Before joining Uber as chief security officer in 2015, Joe Sullivan served for two years as a federal prosecutor with the United States Department of Justice, where he specialized in computer hacking and IP issues. He worked on a number of high-profile cases, from the first case in the U.S. of prosecution under the Digital Millennium Copyright Act to the prosecution of a hacker who breached NASA’s Jet Propulsion Laboratory.
More than 20 years after joining the U.S. government to help organizations defend against the so-called bad guys, Sullivan found himself on the other side of the justice system.
In October 2022, a San Francisco jury found him guilty on charges of obstructing an official proceeding and misprision of a felony (a failure-to-report-wrongdoing offense). In May this year, Sullivan was sentenced to three years probation.
The irony is not lost on Sullivan, who spoke to TechCrunch in London this week prior to his keynote speech at the cybersecurity conference Black Hat Europe.
This precedent-setting case pertains to a breach of Uber’s systems in 2016, where hackers threatened to expose the data of 50 million Uber customers and drivers. The verdict centered primarily around Uber’s decision not to report the breach to the Federal Trade Commission, as the company was mandated to report all breaches after an earlier 2014 hack of its systems exposed the names and driver’s license numbers of 50,000 people.
The case didn’t go as Sullivan, who was fired from Uber in 2017, had expected.
“We thought we were going to win the trial. We barely put on a defense because my lawyers were like, ‘we don’t need to.’ I didn’t testify, so the jury never saw me. They just saw the anonymous Uber executive with a mask on,” Sullivan told TechCrunch during the interview on Wednesday.
The first-of-its-kind verdict hit Sullivan hard initially. “When I lost the trial last October, I was in a funk, I didn’t want to talk to anybody, and I didn’t know what would happen to my life,” he said. “I just wanted to curl up in a ball.”
Sullivan’s case also caused anxiety among fellow CSOs and CISOs, a number of whom wrote letters to the case’s sentencing judge, William Orrick, praising Sullivan’s actions and voicing their fears that they too could face legal penalties for simply doing their jobs.
“Joe’s case has had a huge impact on the cybersecurity community,” one letter, signed by more than 50 CISOs, read. “It has been the subject of frequent executive team conversations and panel discussions at industry seminars, and a significant driver of efforts to change policies and practices to err on the side of disclosure, even when the legal requirement to do so remains unsettled.”
These fears have lasted long beyond Sullivan’s conviction. The former Uber CSO, who now works as CEO at a nonprofit dedicated to providing humanitarian and technology aid to the people of Ukraine, told TechCrunch that he receives calls every week from security professionals asking whether they should stay in the industry and whether they should take interviews for higher-ranking roles that come with greater responsibility — and greater risk.
“What I tell the security executives right now is that they shouldn’t run away from the job — they should run towards it,” Sullivan said, noting that the shared anxiety among cybersecurity professionals, along with the fact that he wanted to be a “better person,” is part of the reason he wanted to start speaking out about the Uber data breach case.
“I realized that sharing what I’ve gone through is better than not, and healthier for me. It’s taken me a year to say that, but that’s the right way to be,” Sullivan told TechCrunch. “I was very bitter, but I want to be a better person. I also want to continue being part of the security world, so I have to get over it.”
Sullivan told TechCrunch that another reason he’s keen to speak out is because of the fact that there have been “100 webinars, by 100 lawyers, saying that ‘you won’t end up like Joe if you have insurance, if you bring legal and PR into the room, or if you have a breach responsibility policy.’”
“We did all of those things [at Uber],” Sullivan said. “We had insurance; there was a data breach response policy; we looped in PR, and the CEO [Travis Kalanick] signed off on everything, including the dollar amount,” he added, referring to the $100,000 payment that was made to the two young men that discovered the vulnerability that led to the 2016 Uber breach.
When asked whether he believed Uber’s then-CEO should have been held responsible, Sullivan said: “I don’t think anybody did anything wrong at the end of the day.”
“Uber wouldn’t exist today — in fact, we would still be taking taxis — if it wasn’t for [Kalanick] and his sheer forcefulness,” Sullivan added. “On the upside, he drove some change in the world. However, on the downside, his philosophy was that the person who threw the first punch wins the fight.”
Fixing a broken industry
In what Sullivan describes as “the greatest irony of his career,” part of his role at the Department of Justice involved him working closely with organizations in Silicon Valley in order to encourage more collaboration with the government. “That’s been the story of my career; trying to get the public and private sectors to work together.”
Sullivan believes that going forward, this public-private sector collaboration, along with strong regulation, is the only way to fix the “broken” cybersecurity industry.
“When I joined, [Uber] had the worst security of any $40 billion company, and that can’t fly in the world anymore. If you’re going to sell a product, your security has to be good enough the day you sell it,” Sullivan said. “I could be very bitter about the idea of government regulation since I was regulated, but I also think we need it for the internet to work well in the future.”
Sullivan praised the U.S. Security and Exchange Commission’s incoming data breach disclosure rules, which come into effect on December 15, noting that while not perfect, it’s much better than having zero guidance. “We can nitpick the details as much as we want, but this is the right way to do it,” he said. “I seem to be the person who’s criticizing the SEC less than everyone else because I think we should praise them for trying to make rules.”
As for CSOs and CISOs, many of whom are still worried that they’ll be held personally liable for security failings at their organization, Sullivan believes that now is the time to speak out in order to shape any future regulation.
“We have to pull ourselves up, we have to learn the policy side of it, and we have to learn how to make our voice heard,” Sullivan told TechCrunch. “I think we have to develop leaders who can be real societal leaders who are experts in our profession.”
Carly Page reporting from Black Hat Europe in London.