Cybersecurity industry scrutinizes case of former Uber security chief as trial looms
02 September 2022 23:26 by Amy Miller, Xu Yuan
When Uber’s former security chief Joe Sullivan announced on LinkedIn last month that he was taking time off to prepare for his upcoming criminal trial on charges of concealing a 2016 data breach from federal investigators, the response from cybersecurity pros was practically uniform.
Nearly 650 people from around the world expressed their virtual support. More than 70 posted a version of the same comment: You got this Joe.
“Joe, the historical significance of this trial reminds me of Galileo's trial by inquisition,” Shahrokh Shahidzadeh, a chief technology officer from Portland, Oregon, wrote. “I would press that it is our Government that is responsible and needs to take more accountability against cyber attacks.”
Sullivan’s trial, set to begin Sept. 6 in San Francisco, involves criminal charges that he obstructed an investigation by the US Federal Trade Commission and tried to prevent the agency from discovering a 2016 data breach that exposed the personal information of more than 55 million Uber passengers and drivers.
It’s clear, however, that many in the cybersecurity industry are rooting for Sullivan. If Sullivan, a well-respected former federal prosecutor once eagerly courted by Silicon Valley’s most successful companies, can find himself in the government’s crosshairs over his handling of a data breach, anyone can, cyber pros warned.
Others, however, have been more critical. “Tribalism is a powerful force,” Jamil Farshchi, Chief Information Security Officer at Equifax, said in a separate post about a week later. “The key lesson here is one that almost every CISO has experienced first-hand: when faced with a lose-lose decision, do the right thing (or at least the lawful one).”
The two sides agree on one point. In what is believed to be the first criminal case against an executive stemming from a company’s response to a security incident, the stakes for the cybersecurity industry and cyber security professionals couldn’t be higher.
From prosecutor to cyber pro
Supporters point to Sullivan’s long, successful career in cybersecurity as evidence that this could happen to any well-intentioned cybersecurity officer caught in a difficult situation at a troubled company.
Sullivan’s career in cybersecurity began when he was a young, ambitious federal prosecutor. In 1999, when Robert Mueller, then the US Attorney for the Northern District of California, was putting together a team of high-tech prosecutors in Silicon Valley, Sullivan was among the first recruits. He handled early online fraud and software piracy cases, but he also worked on the 9/11 investigation and child predator cases.
It wasn’t long before Sullivan became one of Silicon Valley’s most highly sought after cyber security experts. In 2002 he went to eBay, where he oversaw security for PayPal and Skype.
After he moved to Facebook in 2008, the media took notice, profiling him in magazines such as Fortune and Forbes. At Facebook, Sullivan managed the teams responsible for information security and product security, and navigated the company’s relationship with law enforcement and investigations.
He also became well known as an early backer of bug bounties, the rewards that many tech companies now pay to researchers who discover and responsibly report software vulnerabilities. During his tenure, Facebook became one of the first social-media platforms to adopt a bug-bounty program.
The program helped make up for companies’ typically limited cyber security resources, he said at the time. “We have a very small security team,” Sullivan told Forbes in an interview in 2012. “So we’re trying to turn our users into patrol guards.”
It’s also “a great way to engage with the security research community, and an even better way to improve security across a complex technological environment,” he wrote in a Facebook blog post in 2011.
When President Obama held a Summit on Cybersecurity and Consumer Protection at Stanford University, Sullivan was there, representing Facebook.
Recruited by Uber
In 2015, Uber disclosed that hackers had breached its systems and accessed the names and license numbers of some 50,000 current and former Uber drivers in the US.
A month later, Sullivan left Facebook to oversee global cybersecurity at the ride-hailing app, then a $40 billion startup whose co-founder and CEO, Travis Kalanick, was grappling with rapidly escalating security concerns, one of many controversies circling the disruptive startup. It was Sullivan’s job to keep riders and drivers safe.
Sullivan also set up a bug bounty program at Uber, and according to the DOJ it was his too-cozy relationship with hackers that would later land him in trouble with his former employer. Now several of Sullivan’s former colleagues at Uber are listed as potential witnesses at his upcoming criminal trial, including the company’s current and former CEO.
According to the DOJ, when Sullivan joined Uber, the US Federal Trade Commission was already investigating a 2014 data breach at the company, and Sullivan knew how extensive that investigation was.
But when Sullivan learned in 2016 that hackers had stolen data Uber stored on Amazon Web Services, including approximately 600,000 driver’s license numbers, he never told the FTC, according to the DOJ.
Instead, Sullivan tried to prevent news about the breach from getting out by paying the hackers $100,000, disguised as a bug bounty, and then getting the hackers to sign a non-disclosure agreement, according to the DOJ.
Sullivan didn’t just hide the breach from the FTC, according to the DOJ, which said he hid the breach from Uber’s new CEO, Dara Khosrowshahi, too.
Sullivan’s defense is expected to be that he acted with the knowledge of Uber’s legal team and senior executives, and that a database code-named the “Preacher Central Tracker” documenting Uber’s internal review of the 2016 breach was widely shared within the company.
Uber avoided criminal charges by accepting responsibility for covering up the data breach as part of a settlement with US prosecutors in July.
The two hackers who received the payment, Brandon Glover and Vasile Mereacre, pleaded guilty to charges of computer hacking and an extortion conspiracy in 2019 and are awaiting sentencing. Glover may testify about how Uber’s conduct differed from other companies he dealt with in similar negotiations.
Sullivan has been employed as chief security officer at Cloudflare since 2018. He declined to comment.
Cybersecurity pros watching
The cybersecurity industry will be watching Sullivan’s trial closely, and it’s clear that many are worried. Whatever a federal jury concludes, it could make their jobs even harder, multiple executives posted on LinkedIn.
Among the dozens of well-wishes to Sullivan were warnings from many in the cybersecurity industry who argued the industry is facing stricter scrutiny, and more rules and regulations. At the same time, threats from hackers and ransomware are growing.
There was ample speculation about whether Sullivan should have been better protected by Uber’s legal department and attorney-client privilege, or whether he could have avoided prosecution by filing a whistleblower complaint. What if the company’s top executive or board members support hiding a breach, they asked.
“Simply put, Joe Sullivan's upcoming trial is the most critically important trial in the nascent history of Cybersecurity, and whatever the outcome, it will be impactful on all CISO / Risk Executive professionals,” Robert Rodriquez said in a LinkedIn post.
“Having worked with Joe in multiple roles throughout my career, I know how deliberate, thoughtful and high integrity he is,” Chad Greene, director of security at Facebook, posted in response. “The outcome here is critical for any of us in a risk management role.”
Sullivan's trial is going to make it harder to recruit and keep quality professionals, cybersecurity expert and author Deb Radcliff replied.
“It comes down to why would federal agencies who NEED CISOs, who BEG to have relationships with CISOs, put CISOs in their crosshairs like this?” Radcliff wrote. “CHILLING.”
Not surprisingly, Michael Daugherty, former CEO of LabMD, which went out of business fighting FTC allegations over a data breach, argued on LinkedIn that the government is setting a dangerous precedent.
“What is really going on here is the government is wanting to jail executives,” he wrote in response to Farshchi’s post about the trial. “And many in this industry are happy to cooperate.”
Equifax’s Farshchi conceded that his view “may be in the minority.”
“I just hope the reason isn’t tribe mentality,” Farshchi said. “People make mistakes. Everyone deserves a second chance. But accountability matters too.”