Did a former Uber executive’s conviction just make the CISO job harder? It’s complicated
A messy Silicon Valley court case has ended with a guilty verdict, and it’s worth unpacking what the result does—and doesn’t—mean for an important C-suite position.
Federal jurors on Wednesday convicted former Uber chief security officer Joe Sullivan on two felonies related to concealing a massive hack of customer data from federal regulators. The jurors found Sullivan intentionally covered up the breach of 57 million user accounts, which constituted obstruction of a Federal Trade Commission investigation into Uber and a failure to notify law enforcement authorities about a crime. Sullivan faces up to eight years in prison, though he’s expected to receive a lesser punishment.
The case is believed to be the first time that prosecutors have charged a tech security executive with failing to disclose a breach of corporate computer systems. As a result, chief information security officers across the industry have warned that the prosecution represents a chilling attack on their role, one that could hamper efforts to recruit and retain high-quality digital security leaders.
“I fear it will lead to a lack of interest in our field, and increased skepticism about infosec overall,” Dave Shackleford, owner of the consulting firm Voodoo Security, told the Washington Post.
It’s a fair enough sentiment given the novel nature of Sullivan’s conviction. But the nitty-gritty details of the case make it difficult to draw sweeping conclusions about the broader implications for information security executives.
As some tech observers have noted, the criminal case against Sullivan stemmed from his engagement in a somewhat common security practice. After learning in 2016 that two hackers had broken into Uber’s systems and demanded ransom payments, Sullivan orchestrated a $100,000 cryptocurrency payment through the company’s “bug bounty” program, which was designed to reward so-called ethical hackers who altruistically identify security lapses. Sullivan also arranged for the signing of a non-disclosure agreement.
At the time, federal law did not require corporate leaders to notify the government of data breaches. But a new law signed in March sets reporting requirements for cyber incidents in “critical infrastructure” sectors, including information technology. Federal officials can pursue civil and criminal charges against executives accused of violating the law or providing false information in response to subpoenas connected to cybersecurity reporting requirements.
Sullivan’s actions, however, went beyond mere failure to disclose information. As prosecutors proved at trial, Sullivan intentionally hid the hack from FTC regulators who were investigating Uber following an earlier, smaller breach of company systems. Sullivan also joined top executives in attesting to improved security protocols at Uber amid the federal inquiry. One juror told the New York Times that Sullivan’s attempts to conceal were “all dated and timed and documented very clearly.”
“It’s not about breach notification, it’s not about bug bounties—it’s about lying to a regulator about information responsive to an open investigation and subpoena,” former FTC lawyer Whitney Merrill tweeted Wednesday.
At the same time, security executives must be wondering where their legal liability begins and ends.
In Sullivan’s case, federal investigators have published evidence suggesting that Sullivan notified then-Uber CEO Travis Kalanick about the cyberattack and negotiations with the hacker. Sullivan’s indictment includes text messages between the two executives immediately after the breach, one of which features Kalanick discussing the company’s bug bounty program and the need to “document this very tightly.”
Yet Kalanick, who resigned from Uber amid multiple scandals in 2017, hasn’t been charged in connection with the concealment. Kalanick might have evaded prosecution on technical grounds—the Washington Post, citing sources familiar with the matter, reported that prosecutors felt Kalanick “was not damned by the surviving written evidence”—but the lack of criminal prosecution could leave security officers feeling hung out to dry.
“The entire situation is extremely unfortunate for Uber and the broader legal/security communities,” David Lindner, the chief information security officer for Contrast Security, told The Register. “What Uber did was cover up a breach through means of hiding it as a bug bounty submission. The conviction of the security chief is a good start, but for what was disclosed, there should be even more accountability of the executives and even board members.”
The egregious nature of Sullivan’s actions renders fears of rampant CISO prosecutions a bit exaggerated. But security executives could be excused for still having plenty of questions about their responsibilities and legal exposure following this first-of-its-kind conviction.
Deal’s not done yet. Elon Musk and Twitter officials continued to haggle Wednesday over details of a purchase agreement that would result in the world’s wealthiest man living up to his original $44-billion commitment to buy the company, The Wall Street Journal reported. The two sides were still negotiating over the next steps in litigation tied to Musk backing out of the deal this summer, as well as issues surrounding Musk’s ability to secure debt financing for the acquisition. Musk and Twitter agreed to delay a deposition in the legal case scheduled for Thursday, giving them more time to hash out a deal.
Seventh time’s the charm? Google unveiled Thursday its latest line of Pixel smartphones and first version of a long-awaited smartwatch, products that take aim at the hardware dominance of Apple and Samsung, Bloomberg reported. The devices are all priced slightly lower than phones and watches released this month by Apple, which continues to far outpace the Alphabet unit’s hardware sales. Nikkei Asia also reported Thursday that Google has ordered 8 million units of the Pixel 7 line, as it aims to double sales of the smartphone in 2023.
Quite an ultimatum. Peloton CEO Barry McCarthy said the embattled fitness-tech company likely can’t survive as a standalone company unless it shows signs of a significant turnaround in the next six months, The Wall Street Journal reported Thursday. McCarthy’s comments coincided with Peloton announcing layoffs totaling 500 employees, or 12% of the company’s workforce, the fourth round of job cuts this year. Peloton shares rose 5% in mid-day trading Thursday.
A ‘merci’ is in order. A French appellate court on Thursday slashed an antitrust fine levied against Apple from $1.1 billion to $366 million, Reuters reported. The penalty stemmed from an investigation into allegations of price-fixing between Apple and two distribution networks, which were accused of agreeing not to compete against each other. The appellate court dropped one of the three primary charges against Apple and used different metrics to calculate the deserved fine.
FOOD FOR THOUGHT
Permanently in park? Some prominent automotive and tech insiders are pumping the brakes on self-driving cars. Bloomberg reported Thursday that a growing chorus of industry leaders believes optimism for an autonomous driving future, at least in the near-term, is increasingly misplaced. Despite an estimated $100 billion piled into companies developing self-driving technology, there’s little evidence to suggest any automakers are remotely close to putting autonomous vehicles on the street at scale. As a result, industry analysts are questioning how long investors and corporate executives will continue to plow money into projects that might take decades to turn a profit.
From the article:
Our driverless future is starting to look so distant that even some of its most fervent believers have turned apostate. Chief among them is Anthony Levandowski, the engineer who more or less created the model for self-driving research and was, for more than a decade, the field’s biggest star. Now he’s running a startup that’s developing autonomous trucks for industrial sites, and he says that for the foreseeable future, that’s about as much complexity as any driverless vehicle will be able to handle.
“You’d be hard-pressed to find another industry that’s invested so many dollars in R&D and that has delivered so little,” Levandowski says in an interview.
IN CASE YOU MISSED IT
Paywalls are here to stay, but they’re closing off the internet. Crypto can fix that, by Jeff John Roberts
Google throws Velma from ‘Scooby-Doo’ a coming-out party on all of our screens, by Christiaan Hetzner
Biden is using IBM’s $20 billion investment to tout the manufacturing ‘boom’ sparked by his CHIPS act, by Aamer Madhani and the Associated Press
BEFORE YOU GO
Pure ad-ness. Look, up in the sky. It’s a bird, it’s a plane, it’s…the Geico gecko? As Fortune’s Alice Hearing reported Thursday, researchers and entrepreneurs are exploring the possibilities of advertising in space, with satellites projecting virtual billboards that can be seen across the world. A new study out of Russia estimates that it would cost $65 million to manufacture, launch, and support 50 satellites used for advertising, with each promo potentially generating $4.6 million. For context, a 30-second spot during last year’s Super Bowl ran $5.5 million. Thankfully, no commercial enterprise capable of launching ad satellites appears over the moon at this prospect yet.
This is the web version of Data Sheet, a daily newsletter on the business of tech.