Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds

Published: 23/11/2024   Category: security




Joe Sullivan, spared prison time, weighs in on the lessons learned from the 2016 Uber breach and the import of the SolarWinds CISO case.



Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud for failing to alert regulators of a 2016 cybersecurity breach, but Sullivan was spared having to serve any prison time. Instead, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. Prosecutors were seeking 15 months of prison time for the charges alleged by the Federal Trade Commission (FTC) that Sullivan failed to report the breach that affected more than 50 million records for customers and Uber drivers.

"I went to my sentencing hearing fully prepared to go to jail, with a specific penitentiary area that we were going to request," Sullivan tells Dark Reading. "I had to research all the different federal facilities and figure out which one would be the one that my family would be able to most visit and that I would be the safest. And I had to think about who would take care of my kids and who would pay my bills on my house and manage everything else."

Now that the matter has been decided, Sullivan is free to speak out, and he plans to share his story in a keynote address at Black Hat Europe 2023 on Dec. 7. Sullivan says biting his tongue for over six years wasn't easy. "My lawyers wouldn't let me say a word," Sullivan laments.

"If somebody labels what you're doing a coverup, it's really easy for people to buy into that idea," he says. "For six years, I had to listen to and see my name in the media saying things about me that I knew weren't true. And my kids had to be subjected to everybody they know asking them what they saw about their dad on the news."

In getting the minimum sentence, Sullivan says he was vindicated. "The judge said we did an amazing job on the investigation," he says. "We followed our playbook. What people don't understand is the company had D&O [directors and officers] insurance policies. We had a data-breach response policy that designated a specific lawyer we were supposed to call. The team called in that lawyer and called in PR. I looped in the CEO and kept him up-to-date."

Sullivan says the key mistake he made was not bringing in third-party investigators and counsel to review how his team handled the breach. "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."
Now, Sullivan advises other CISOs and companies about navigating their responsibilities in disclosing breaches, especially as the new Securities & Exchange Commission (SEC) incident reporting requirements are set to take effect. Sullivan says he welcomes the new regulations. "I think anything that pushes towards more transparency is a good thing," he says. He recalls that when he was on former President Barack Obama's Commission on Enhancing National Cybersecurity, he pushed to give companies immunity if they are transparent early on during security incidents.

That hasn't happened until now, according to Sullivan, who says the jury is still out on the new regulations, which will require action starting in December.

"Right now, too many companies think it's not in their best interest to be transparent," Sullivan says. "I think the SEC is trying to change the incentives through sticks rather than carrots. But that's the tool that they have, which is better than nothing."
Meanwhile, the SEC is signaling a zero-tolerance focus when it comes to data breach mishandling, with its recent charge of fraud in the US District Court in the Southern District of New York against SolarWinds Corp. and its CISO Tim Brown, regarding the software supply chain attack on the company's Orion platform in October 2020.

But Sullivan says the SEC's decision to charge SolarWinds and Brown contradicts the agency's approach in rolling out its new disclosure rules just months earlier.

"On the one hand, they are engaged with the community and have set some new expectations, which I think is great because they're trying to set some rules for the road, and they got feedback from the public," Sullivan says. "But if you look at the SolarWinds and Tim Brown enforcement action, you see a very different approach, which is not so collaborative, and a lot of commentators have suggested that maybe they don't seem to fully understand what life is really like doing security inside of a corporation."

It's too early to predict how the case will play out since only the parties involved know what evidence will be presented, Sullivan says. But based on the SEC's charges, he sees similarities to his own situation.

"The government, the FTC in my case, felt that my company wasn't sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn't my job to be the communicator of our security posture or answer any of their questions," Sullivan says. "In fact, I hadn't seen a lot of the documents. And so, their case was about me being held personally responsible for the company's approach to communication. Tim Brown's case is the exact same thing."
