Joe Sullivan Tells Black Hat Europe: 'Choose Your Own Destiny'Convicted Former Uber CSO Shares Lessons Learned From Government's Case Against Him
Cybersecurity professionals, it's time to choose your own destiny, former CSO Joe Sullivan told conferencegoers at this week's Black Hat Europe conference in London.
"I believe that our future is about to go in one of two directions," Sullivan, the former CSO of Facebook, Uber and Cloudflare, said in his Thursday morning keynote speech (see: Previewing Black Hat Europe 2023 in London: 16 Hot Sessions).
Either CISOs will remain down in the weeds, technically speaking, or they'll be true senior executives and be treated as such, he said, adding that clearly the industry needs to embrace the latter. "The challenge for all of you is: What profession do you want to be in?"
Sullivan took to the stage to share lessons learned from the U.S. government's case against him, which resulted in a jury finding him guilty of two felonies: obstruction of a government investigation and misprision of a felony, which he described as being "a gift to the United States from the British," where under common law, if someone helps cover up a felony, that's a felony too. Because he's currently appealing the verdict, he said his talk would focus on what he saw and heard in the courtroom.
Sullivan is a former federal prosecutor who moved to the private sector, serving as CSO of Facebook and then Uber. In 2016, Uber suffered a data breach, which resulted in the company paying $100,000 in bitcoin to two hackers who stole driver and rider account data of 57 million individuals in exchange for assurances they had deleted exfiltrated data (see: Joe Sullivan: What's a Breach? 'It's a Complicated Question').
Who Wants to Be a CISO?
The case against Sullivan was closely watched by security professionals, as are U.S. Securities and Exchange Commission charges unveiled against SolarWinds and its CISO in October, accusing them of fraud and internal control failures and of misleading investors about the company's cybersecurity practices and risks.
Sullivan said that throughout his career, the principle questions he heard from cybersecurity professionals - and helped mentor them on - were: How do I break into the industry? How do I become a CISO?
Following his felony convictions and the SEC's allegations against SolarWinds, he said the question from potential CISO job candidates has shifted to: "Joe, do I really want to do this?"
He sees too many CISOs being handcuffed by changing public expectations about data breaches and jobholders who have the word "security" in their title but don't have the resources or stature in their company to deliver, he said.
"We have to figure out how to keep our hand in the technical stuff, but we also have to learn how to become real executives," capable of strategic leadership, reading a profit and loss statement and much more, Sullivan said.
"You've got to know how to argue with the board, not just get in front of the board and present some slides that you put together," he said. "The world's changing right now and we've got to get on with it or we're going to be left behind."
Sullivan's crime wasn't that a breach happened on his watch but that he obstructed an ongoing investigation by the Federal Trade Commission into Uber's data security practices in the wake of an earlier data breach in 2014.
Prosecutors argued that Sullivan, who provided sworn testimony to the FTC about its cybersecurity practices shortly before the 2016 breach occurred, misled the agency about the extent of Uber's security revamp. "You can see him realizing, 'Oh, no, this is exactly the sort of thing we told the FTC wouldn't happen anymore,'" prosecutors said in court.
After being fired by Uber, which agreed to assist in the U.S. government's case against him, Sullivan joined Cloudflare as its CSO. He left the company after the government filed charges against him and now leads U.S.-based nonprofit organization Ukraine Friends, devoted to giving "laptops to kids who've lost a parent and can't afford a laptop." Because of safety concerns or their schools having been destroyed, "half the kids in Ukraine are in remote schooling," Sullivan said.
Despite prosecutors in Sullivan's case seeking a 15-month sentence, Judge William Orrick of the U.S. District Court for the Northern District of California in May told Sullivan he would not impose prison time due to the unprecedented nature of the case "and because of your good character."
The judge questioned why prosecutors had not pursued charges against Uber itself, as well as why the CEO at the time of the breach didn't appear in his courtroom.
The judge also stressed that the case wasn't about prosecuting security teams for doing their job, but rather centered on a breach that prosecutors proved should have been reported to the FTC, which was probing Uber's cybersecurity practices.
"If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," Orrick said.
Industry Set to Mature?
Before welcoming Sullivan to the stage, Jeff Moss, the founder and creator of Black Hat, whose first job in the field was for now-defunct firewall manufacturer Computer Sciences Corp. in the late 1990s, posed this question: "As an industry, what's forcing us to mature?"
Historically, the answer has been "very little," although that appears to be changing, Moss said.
Moss believes the industry might be "entering our own Sarbanes-Oxley era," referring to the pioneering 2002 law in the U.S. that holds CEOs personally accountable for the integrity of their financial statements.
"How many breaches will we suffer until the government says, 'Enough is enough'?" Moss said. "I believe our responsibilities are about to take a turn. It might not change this year, but if you look at potential bills and what's being talked about in the United States, it's going to change."
Moss said change in the U.S. seems to be coming from lawmakers and their staff, who have grown up with the internet, and perhaps from cryptocurrency attracting regulatory attention and giving lawmakers a greater appetite for dealing with all things digital.