Security chiefs fear ‘CISO scapegoating’ following Uber-Sullivan verdict

Chief information security officers are split on whether Wednesday’s conviction of Uber’s former security chief Joe Sullivan will have more wide-ranging consequences for people in their position. 

The Record spoke to more than a dozen security executives about the ruling, and their reactions differed widely. Some, like Digital Shadows CISO Rick Holland, said the case will prompt more CISO whistleblowers in the future. Others, like CyberSaint co-founder Padriac O'Reilly, said security chiefs should be prepared to be held responsible for incidents that they are involved in.

The decision this week put a striking finish on an already dramatic security saga. A federal jury convicted Sullivan of two charges related to his attempted cover-up of a 2016 security incident at Uber, where hackers stole the personal details of 57 million customers and the personal information of 600,000 Uber drivers.

Prosecutors said Sullivan "took deliberate steps to conceal, deflect, and mislead the Federal Trade Commission about the [2016] breach" — something U.S. Attorney for the Northern District of California Stephanie Hinds reiterated in a statement. 

“Technology companies in the Northern District of California collect and store vast amounts of data from users. We expect those companies to protect that data and to alert customers and appropriate authorities when such data is stolen by hackers,” she said. “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught. We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users.“

Uber was mandated by the FTC to report all breaches after a 2014 hack exposed the names and driver's license numbers of 50,000 people. 

But when two hackers emailed Sullivan in 2016 to tell him they had broken into the rideshare company’s platform, he paid them $100,000 in Bitcoin and did not notify the FTC. 

The situation has caused a fierce debate among CISOs. Some believe more people were to blame beyond Sullivan, while others say he fully knew the consequences of not informing the FTC.

While prosecutors said then Uber-CEO Travis Kalanick and in-house Uber lawyer Craig Clark were informed of the breach within six hours, there was not enough evidence to charge Kalanick with any wrongdoing and Clark was given immunity to testify against Sullivan. 

A lot of people are conflating legal issues when discussing the Joe Sullivan/Uber - be careful of the red herrings. It’s not about breach notification, it’s not about bug bounties—it’s about lying to a regulator about information responsive to an open investigation and subpoena.

— Whitney Merrill (@wbm312) October 6, 2022

‘Expect more whistleblower CISOs’

Casey Ellis, CTO at Bugcrowd, said the verdict has already “sent shockwaves through the CISO community” and highlights the personal liability involved in being a CISO in a dynamic policy, legal, and attacker environment.

Deepwatch vice president of security strategy Bill Bernard told The Record that CISOs are already under enormous pressure from a company’s board, shareholders and C-level peers to minimize security incidents

“I expect more ‘whistleblower’ CISOs to come out of the woodwork over time. The pressure as a CISO is overwhelming to spend no money, plug all the holes, and never have an incident to report,” he said. “We have to move to an understanding beyond this: there will always be breaches, we have to accept that. It is how we address the breaches when they happen, and how we improve the programs by which CISOs need to be judged.”

Digital Shadows' Holland said the conviction opens up the prospect of "CISO scapegoating,” making an already challenging job even harder. 

Holland echoed Bernard in theorizing whether there will be more whistleblower cases as was seen recently with Twitter’s former security leader. 

Several security experts said CISOs may approach management directly to ask how they would respond to the situation Uber faced. 

“I expect to see more CISOs negotiating ”directors and officers” insurance into their employment contracts. D&O insurance offers personal liability coverage for decisions and actions the CISO might take,” Holland explained. 

“In addition, in the same way that both the CEO and CFO became responsible for corruption on the heels of Sarbanes Oxley and the Enron scandal, CISOs shouldn't be the only roles guilty in the event of wrongdoing around intrusions and breaches. CISOs must effectively communicate risks to the company's leadership team but shouldn't be solely responsible for cybersecurity risks.”

Who is liable?

Other CISOs were more critical of Uber and felt like the company’s other executives effectively used Sullivan as a scapegoat. 

Contrast Security CISO David Lindner said Sullivan deserved to be convicted for attempting to cover up a breach, but that there needs to be even more accountability of top executives and even board members. 

The case has set a terrible precedent that “creates confusion around who should take liability for decisions during an incident response event,” according to JupiterOne CISO Sounil Yu. 

“In this particular case, it was clear that Joe Sullivan coordinated his actions with the blessing of executive management, yet Joe was the one that ended up holding the bag. This is like court martialing a soldier but letting their commanding officer who gave the order go scot free,” Yu said. 

“We CISOs will need to closely review our incident reporting policies (perhaps with our own personal attorney) to ensure that it is clear how and when liability for certain decisions are transferred to the firm or to other identified executives. Until there is greater clarity on who owns the liability, the net effect may be that CISOs will push to report more than the executive management may be comfortable with.”

Cerberus Sentinel vice president Chris Clements explained that the temptation to hide or deny a security incident is going to occur – especially if the cause is embarrassing. Considering most breaches are not the result of sophisticated attacks, this feeling is incredibly prevalent among CISOs, Clements said. 

He noted that after the breach was discovered, it was communicated to an internal lawyer and the CEO who okayed the plan to conceal the incident. Clements said he believes the conviction will have an impact on how CISOs approach their job. 

“If CISOs believe that the organization isn’t giving them the support and resources they need to be successful, they need to be very vocal about it by documenting as much as possible. If it’s a situation that doesn’t improve, they are much more likely to look for a role elsewhere with less risk,” he noted.  

“It will also reinforce their need to be honest with investigators, and honesty that might keep them out of legal trouble but introduce professional consequences. It’s important to acknowledge that whatever the cause and associated impact of the breach, the punishment of the CISO was for lying to regulators during the ensuing investigation. If they had been open and honest about the situation, it’s almost certain this wouldn’t have been the outcome.”

‘There is a C in the CISO’

Other CISOs were less forgiving of Sullivan, with a number of security leaders telling The Record that part of what comes with the title is a sense of responsibility. 

Padriac O'Reilly, co-founder of cybersecurity company CyberSaint, said CISOs should in theory face liability if they misrepresent practices or hide information from regulators, as was done in Uber’s situation. 

“There is a C in the CISO title, after all. There is a bit of gallows humor among those who hold the position, and it relates to their culpability for incidents or practices that may pre-date their arrival as chief information security officer,” O'Reilly said. “They tend to be held responsible, in other words, for things they might not have had a say in. It would be surprising, then, to hear that collectively they would be surprised to be held accountable for something they directly participated in doing.”

He added that there are practices in risk management that allow CISOs to socialize risk, control damage, and do this all out in the open.

O'Reilly said the CISO role is evolving and will now have to accept that it faces the same scrutiny as CEOs and other leaders. 

Bugcrowd’s Ellis said one side effect of the conviction may be a greater focus on the need for federal privacy legislation, which would have provided a clearer understanding on the ramifications of mishandling user data or vulnerability information. 

But SafeBreach CISO Avishai Avivi said the issues raised during the trial and with Sullivan’s conviction are ones good CISOs should have already been considering. 

“In a sense, those who only now consider these factors concerning their interest in the CISO role are probably not ready to shoulder the responsibility the role brings with it,” Avivi said. 

“To paraphrase U.S. President Truman, ’The cybersecurity buck stops with the CISO.’ Every officer of the company bears responsibility and liability for the role."