Conviction of former Uber security chief stuns cybersecurity industry

06 October 2022 22:15 by Amy Miller


US cybersecurity professionals are stunned after a federal jury in San Francisco found former Uber Technologies security chief Joseph Sullivan guilty of covering up a 2016 data breach that affected 57 million Uber drivers and riders.

Sullivan’s conviction is a rare instance of a corporate information security officer being held criminally liable for failing to disclose a hack, but the US Department of Justice warned there could be more.

After the jury found Sullivan guilty of obstructing US Federal Trade Commission proceedings and misprision of a felony, the DOJ made clear that corporate executives at technology companies collecting and storing “vast amounts of data” should be on alert.

“We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” US Attorney Stephanie M. Hinds said. “Where such conduct violates the federal law, it will be prosecuted.”

Meanwhile, dozens of cybersecurity professionals shared their dismay over Sullivan’s guilty verdict on the social networking site LinkedIn, and predicted that the job of chief information security officer just got much harder to fill.

If Sullivan, a well-respected former federal prosecutor once employed by Silicon Valley’s most successful companies, can be convicted over his handling of a data breach, any CISO can now become a scapegoat if anything goes wrong, they said.

“What might the fear of sacrifice do to the already complex dynamic between a CISO, the C Suite and the Board when the next incident occurs?” Mahdi Hedhli, CEO of computer security service company GoVanguard, wrote on LinkedIn. “Imagine the psyche and resolve of your most valuable asset during a security incident being compromised because they’ve been put between a rock and a hard place.”

“I’m devastated,” wrote Rinki Sethi, chief information security officer at Bill.com, saying it was “terrible and unacceptable news for the CISO and #infosec community.”

Melanie Ensign, who was part of Uber’s corporate communications team during the 2016 hack and a defense witness at trial, again came to Sullivan’s defense. She shared a story describing how Sullivan had pushed for stronger data protections in 2016 and eventually succeeded.

“I was on many of these calls & emails — it was excruciating to get business & product leaders at that time to commit to VERY BASIC privacy principles, like opt-outs,” she said. “But Joe got us there.”

Security professional and NYU computer science professor John Viega derided the jury’s decision in a lengthy and rambling blog post titled “Ransoming the CISO Role,” which he posted on LinkedIn and Twitter.

“With jail time now on the table for CISOs, the desire to be a good business partner will be dwarfed by the drive to avoid criminal prosecution,” Viega wrote. “CISOs will try to turn over as many rocks as possible, but the rest of the organization will live in fear of lots of time wasted to busy work, and try to keep the CISO’s eyes off anything that is trying to move fast.”

There could be one benefit, however, Viega said: CISOs can now demand much higher salaries to compensate for the risks their jobs entail and for the additional insurance they will likely need.

While Viega’s blog post got little notice on Twitter, it got more attention from fellow cyber executives on LinkedIn.

Not everyone agreed, and the online debates became contentious at times.

“He's a bar admitted attorney who was a former federal prosecutor,” an incident response manager for a financial company in Philadelphia replied. “He knew what he was doing and that it was illegal. He just thought he was going to get away with it.”

Javed Ikbal, CISO at child care provider Bright Horizons and an adjunct faculty member at Brandeis University, wrote in a separate post on LinkedIn: “count me out.”

“I reject the narrative that this means some new, sensational risk for CISOs,” Ikbal said. “You and I got into this work knowing that there may be data breaches under our watch. If such a breach happens, and if there is a regulatory or legal requirement to report that breach, the course of action is clear: it has to be reported. There are no ifs/ands/buts about it.”
