Before joining Uber as chief security officer in 2015, Joe Sullivan served two years as a federal prosecutor at the United States Department of Justice, where he specialized in computer piracy and IP issues. He worked on a number of high-profile cases, from the first prosecution in the US under the Digital Millennium Copyright Act to the prosecution of a hacker who breached NASA’s Jet Propulsion Laboratory.
More than 20 years after joining the US government to help organizations defend against so-called bad guys, Sullivan found himself on the other side of the justice system.
In October 2022, a San Francisco jury found him guilty of obstructing official proceedings and of a misdemeanor failure-to-report charge. In May of this year, Sullivan was sentenced to three years’ probation.
The irony is not lost on Sullivan, who spoke to TechCrunch in London this week ahead of his keynote address at the Black Hat Europe cybersecurity conference.
This precedent-setting case concerns a breach of Uber’s systems in 2016, in which hackers threatened to expose the data of 50 million Uber customers and drivers. The case focused primarily on Uber’s decision not to report the breach to the Federal Trade Commission, since the company had been ordered to report all breaches after an earlier hack of its systems in 2014 exposed the names and driver’s license numbers of 50,000 people.
The case did not go as expected for Sullivan, who was fired from Uber in 2017.
“We thought we would win the trial. We barely defended because my lawyers said ‘no need’. I didn’t testify, so the jury never saw me. They just saw the unnamed Uber executive in a mask,” Sullivan told TechCrunch during the interview on Wednesday.
The first-of-its-kind verdict hit Sullivan hard at first. “When I lost the trial last October, I was in a funk, I didn’t want to talk to anyone and I didn’t know what was going to happen in my life,” he said. “I just wanted to curl up in a ball.”
Sullivan’s case also caused concern among fellow CSOs and CISOs, several of whom wrote letters to the sentencing judge in the case, William Orrick, praising Sullivan’s actions and expressing fears that they too could face legal penalties simply for doing their jobs.
“Joe’s case has had a huge impact on the cybersecurity community,” read one letter, signed by more than 50 CISOs. “It has been the subject of frequent executive group conversations and panel discussions at industry seminars and a major driver of efforts to change policies and practices to make wrongful disclosure even as the legal requirement to do so remains unclear.”
These fears have lasted far beyond Sullivan’s conviction. The former Uber CSO, who now works as CEO of a non-profit organization dedicated to providing humanitarian and technological aid to the people of Ukraine, told TechCrunch that he gets calls every week from security professionals asking him whether they should stay in the industry and whether they should interview for high-profile roles that come with more responsibility — and more risk.
“What I’m telling security executives right now is that they shouldn’t run away from the job — they should run toward it,” Sullivan said, noting that the widespread anxiety among cybersecurity professionals, along with his wish to become “the better man,” is part of the reason he wanted to start talking about the Uber data breach case.
“I realized that sharing what I’ve been through is better than not doing so, and healthier for me. It took me a year to say this, but this is the right way,” Sullivan told TechCrunch. “I was very bitter, but I want to be a better person. I also want to continue to be part of the security world, so I have to get over it.”
Sullivan told TechCrunch that another reason he wants to speak out is that there have been “100 webinars, by 100 lawyers, saying ‘you’re not going to end up like Joe if you have insurance, if you bring legal and PR into the room or if you have a breach liability policy’.”
“We did all these things [at Uber],” Sullivan said. “We had insurance. There was a data breach policy. We met with public relations and the CEO [Travis Kalanick] signed everything, including the dollar amount,” he added, referring to the $100,000 payment made to the two young men who discovered the vulnerability that led to the Uber breach in 2016.
When asked if he thought Uber’s then-CEO should have been held responsible, Sullivan said, “I don’t think anybody did anything wrong at the end of the day.”
“Uber wouldn’t exist today — in fact, we’d still be taking taxis — if it weren’t for him [Kalanick] and his sheer power,” Sullivan added. “On the upside, he drove some change into the world. On the downside, his philosophy was that the person who threw the first punch wins the fight.”
Fixing a broken industry
In what Sullivan describes as “the biggest irony of his career,” part of his role at the Justice Department involved working closely with organizations in Silicon Valley to encourage more cooperation with the government. “That was the story of my career: trying to get the public and private sectors to work together.”
Sullivan believes that going forward, this public-private partnership, along with strong regulation, is the only way to fix the “broken” cybersecurity industry.
“When I joined [Uber], it had the worst security of any $40 billion company, and that can no longer fly in the world. If you’re going to sell a product, your security has to be pretty good the day you sell it,” Sullivan said. “I could be very bitter about the idea of government regulation since I was regulated, but I also think we need it to make the Internet work well in the future.”
Sullivan praised the US Securities and Exchange Commission’s incoming data breach disclosure rules, which go into effect on December 15, noting that while they’re not perfect, they’re a lot better than having zero guidance. “We can pick apart the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who criticizes the SEC less than everyone else because I think they should be praised for trying to set rules.”
As for CSOs and CISOs, many of whom still worry about being held personally responsible for security failures in their organizations, Sullivan believes now is the time to speak up and help shape any future regulation.
“We have to pull ourselves together, we have to learn the political side of it, and we have to learn how to make our voices heard,” Sullivan told TechCrunch. “I think we need to develop leaders who can be real leaders of society who are experts in our profession.”