A federal jury found former UBER CIO Joe Sullivan guilty last week of obstructing a federal proceeding and misprision of a felony for his role in concealing, and misrepresenting to his employer and the federal government, a ransomware attack on Uber in 2016.
What Happens When a Breach Gets Labeled a Bug Bounty?
Sullivan had negotiated with the hackers to pay them what he termed a “bug bounty” of $100,000, and kept those meetings secret, known only to himself and a very few others. Uber was already being investigated by the FTC over a similar 2014 breach and was about to be cleared when the more recent event occurred. It was a unique moment during the trial when the hackers involved in the Uber ransomware case were called to the stand to testify for the government about the transaction and their negotiations with Sullivan, showing the control and power they held over Uber through its data. The trial lasted nearly a month, but it only took the jury of 12 people two and a half months to convict Sullivan.
Sullivan, who had a fair amount of support from the CIO and CISO world during this entire ordeal, will be sentenced at a later date. He faces a maximum of five years in prison for the obstruction charge and a maximum of three years in prison for the misprision charge. Both sides will be able to submit sentencing recommendations to the judge, who will also take into account the Federal Sentencing Guidelines and an investigation into Sullivan and his background conducted by court services.
CISOs and CIOs Should Take Note
What does this mean in the future for CISOs and CIOs who may face the same set of circumstances? Even before this verdict, the weight of responsibility had been shifting to people outside the information security function, through specific policies requiring reporting to general counsel, to the organization's board of directors, and most importantly, to the cyber insurance company that may bear the burden of covering the loss. In other words, the process of cyber governance and reporting is being spelled out to the nth degree, partly because of the merits of this case.
Defenders of Sullivan note that he did inform Uber’s CEO the day after the breach occurred, and argue that Sullivan was being made a scapegoat by Uber. Jody Westby of Forbes Magazine makes that compelling argument.
Maybe this case is a fine example of two things being true at the same time without being mutually exclusive. Sullivan had multiple opportunities to reveal this act for what it was, rather than cover up the matter by calling it a “bug bounty”. His continued concealment and misrepresentation of the matter to everyone he had a legal or ethical responsibility to inform was ultimately his undoing. Although no other parties involved in the case were held criminally liable, Uber still paid $148 million in fines to the federal government and all 50 state governments, as laid out in this very interesting DOJ Non-Prosecution Agreement, which stated that by paying the fines and cooperating during Sullivan’s trial, neither anyone else from Uber nor the company itself would be charged criminally. Perhaps the reasoning was that it was more beneficial for the government to seek redress from a solvent company than to hold it criminally liable and risk recovering little to nothing as Uber’s value declined.