A CISO's Guide to Avoiding Jail After a Breach
Yahoo, Uber, SolarWinds — increasingly, the government is incentivizing better corporate security by punishing the individuals leading it. Is that a good idea? And how can security pros avoid ending up on the butt end of a lawsuit?
In April 2016, President Barack Obama appointed Uber chief security officer (CSO) Joe Sullivan to the so-called Commission on Enhancing National Cybersecurity. Four years later, Sullivan was researching prisons, and how to stay safe and sane while on the inside.
He was a strangely cast felon, having spent the first eight years of his career moving up the ladder at the US Department of Justice, and the following half-decade as an assistant US attorney. He'd even prosecuted the first-ever case pertaining to the Digital Millennium Copyright Act (DMCA), United States v. Elcom Ltd., on behalf of the government.
Suffice it to say that few people on earth understood the laws, the business, and the reality of cybersecurity better than Sullivan did. But for having mishandled a major data breach in November 2016, he's still defending himself in court to this day.
"The US government has so much power, and it can steamroll people in a really unfair way," says Jess Nall, a partner at Baker McKenzie LLP. "What's evolved in the last 10 years is that CISOs and other information security professionals — including privacy and data security lawyers, and other infosec personnel — are getting thrown under the bus when major cyberattacks happen."
Nall has experience with this firsthand, having successfully defended employees of Yahoo following its historic, farcical breaches. Now, in a presentation at Black Hat 2024, she's going to share what she's learned. The upshot? Security leaders are being targeted and prosecuted like never before, but the smart ones can take steps now to avoid that fate.
For years, the government has been trying carrots and sticks that might get companies to better steward their user data. On that long history, Sullivan tells Dark Reading, "I think we're in the ugly middle period right now."
When he worked for the Obama administration, he recalls, "The thing we wrestled with the most was: How does the federal government get corporations to commit to doing more in cybersecurity? And the approach for a long time was public-private partnerships and collaboration. You still see versions of that with a lot of the work that [the Cybersecurity and Infrastructure Security Agency] does. But the Biden administration came out with their National Cybersecurity policy in March 2023 that says, very clearly, that we've decided to shift responsibility to those that have the means to do so — larger corporations in the private sector."
With a polarized and flaccid Congress, lawsuits are a kind of back road for forcing good corporate behavior. "The executive branch is getting yelled at by people [about cybersecurity], and is turning to enforcement actions because you can regulate by law, or you can regulate by precedent. So each case that the government brings is an effort at creating a precedent," Sullivan explains.
Of course, suing anonymous or foreign hackers does nothing for no one. "And so who do they want to make an example of, for deterrence reasons?" Nall asks, rhetorically. "It's usually somebody here in the US, usually somebody at one of these companies that's been attacked."
The idea is that a threat of legal penalty will light a fire under otherwise misguided, negligent, or malicious security leaders. But there are whispers that it's already having other, less desirable effects.
"There's already such a strong need for cybersecurity professionals, and I think anything that we're doing as a country to deter that is bad. And I think people are somewhat more reluctant to take on the CISO role," Nall says. When the best of the best are ambivalent about taking lead, she adds, "I've heard this: that people are going into the role junior, and being pressed into service they're not quite [ready for]. There's such a demand that the quality control on who's in that role is falling. I think you are going to see a degradation in quality in the defenders of all of our data."
The key to avoiding trouble as a security leader, Nall says, is awareness of three things: how government investigations work, how the government interacts with companies during the process, and the incentives companies have to resolve their cases in one way or another.
When push comes to shove, for example, companies will be pressured to name and shame individuals. In his proceedings, Sullivan's legal team painted a picture of a company (Uber) trying to rebrand itself, and holding him up as a lamb to the slaughter.
"It's very unfortunate because the consequences are faced by one individual, or a few individuals, although the ability to make sure that [an incident] doesn't happen is a community-based effort within organizations," says ArmorCode's Karthik Swarnam, formerly chief information security officer (CISO) of Kroger, DIRECTV, and TransUnion.
To avoid being singled out (and because it's good security practice), CISOs should focus on building clear and robust lines of communication that bring other board members into the cybersecurity decision-making process.
"You need to first of all establish a risk council, in which you would have roles and responsibilities clearly defined," Swarnam recommends, adding, "Managing risk takes two things: communicating the risk to the right individuals and right organizations, and working with them on a plan to get that right."
Communication and collaboration, Nall and Sullivan agree, are the safety net that security leaders will fall back on when the worst comes to pass.
"That's ultimately the through line between all these cases: that communication between the cross-functional groups wasn't there to the extent it needed to be," Nall says. "And the people who took the brunt of that were not the lawyers, were not the execs, were not the board. It was infosec."