As Ex-Uber Executive Heads To Trial, the Security Community Reels (nytimes.com)
Joe Sullivan, Uber's former chief of security, faces criminal charges for his handling of a 2016 security breach. His trial this week has divided the security industry. From a report: Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber. When the security community made its annual summer pilgrimage to Las Vegas for two conferences, Mr. Sullivan was an easily recognizable figure: tall with shaggy hair, wearing sneakers and a hoodie. "Everyone knew him; I was in awe, frankly," said Renee Guttmann, who was the chief information security officer for Coca-Cola and Campbell Soup. "He was an industry leader." So it came as a shock to many in the community when Mr. Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before. Despite the scandal, Mr. Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company.
But the investigation into the incident at Uber continued, and in 2020, the same prosecutor's office where Mr. Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Mr. Sullivan has pleaded not guilty to the charges. Mr. Sullivan stepped down from his job at Cloudflare in July, in preparation for his trial, which begins this week in U.S. District Court in San Francisco. Other chief security officers are following the case closely, worried about what it means for them. [...] At the very least, security executives are worried about being on the hook for potential legal bills. Charles Blauner, a retired CISO and cybersecurity adviser, said security chiefs had taken a strong interest in directors and officers insurance, which covers the legal costs of executives who are sued as a result of their work with a company. "A lot of sitting chief information security officers are going to their bosses and asking if they have D.&O. insurance and, if not, can I have it?" Mr. Blauner said. "They are saying, 'If I'm going to be held liable for something our company does, I want legal coverage.'" After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in the criminal case, and they reached a private settlement.
RTFA (Score:5, Informative)
Here [archive.ph] is an actual readable article, rather than a paywalled link.
Thanks for the link (Score:1)
Actually RingTFA turned out to be a waste of time because it's an excuse to say "hackers" and "hacking" a lot, then complaining about how holding the CISO accountable for the whole company is totes unfair. Notably absent are details of what really happened. The closest to a reason for prosecuting at all seems to be that there was a data breach and Uber didn't notify the users or the government. This apparently isn't the CISO's call alone (or at all). The prosecutor must know this, so important parts of the s
Re: (Score:2)
According to the article, since Sullivan was a former prosecutor, he was fully aware of legal notification requirements. He can't hide behind "but CEO/Legal makes that decision" because it isn't a policy decision, it is a law.
About time (Score:4, Insightful)
It's about time people at these companies face real consequences for their misdeeds and/or incompetence.
Those fuckers at Equifax should have received this treatment, including the technical fuckers who fucked things up.
Re: (Score:3)
When you're innocent, but your boss, say, does an end-run around your policy and turns off the password for AD admin in a flagrant act of incompetence, maybe not so much. A good chunk of criminal law is founded on intent and malice.
Re: About time (Score:3)
...and negligence.
Re: (Score:2)
As a "C" level person, the boss is that amorphous group called the management committee... And he was a part of that along with the board of directors. He was part of the decision making process, not "just following orders".
Malice in actions becomes inherent in every act executed.
Re: (Score:2)
Which if you ask me is an argument for why the corporate veil should not be penetrated here. He did not really make this decision in isolation. It's not like the rest of the management team was unaware of what was going on, and while maybe not experts, it's unlikely they were unaware of the major concerns and legal questions - they chose not to ask.
There were also probably persons who were 'just following orders' who more than likely would have seen or been asked to do things that did not pass the smell test. Things li
Re: (Score:2)
Re: (Score:2)
Well that is the problem. The punishments have to be severe enough that they impact the company to the same degree a prison sentence impacts one's personal life.
If the penalty isn't stiff enough, for example that it allows most of your near-size competitors to utterly leapfrog you in market share, it was not enough.
It has to be that way - enough to make the other partners, management team, and ownership all watchful and of the attitude "better not let others here do shady shit because it will bring down the entire
Re: (Score:2)
It sounds like he broke the law, and, being formerly in charge of prosecuting people who broke that law, was well aware of it.
In cases where a company comes up with a policy that leads to bad things happening, sure, hold the company responsible.
In cases where individual people knowingly make, execute or support activity that breaks the law, absolutely they should be held responsible as individuals.
Re: (Score:2)
He was part of the decision making process, not "just following orders". Malice in actions becomes inherent in every act executed.
I can tell you that as an actual CISO at many companies, you aren't really in the "C suite." The real decision makers are the CEO, COO, CRO and General Counsel. The CISO is elevated to a "C" level position for propaganda about "we value security," but is rarely actually treated as such.
In the case of a data breach announcement, the CISO could easily be overruled by General Counsel.
need an company level criminal liability as it can (Score:2)
We need company-level criminal liability, as it can be hard to pin the crime on one person, even more so in a big company.
In big ones, executives are not the ones doing the hands-on work, and there are lots of budgets and other stuff that make it kind of hard to pin it on one guy.
Re: (Score:2)
I disagree. If something like this happens, the only thing that should shield the CEO and the specific C-level (here typically CISO or CSO) from liability is if the actual problems were hidden very well and reasonable measures were not able to find them. That is almost never the case in the IT field.
It is, for example, the case with cleverly done insider fraud. The CFO becomes liable if controls were neglected and warning signs ignored. The CFO does not become liable if the fraud required an in-depth forensic e
C-levels yes but not the low man doing the real wo (Score:2)
C-levels yes but not the low man doing the real work.
And let's say that low man has been asking for funds to replace X old system and they did not get them, and they got hacked through that OLD system?
Re: (Score:2)
C-levels yes but not the low man doing the real work.
And let's say that low man has been asking for funds to replace X old system and they did not get them, and they got hacked through that OLD system?
It depends. If the "low man" is qualified and fucks it up by negligence, then yes, also the "low man". If, on the other hand, the "low man" did his job, made the right recommendations, and it was just that the decisions by others did not follow through, then there is no negligence.
Re: (Score:1)
It's about time people at these companies face real consequences for their misdeeds and/or incompetence.
Sorry, but the "lock 'em up for incompetence" part sounds too much like that Karen who called 911 because McDonalds messed up her order. It should never be illegal to be an idiot at your job. Now, if a company for some reason keeps incompetent idiots on their payroll and it results in harm to the public, by all means fine the company/revoke their license/etc.
Re: (Score:2)
I dunno, I've worked for some idiots. Idiots who lost their license to do business in that State, so simply moved to another State and repeated their actions. And other idiots who would have lost their license to do business but moved their official central office (albeit one consisting of a secretary and a janitor) to a "friendly" State, thus bypassing the rules of the State they actually conducted business in. And idiots who peddled drugs to their bosses in order to keep their jobs.
These are people who
Re: About time (Score:1)
There is such a thing as constructive negligence. Sounds like the CISO was completely unqualified and potentially lied about his qualifications and the things he did to make himself out to be a rockstar.
Sysadmins and department/unit managers commonly carry insurance for legal liability when we screw things up because we all know the blame never bubbles up.
Re: (Score:2)
It should never be illegal to be an idiot at your job.
Wait what? No, for simple things like messing up an order? No. But for designing buildings that collapse, or foods that harm people, or devices that don't work... If you're an idiot, then you need to lose your job and be liable for your actions.
Re: (Score:3)
Ah, I don't want to drive on bridges (or in cars) in your world. One feature of actual professions is that you absolutely can be held responsible for being an idiot in your job.
Re: (Score:2)
I agree. We need executive and engineering accountability for fucking things up this badly. That said, if the people that messed it up on the tech side were not actually qualified or were not given adequate funds and time, then only the C-levels are the ones that need to be held criminally liable. You can expect a qualified engineer to work according to professional standards and the state of the art. You cannot do that if the environment makes this impossible (you can expect them to quit and I know people
INFORMATION Security (Score:1)
"Security" has other meanings, so must be qualified.
An Editor would know that.
Re: (Score:1)
Yesterday I was reading the literature that came with a wireless access point. I was puzzled when I read "For security reasons, don't mount with the louvers up". It took me a minute to realize that "security" meant "so it won't slip out of the mount and fall off the wall".
An interesting viewpoint (Score:5, Interesting)
"They are saying, 'If I'm going to be held liable for something our company does, I want legal coverage.'"
The company is an abstract organization. It doesn't *do* anything. The people in it do things. Apparently they're upset that they can't lay the blame for their actions on the doorstep of an abstract conception that cannot be responsible and cannot be punished.
Re: (Score:3)
Shirking personal responsibility is the whole purpose of a corporation. This is consistent with the protections the CEO enjoys when the company poisons the water supply.
Re: (Score:2)
Shirking personal responsibility is the whole purpose of a corporation.
Insulating individual investors from the actions of the corporation is their purpose. So if the responsibility can't be placed upon Uber itself, I guess all of the shareholders will have to be collectively charged with the crimes.
Re: (Score:3)
Actually, companies absolutely can and should be punished for their actions, as well as executives. Neither of these things happens enough.
In the case of a CISO, I would want in writing legal coverage should any criminal charges arise specifically from my employment. If I say "you have a legal requirement to do X", and the CEO says "oh yeah, let's make sure we do X", then refuses to actually DO IT... it's not my fault.
I haven't been a CISO directly, but I've been in the situation where lip-service is paid t
Re: (Score:2)
Sure. Fire and possibly sue. But criminal actions should be reserved for explicitly criminal behaviour. In this case criminality was probably correct. "Obstructing justice and concealing a felony".
However, incompetence, and even negligence, provided it isn't explicitly criminal, should never be pursued that way.
Re: (Score:2)
Agree.
So let's make it criminal, because just being civil is now just part of doing business.
Re: (Score:2)
Turning anything that is civil into criminal is not trivial. I don't like slippery slope arguments, but this is one time where it's appropriate. Let's say I'm a contractor asked to build something time sensitive for a company, with material impacts if I fail to deliver - and I do in fact fail to deliver for whatever reason. Am I risking a criminal record and jail time?
Re: (Score:2)
"If I say "you have a legal requirement to do X", and the CEO says "oh yeah, let's make sure we do X", then refuses to actually DO IT... it's not my fault."
No, it's the CEO's fault. The "corporation" didn't decide not to do X, the CEO did.
Re: (Score:2)
Actually, companies absolutely can and should be punished for their actions, as well as executives. Neither of these things happens enough.
I completely agree.
I also know an ex-CISO that quit a very well-paying position after 4 weeks, because he found out that he had no chance of doing a good job because they did not want him to. They just wanted a fall-guy.
Re: (Score:2)
Is this an argument against any kind of regulation and/or regulatory teeth for remedy on private sector organizations?
Because I think the very fact that this isn't how things operate in practice in any developed economy - that both organizations AND people can be found responsible and punished or forced into remedial action depending on the details of events, actions, processes, policies, etc. - speaks to the idea that we determined long ago that that's far too simplistic and there are Mack truck sized looph
Re: (Score:2)
The company is an abstract organization.
But sometimes a company is a person [wikipedia.org]. I guess it's up to them when to claim personhood (when there are rights to be exercised or benefits to be collected) or become abstract when there are consequences to be held accountable for.
How can I become one of these entities and shape-shift into the most convenient legal form that suits my current purpose?
Your guess happens to be wrong (Score:2)
> I guess it's up to them when to claim personhood
That guess happens to be wrong. If Ford sells you a lemon of a truck, you can sue Ford. That's not up to them. Ford is a legal person who can sue and be sued, every time.
You don't have to figure out which worker on the assembly line failed to tighten the bolts. If Ford sells you a truck with loose bolts in the suspension, you can sue Ford.
If you ALSO happen to be able to identify a specific individual who did wrong, as is alleged in this case, then you can AL
Re: (Score:2)
What we don't do, but some advocate, is picking one individual to be the scapegoat
That sounds exactly like what is happening to Joe Sullivan.
Also, see Sarbanes-Oxley Act [wikipedia.org].
Re: (Score:2)
It will be up to the court to determine if he, individually, took any unlawful actions, or failed to take actions he was legally required to take, personally.
Getting those facts will require at least a day of testimony. Since I heard zero minutes of testimony, I won't presume to magically know what happened - what he did or didn't do.
Re: (Score:2)
This guy is charged with falsifying documents to conceal the nature of a breach, with the knowledge of the CEO.
In other words, it's an alleged conspiracy, something carried out by the company's leadership.
I'm not sure what the right incentives are here.
If the company has to indemnify executives, that subtracts a cost from the benefit to the company for hiding the truth, but perhaps makes it safe for executives to do dirty deeds for the company.
On the other hand, if executives themselves are personally on th
Re: (Score:1)
>"They are saying, 'If I'm going to be held liable for something our company does, I want legal coverage.'"
Interesting how? This attitude is very commonplace. Wouldn't you want legal protection as a professional, for errors, omissions, mistakes, and the like? Doctors and engineers do. You can be in a company that does everything honestly, correctly, by the book; hire security teams to double check all your work, and there can still be a breach or other fuck up you get sued for.
>The company is an abstr
Re: (Score:2)
Clippy is an abstract entity, but that doesn't mean I don't want its desiccated corpse dug up from the files, then hung, drawn and quartered for crimes against humanity (another abstract entity).
Re: (Score:2)
Not quite. Abstraction adds a layer of inflexibility. Personal liability is relevant only when you are 100% in control of all decisions.
Now this is a CIO position so it's quite possible your comment does apply in this case, but in general that abstraction shackles the ability of employees to control what they do and as such definitely absorbs a significant portion of responsibility.
an abstract conception that cannot be responsible and cannot be punished
Except it is regularly punished. Fines are levied at companies all the time. Abstraction doesn't mean your abstract entity can't
Re: (Score:2)
"They are saying, 'If I'm going to be held liable for something our company does, I want legal coverage.'"
The company is an abstract organization. It doesn't *do* anything. The people in it do things. Apparently they're upset that they can't lay the blame for their actions on the doorstep of an abstract conception that cannot be responsible and cannot be punished.
Well to be more accurate the company is a large collection of people.
I think the issue is that other individuals in the organization could put someone under a lot of pressure to break the law for the good of the organization, even if those other individuals don't quite reach the level of criminal liability themselves.
Or to think of it another way, if the company is the primary beneficiary of the illegal act it should also bear some of the punishment.
Article is click bait (Score:5, Informative)
Re: (Score:2)
Apparently as long as it's just a fine Uber will just pay it for him, at least they are not allowed to hire someone to sit in jail for him ... yet.
Re: (Score:2)
Hmm. They could pay him for his jail-time?
Re: (Score:3)
failing to report a felony
Who was charged with and found guilty of said felony?
Re: (Score:2)
I know reading is difficult for some, but here. https://archive.ph/oU2ZL [archive.ph]
Re:Article is click bait (Score:4, Informative)
Who changed the law to require charging and conviction?
18 U.S. Code sec. 4 - Misprision of felony [cornell.edu]:
Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
Cognizable may not be a routine word in your experience, but it doesn't mean charged and convicted. "Actual" also, quite obviously, doesn't mean charged or convicted since "some judge or other person in civil or military authority under the United States" would, by definition, already know of it.
Re: (Score:2)
Nobody has to be, it merely has to be the case that there is evidence, beyond reasonable doubt, that a felony did indeed occur and that he failed to report it. That it is not beyond an unreasonable level of doubt is not a defence.
Re: (Score:2)
Somehow, I don't think you QUITE grasped the words "reasonable", "unreasonable", and "felony".
Try again, this time with a dictionary to hand.
Re: (Score:2)
It should be illegal for awarded damage (Score:2)
The legal hurdles for personal liability are already incredibly high, allowing officers to insure themselves not just against legal fees but even against awarded damages should be illegal.
Re: (Score:2)
Can the company insure you against serving jail time? This guy might just learn the answer the hard way.
Missing a charge or two? (Score:2)
TFA is very short on details so it's impossible to know what happened. But it seems unlikely that a CISO made the decision on his own not to report the data breach - especially one who used to be a prosecutor. So I'm thinking that the blame should probably be shared by the CEO and/or other C-suite occupants.
Re: (Score:2)
I'm not going to be terribly sympathetic if the entire board of directors for Uber gets arrested and convicted.
From TFA: (Score:5, Interesting)
“He’s being scapegoated,” Mr. Sierchio said. “The government thinks he should have known better because he’s a former prosecutor.”
Err... yeah?
It may be "scapegoating" in that *other* people in the company who knew about the incident and understood their legal obligations to report the breach should *also* be prosecuted, but I'd say failing to follow the law when you're a lawyer specializing *in that very area of the law* is pretty damned inexcusable.
Here's the deal... (Score:2)
When you're a line manager, "director" etc, you can get away with the crap he pulled with more or less impunity.
Oh if you get caught doing what he did, you MIGHT get fired. Maybe.
In a "C" level position, you ARE that legal fantasy called a corporation. Personally responsible for corporate acts.
It's hard to send a fantasy to jail... But the physical representative of it in the person of "C" level and board members?
Sure thing baby!
And he didn't just go "oopsie"!
He actively tried to hide a corporate screwup.
Warning: (Score:2)
Why is it that Uber can be trusted to make the worst possible and least ethical choice whenever they have the opportunity to do the right thing? Did they hire their management team from Wells Fargo?
Joe Sullivan faces criminal charges (Score:1)
What specifically was the nature of this security incident?
Seems clear enough (Score:2)
Well, star security expert or not, it seems that he violated what the law explicitly demands, probably to protect his employer's backside. If he had been a prosecutor, he should have known that following what the law says to the letter isn't optional and it isn't only for the plebeians. He should be made an example.