It’s never the data breach — it’s always the cover-up
The obstruction of justice and misprision of a felony charges levied against Joseph Sullivan, former Uber chief security officer (CSO), sent shock waves through the cybersecurity community. CSO and chief information security officers (CISOs) rightfully wondered what these charges mean in terms of their own culpability for decisions made on the job.
CSOs and CISOs handle sensitive data, make difficult decisions, and consider their responsibility to the company and its shareholders when making those decisions. Legal, regulatory, and privacy issues also feature heavily in these decisions.
The narrative in the charging documents (Note: This is not yet a criminal indictment) issued by the FBI against Uber’s former CSO (Sullivan) paints him as actively masterminding and executing a plan to cover up a major data breach, obstruct federal regulators, and conceal activity from senior executives.
The Case Against Uber
A data breach in 2014 exposed the records of 50,000 Uber drivers. In 2016, the Federal Trade Commission (FTC) investigated Uber for the 2014 data breach. Approximately 10 days after Sullivan provided sworn testimony to the FTC, he learned of a second data breach involving similar records but on a much larger scale. This time, the breach included millions of records. Uber and Sullivan cooperated with investigators, and the hackers were caught and charged.
According to the charging document, Sullivan, former Uber CEO Travis Kalanick, and others took the following steps after learning of the 2016 data breach:
They confirmed the data was real.
Sullivan modified an existing bug bounty program to pay a ransom to keep the hackers from exposing the data breach publicly.
The bounty amount paid was 10 times higher than the maximum of the existing bug bounty program, and the breach type and records were also not covered by the existing bug bounty program.
Sullivan required that the hackers sign a non-disclosure agreement (NDA), another change to the existing bounty program.
Sullivan did not mention the 2016 hack to the FTC.
Sullivan did not fully explain the data breach to the new Uber CEO in 2017. Note that Sullivan is not charged for the first four. Instead, these are being used as supporting evidence for the charges of obstruction of justice and misprision of a felony.
The Other Side Of The Story
In November 2016, Uber learned of a data breach. Hackers threatened to expose the stolen data. Uber paid a ransom to the hackers under its bug bounty program and made the hackers sign NDAs to avoid the breach becoming public knowledge.
Sullivan did not inform the FTC during the sworn investigative hearing because he couldn’t have: Sullivan learned of the 2016 breach 10 days later. To inform the FTC, Sullivan would have needed to reach out and inform them about a separate, new, but similar breach. There’s also some confusion as to whether Sullivan was under any legal obligation to do so.
Sullivan briefed the new CEO in 2017 but did not provide the details necessary for the new executive. This is not necessarily surprising since communication between senior security leaders and senior executives remains a challenge.
This version of the facts matches the case laid out in the charging documents but does so by examining the decisions without viewing them as linked to criminal activity. If this case goes to trial, Sullivan’s attorneys will have a chance to offer their own version of events.
Sullivan is innocent until proven guilty. But regardless of the outcome, for CISOs, there’s a critical lesson here. You must consider how decisions made in the moment can be interpreted, construed, or proven to be criminal after the fact.
What Should CISOs Take Away From The Charges?
Here’s what senior security leaders should know and understand about these events:
This is a warning to CSOs and CISOs: Remove all sense of impropriety in IR. Concealing a data breach is illegal. Every decision made during an incident might be used in litigation and will be scrutinized by investigators. In this case, it’s also led to criminal charges filed against a well-known security leader. If your actions seem to conceal rather than investigate and resolve a data breach, expect consequences.
Neither the ransom nor the bug bounty are at issue here. Paying the ransom through the bug bounty was alleged to help conceal the breach. Firms should develop a digital extortion policy, so that there are no allegations of impropriety should they choose to pay a ransom. In addition, the guidelines of your bug bounty program should not be altered on the fly to facilitate non-bug bounty program activities.
Work closely and openly with senior leadership on breaches and issues of ransom. Sullivan tried to get the hackers to sign non-disclosure agreements — a legal document between two legitimate entities effectively acknowledging the hackers as business entities — which allowed Uber to treat the hackers as third parties. Treating the ransom as a “cost of doing business” helped them conceal the payment from the management team as well. The charging documents state that only Sullivan and Kalanick were aware of the payment and the way it was routed through the bug bounty program. No other senior leaders were involved.
It’s the CISO’s job to make leadership understand the importance of cybersecurity. Often CISOs and other security and risk leaders will note that it’s hard to make board members and CEOs understand the technical points around cybersecurity and breaches. While that is most certainly true and understandable, it’s not a valid reason to allow for failures. If the board doesn’t understand, the CISO must make them understand, even if they have to whiteboard the issue. Make them understand. Failure is not an option.
The CISO job can be high risk, high reward; take steps to protect yourself. Burnout is a very real concern, while other risks can include legal liability on the job and becoming a scapegoat. If you have the ability to negotiate, consider a rider to the company’s corporate director and officer liability insurance policy, which offers you coverage, or have your CISO position added as an officer to the company’s bylaws, which offers you the same indemnification as other C-level officer positions. Ever hear of golden parachute clauses for executives? CISOs can have golden bullet clauses.
For more cybersecurity insights, be sure to register for Forrester’s Security & Risk Global, a live, virtual event on September 22–23, 2020, to learn about emerging cyberthreats, new regulatory requirements, and the latest tools and strategies needed to keep your enterprise secure.
This post was written by Principal Analyst Jeff Pollard, and it originally appeared here.