Oct 12 2022

The Cyber Letters – Uber Executive Convicted

In 1942, the author CS Lewis published a book called The Screwtape Letters. These were a series of thoughts between a mentor and mentee (uncle and nephew). A few years later the Marine Corps Gazette used this format to discuss concepts between a fictitious General and Captain called The Attritionist Letters.

We have several legal experts here at Layer 8 Security. Over the coming months, we will feature a series of debates on our blog involving legal issues that are important and relevant to the cyber community called The Cyber Letters.

Our first entrée will be a discussion on the legal case against Joseph Sullivan, a former Uber executive who has been convicted of criminal obstruction charges for his role in paying hackers who claimed to have discovered a security vulnerability within Uber’s systems.

Our bloggers' identities are concealed, save their noms de guerre for this debate.

‘Claymore’ opens with these thoughts:

On Wednesday, October 5th, a San Francisco jury found Joseph Sullivan, the former Chief Security Officer for Uber, guilty of criminal obstruction and of failing to report a felony for not reporting a 2016 cyber hack to federal authorities. He may receive up to five years in prison for the obstruction charge and up to three years for the failure to report a felony charge. He should get the full eight years in prison.

The FTC was in the middle of investigating Uber for a previous cyber breach when Uber was approached by anonymous hackers saying they had found a flaw in the company systems. They had downloaded sensitive company data and demanded $100,000. Instead of reporting the hack as required, they tracked down who the hackers really were, enrolled them in Uber’s bug bounty program, had them sign an NDA, and then paid the $100K in bitcoin.

Sullivan used the “bug bounty” as justification for not reporting the breach. In a real bug bounty program, the white hat hackers who discover a flaw in your systems don’t download sensitive data on 57 million customers and then demand $100K while remaining anonymous. Those are criminals.

Sullivan reportedly believed the customer data was now safe, because the attempted extortionists had signed an NDA which said they had not given that data to anyone and had destroyed it. An NDA signed AFTER they had already stolen the data and tried to extort money for it. Of course, I would absolutely trust the word of the criminals.

It is clear that Sullivan was blatantly trying to cover up the hack, and the exposure of all of that customer data. He deserves a heavy punishment.

‘Cicero’ defends thus:

No. In the trial of former Uber Technologies Inc. executive Joe Sullivan, in USA v. Sullivan, based on the limited information made available, I do not believe that the defendant should be subject to incarceration for his actions. Several issues, including precedent, are germane:

1. Imposing jail sentences for the decision making of executive security professionals could have deleterious effects. Most significantly, jail time for Sullivan could make attracting and retaining the best and the brightest infosec professionals difficult and could leave a lasting stain on the reputation of the field itself.

2. The issue, or non-issue, of legal precedent – While this is the first criminal case of any notoriety brought against a Chief Information Security Officer, there may not be a second. In the time that has transpired since the incident, the practice of paying off hackers has become an acceptable outcome as Insurance Companies have embraced the practice. Unless specifically paying off named Terrorist Organizations, the FBI has indicated that they will not pursue sanctions against payments.

3. Making the Security Officer a “Scapegoat” – Most significantly, Sullivan did not engage in his activity alone: it seems clear from the testimony presented that immediately upon becoming aware of the breach Sullivan informed Travis Kalanick, Uber Founder and then CEO. Throughout the trial, evidence was introduced that Kalanick, Uber’s Chief Privacy Officer, and Legal Counsel were all kept fully in the loop, were all made aware of, and all signed off on the chosen course of action.

While we may never know what Sullivan did or did not do, or what his intentions truly were, to punish Sullivan alone, and not the decision makers, would be a real travesty.

Debate is welcome and encouraged. How does the community feel about this conviction?

Photo by charlesdeluvio on Unsplash