Joseph Sullivan, former chief security officer for Uber, was sentenced on May 4 to a three-year term of probation, ordered to pay a fine of $50,000 and ordered to perform 200 hours of community service, in connection with a cover-up of Uber’s 2016 breach.
Sullivan was found guilty of obstructing justice and concealing knowledge that a federal felony had been committed. The November 2016 breach at Uber spilled data tied to 57 million users and leaked 600,000 driver’s license numbers.
The U.S. attorney’s office said Sullivan attempted to conceal the breach from the public and from the Federal Trade Commission. Prosecutors said Sullivan arranged to pay $100,000 in Bitcoin through a bug bounty program to the attackers in order to cover up the breach. Sullivan also had the hackers behind the breach sign a non-disclosure agreement promising that they would keep the incident quiet.
Prosecutors had sought a sentence of 15 months in federal prison.
The case that kept CISOs up at night
The arrest, prosecution and sentencing of Sullivan sent shockwaves through executive suites. C-level executives expressed concern that the Uber case was an example of the U.S. government going too far. To many within the cybersecurity community, the Sullivan case hinted at an adversarial relationship between the private and public sectors.
However, more recently, top cybersecurity law enforcement agencies have tried to foster a cooperative relationship with private industry. The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have urged private sector incident response teams to loop federal agencies into their investigations.
One example of recent cooperation is the FBI’s takedown of the Hive ransomware group’s website and servers. CISA and the FBI were lauded for working with hospitals and schools impacted by the ransomware, sparing them millions of dollars in extortion payments by providing them with Hive decryption keys during the investigation.
During RSA Conference 2023, Lisa Monaco, U.S. deputy attorney general, and Chris Krebs, former director of CISA and co-founder of Krebs Stamos Group, discussed the Sullivan case in a keynote presentation.
Krebs asked Monaco how she squared the government’s prosecution of Sullivan with its message that it wants to “work together in a partnership model.”
“There's a lot of agitation and concern in the cybersecurity community that perhaps you've broken the trust [with the Sullivan case] and the DoJ has undermined the trust between the FBI and the cybersecurity community,” Krebs said. “Are you, are you worried that, that something's been lost here and that, you know, the next time a bug bounty payment comes in, maybe they're not going to call you?”
Monaco underscored that the Sullivan case had nothing to do with breaking trust, but rather with prosecuting a cover-up.
“Joe Sullivan went to trial, as was his right, was convicted at trial of obstruction of an FTC proceeding and of misprision of a felony. This means he was knowledgeable about a felony conducted by others. [Joe Sullivan’s] acts were intentional acts, as was proved at trial and as the jury found. This was very different from a mistake made by a CSO or a compliance officer in the heat of a very stressful time,” she said.
“I really want to stress this was intentional conduct, as was found by the jury. Our message is we are working in partnership with the CISOs, with the compliance officers, and we need that partnership and we need to make sure that that trust is not broken,” she said.