History in the Making: Uber CISO Goes on Trial

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Cybersecurity history books will have at least one chapter covering the events of this week. If you’re a CISO, you’re probably well aware of what I’m talking about, but for everyone else, let me explain what’s going on.

In 2016, the ride-sharing company Uber fell victim to a data breach that exposed the personal information of 600,000 drivers and 57 million riders. It was a big breach but otherwise unremarkable. The attackers did not deploy any particularly novel techniques or do much damage with the stolen data. The attack was ordinary; the response was not (allegedly).

Joe Sullivan, a former federal prosecutor and something of a celebrity in cybersecurity circles, was Uber’s CISO at the time. He led the response to the 2016 data breach…and now he’s on trial for his actions.

I will reserve as much judgment as possible as I outline what happened. My goal is not to root for one outcome or another. No, my goal is only to call attention to a fascinating situation in progress that will have repercussions for the entire cybersecurity community and beyond. No matter what happens, cybersecurity will not be the same after this trial.

A Fixer or a Fall Guy?

Joe Sullivan’s trial for obstruction and failure to report a felony began this week. The government essentially accuses Sullivan of failing to report the 2016 data breach to the Federal Trade Commission (FTC) and hiding it from his employers.

That accusation stems from the fact that Sullivan, upon learning about the breach, made contact with the two hackers responsible and offered them each a payment of $100,000 in exchange for signing a non-disclosure agreement. Those payments came through Uber’s bug bounty program.

Government lawyers accuse Sullivan of using these payments to essentially hide the attack from both regulators and his bosses at Uber. At the time, Uber was under strict scrutiny from the FTC because of a previous data breach in 2014. Framing the payment as a bounty (something minor) rather than a payoff (something major) allowed Sullivan to keep the existence of the data breach a secret, according to prosecutors, and avoid the ire of the FTC.

Sullivan sees things differently. He alleges that payments through bug bounty programs and enhanced secrecy following an attack are not unusual. He also claims the breach was widely known about within Uber’s security team, and that responsibility for disclosing the attack to the FTC fell on Uber’s legal team. Sullivan believes he’s become the fall guy for an organization eager to make excuses for past failures instead of making improvements.

Did Joe Sullivan cover up the attack or follow standard operating procedure? That’s the question at the heart of the trial, and it’s sparking heated debates across cybersecurity. Some see Joe Sullivan as a dedicated defender using clever and necessary tactics to deal with the attackers (who were both eventually arrested and prosecuted). Others think Sullivan exemplifies the worst instinct in cybersecurity: to sweep attacks under the rug rather than strive to be transparent and accountable.

There’s more grey area here – much of it about the letter of the law rather than cybersecurity best practices – than either side would probably like to admit. But, to me, what’s even more interesting than the outcome of the trial is the fact that it’s happening at all.

CISOs in the Hot Seat

The government accuses Sullivan of violating federal and state laws mandating breach notifications. But the penalty for breaking those laws is to pay a fine, not to have the CISO stand trial, so why is Joe Sullivan in court?

Prosecutors are applying several legal theories that are interesting and worth diving into (but also long, complex, and densely argued). Rather than rehashing those arguments here, suffice it to say that the government has constructed an argument that could, from here on out, expose CISOs to criminal charges and sweeping legal liabilities for attacks (successful or otherwise) against their employer.

This obviously raises the stakes for being a CISO. And given the worsening state of cybersecurity, it could make serving as a CISO an extremely risky job, certainly compared to any other member of the C-suite. Will that risk prompt companies to take cybersecurity extremely seriously? Or will it just make it extremely hard to recruit CISOs? I’m not sure, but I’m confident it will change the character of cybersecurity as we know it, provided it comes to fruition. Joe Sullivan’s trial is a test of the government’s legal arguments, and whether the court finds them convincing remains to be seen. A not guilty verdict could restore the status quo – but I think change is coming, either now or later.

In many ways, the prosecution of Joe Sullivan is punishment for Uber’s repeated and often egregious disregard for data security. They poked the bear one too many times. I think this prosecution, no matter how it plays out, signals a desire on the part of the FTC specifically and the government more broadly to enforce strong cybersecurity standards. Whether that results in CISOs going to jail or something else, I think the era of hiding or excusing cyber attacks is over. The risk far outweighs the reward.

What’s the fate of Joe Sullivan? I don’t know. No matter what, he’s cemented his place in cybersecurity history.
