lives.

“The subtext of some of the letters that I received was that if I sentenced Mr. Sullivan to a custodial sentence, that they would be afraid of doing their jobs because they might make the same kind of choice that Mr. Sullivan did, and be afraid of going to prison. And I'm not sure that they understand what the facts are,” Orrick said.

“The harm to the FTC and the public from what Mr. Sullivan did was very real. An intentional failure to disclose and concealment should be prosecuted and just punishment should be rendered. Before I read the CISO [letters], I was thinking that the felony conviction was enough to satisfy the terms and certainly many of the letters that I received reflected that. That wasn't clear from a lot of the letters either. And I'm not sure what obligations they understand they have when they're faced with a situation akin to this one. And I think that's perhaps because they don't understand the full facts of this case.”

Dawson said Sullivan deserved a prison sentence because the case was “not about the particularities of bug bounties or any of the cybersecurity techniques that arose here.”

A prison sentence, according to Dawson, would show CISOs that they had a duty to “do what the law required” and not “what the company wanted.”

“From our perspective, this is much better thought of as an obstruction of justice case,” Dawson said.

“I think it is telling that [CISOs] in effect are deceived as well. They have believed the defendant and they have been misled. And not even the jury's verdict or the evidence introduced at trial have disturbed that misunderstanding of what happened here.”

But Dawson was unable to provide similar cases that rose to the level of requiring prison sentences and Orrick noted that the data accessed was never leaked beyond the initial hackers.

Sullivan’s lawyer acknowledged that some of the letters from CISOs said many are “scared that if they just do their jobs, they’re going to be prosecuted.”

But he argued that the case alone had a “huge impact on the cybersecurity community” and has been “the subject of frequent executive team conversations and panel discussions at industry seminars.”

“It has been a significant driver of efforts to change policies and practices to err on the side of disclosure, even when the legal requirement to do so remains unsettled,” Sullivan’s lawyer said.

“[CISOs also wrote] that based on what they've observed, further processes will likely be implemented throughout the industry to better articulate those responsibilities and build a culture of shared accountability. They've gotten that message, your honor. There may be individual CISOs who haven't. But the community itself has.”

Sullivan speaks

Sullivan himself acknowledged some amount of wrongdoing but had a brief back-and-forth with Orrick, where the judge said he was worried CISOs were getting the wrong impression of the case due to their private conversations with Sullivan.

Sullivan noted that as a former prosecutor himself, he had previously worked alongside the FTC and admitted that he would have “done a lot of things differently” – including demanding that former Uber lawyer Clark bring another lawyer to consult on the situation.

In his conversations with other CISOs since the verdict, Sullivan said he has told everyone that they must “demand transparency” from their companies and if they are ignored, they should quit. Sullivan added that his actions hurt his peers in the cybersecurity profession as well as his own family.

“I put myself in a position throughout my career where I could have been a good role model in this case, and instead I was a bad role model. A lot of security executives don't get to the level that I get to, where my voice was actually heard inside the company,” he said.

“And I think that may be why some [CISOs] are afraid, because they don't think they have the strength to stand up in those situations. But I had the chance and I had the strength, but I didn't. I failed in this case. I should have fought for transparency.”

Last week, Deputy Attorney General Lisa Monaco urged cybersecurity and compliance leaders to continue working with law enforcement agencies in a tacit reference to Sullivan’s case.

Monaco told the RSA Conference audience that her office has sought to deepen its work with CISOs and compliance officers, many of whom need law enforcement in dire situations like breaches. But she noted that law enforcement needs to “make sure that that trust is not broken.”

Orrick similarly told Sullivan that he has a duty to become an evangelist among CISOs and spread the message that transparency and disclosure is paramount in situations like the one he faced.

“When you go out and talk to your friends, to CISOs, tell them that you got a break not because of what you did, not even because of who you are,” Orrick said. “But because this was just such an unusual one-off — the first of its kind. If there are more, people should expect to spend time in custody regardless of anything.”

Correction (5/5/23): Sullivan's title was chief security officer.