Title: Uber CISO narrowly avoids jail
A federal judge in the United States has sentenced Joe Sullivan, convicted over his handling of a data breach at Uber, to 3 years of probation and 200 hours of community service.
Hackers were reported to have stolen the personal details of 57 million customers and personal information belonging to 600K Uber drivers.
As part of its regulatory requirements, the FTC (Federal Trade Commission) mandated that Uber report all breaches.
Following the incident, according to the prosecutors, Sullivan took deliberate steps "to conceal, deflect and mislead the FTC on the 2016 breach".
Sullivan paid off the hackers under the guise of a "bug bounty", $100k in bitcoin, and made the hackers sign a non-disclosure agreement to keep the attack secret. Prosecutors insisted that Sullivan be given a 15 month jail sentence. The verdict handed down did not include a jail sentence, but imposed a $50K fine and travel restrictions.
Straightforward case?
Federal Judge William Orrick confirmed that he received 186 letters, at least one of them signed by more than 50 CISOs defending Sullivan's actions and stating that the outcome of the case would have "a larger chilling effect" on the entire cybersecurity community.
Fellow CISOs argued that Sullivan was "hung out to dry" by then-CEO Travis Kalanick and Uber's in-house lawyer Craig Clark, both of whom were informed of the breach 6 hours after it happened. The CISOs argued that the case had nothing to do with the tough decisions that must be taken during a breach; the spotlight should instead be on the obstruction of justice and the attempt at concealment.
The question on everyone's mind is why the CEO, Travis Kalanick, isn't facing any charges related to the incident. That question was met with silence.
The point of contention is this: if the details of the breach were made known to management, was the CISO acting alone?
Sullivan was also charged with "misprision", meaning the knowing concealment of a crime. This means that "Sullivan affirmatively worked to hide the data breach from the FTC and took steps to prevent hackers from being caught."
What are CISOs supposed to do?
This case raised the debate of whether the CISO must do what the company asks or what the law requires. The debate is similar to the one Chief Compliance Officers face. In Malaysia, under the Financial Services Act, the CISO carries personal liability in the event something like this happens.
In this case, obstruction of justice prevailed.
The outcome of the case created fear amongst CISOs, as many now fear prosecution. This wouldn't be the first time: CISOs before have been "hung out to dry" as the key scapegoat when something fails. Shifting the burden to the CISO while keeping them in check seems to be the playbook for some organizations.
This also raises questions of accountability and transparency when it comes to policies and practices. The need for shared responsibility is now paramount.
Uber entered a non-prosecution agreement with the DOJ in July, which allowed upper management to avoid charges, while Uber accepted responsibility for the role of its Board of Directors and senior executives in the cover-up.
The conversation continues...
Sullivan acknowledged his wrongdoing and raised concerns that CISOs may take this verdict the wrong way. Sullivan was a former prosecutor, which makes it even more difficult. Supposed to be a role model for other CISOs, Sullivan now becomes the case study of what CISOs are expected to do. Sullivan's case has crystallised into a reference point on the ever more challenging position that CISOs now occupy.
It is noteworthy that Sullivan was convicted for the cover-up of the incident, not for the breach itself, according to Jon Amato of Gartner.
Back to Asia
I note that similar issues will soon come to Asia, especially Malaysia and Singapore.
Firstly, I note the level of seniority and compensation for a CISO. A bank that had reached out to me specifically mentioned that the CISO is just a manager-level role with manager-level compensation. In Singapore, I notice that in some job advertisements the CISO role is pegged at only SGD10k per month.
So what have seniority and salary got to do with the role? Seniority determines the level of visibility and the reporting requirements within the organization, and it determines who the role reports to. Salary determines whether, when such an incident happens and you as CISO are wrongly blamed, you can survive paying legal fees to lawyers and running a case that lasts a few years.
If the organization scapegoats you, there is no backing the organization will give you except a letter of dismissal.
***Chief Incident Scapegoat Officer?***
This reminds me of a personal incident where I had exactly this conversation with the then Chief Compliance Officer, highlighting the same issue. At that point in time, the CCO assured me that the matter would be taken into corporate consideration. One month after that conversation, the CCO had to leave under similar circumstances, further cementing this fear of corporate victimization.
Check your employment contract - whether it specifically grants you immunity from liability.
While the regulators just want a neck to choke or a head to chop, is placing the burden solely on CISOs the solution? I agree the CISO carries responsibility, but it is worth asking whether his hands were tied or he was given the necessary room to move.
The glaring issue we see in Malaysia is the lack of reporting requirements and transparency when it comes to data breaches. That is one case; the enforcement and the seriousness with which the government takes this issue are yet to be seen. Case in point: the Nuemera telco leak. To date, not one single person has gone to jail over that leak. I was a manager during the implementation of Nuemera and we were told specifically to hand over the data because "the regulators" asked for it. In plain text. No questions asked. The regulators remain unscathed by the incident.
The exclusion of government from privacy laws is a glaring issue. The MITI data leak highlighted the need for government agencies to take data privacy seriously. Neither the minister nor any of the ministry's staff were taken to task (as far as has been reported publicly) over the matter.