Joe Sullivan guilty in Uber hacking case


SAN FRANCISCO — A former chief security officer for Uber was convicted Wednesday of federal charges stemming from payments he quietly authorized to hackers who breached the ride-hailing company in 2016.

Joe Sullivan was found guilty of obstructing justice for keeping the breach from the Federal Trade Commission, which had been probing Uber’s privacy protections at the time, and of actively hiding a felony.

The verdict ended a dramatic case that pitted Sullivan, a prominent security expert who was an early prosecutor of cybercrimes for the San Francisco U.S. attorney’s office, against his former government office. In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.

Judge William H. Orrick did not set a date for sentencing. Sullivan may appeal if post-trial motions fail to set the verdict aside.

“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Sullivan attorney David Angeli said after the 12-member jury rendered its unanimous verdict on the fourth day of deliberations.

Even without Sullivan’s job history, the trial would have been closely watched as the first major criminal case brought against a corporate executive over a breach by outsiders.

It also may be one of the last: In the five years since Sullivan was fired, payoffs to extortionists, including those who steal sensitive data, have become so routine that some security firms and insurance companies specialize in handling the transactions.

“Paying out the ransom I think is more common than we’re led to believe. There is an attitude that’s similar to a fender bender,” said Michael Hamilton, founder of security firm Critical Insight.

FBI leaders, while officially discouraging the practice, have said they will not pursue the people and companies that pay ransoms if they don’t violate sanctions prohibiting payments to named criminal groups especially close to the Russian government.


“This case will certainly make executives, incident responders and anybody else connected with deciding whether to pay or disclose ransom payments think a little harder about their legal obligations. And that’s not a bad thing,” said Brett Callow, who researches ransomware at security firm Emsisoft. “As is, too much happens in shadows, and that lack of transparency can undermine cybersecurity efforts.”

Most security professionals had been anticipating Sullivan’s acquittal, noting that he had kept the CEO and others who were not charged informed of what was happening.

“Personal liability for corporate decisions with executive stakeholder input is a new territory that’s somewhat uncharted for security executives,” said Dave Shackleford, owner of Voodoo Security. “I fear it will lead to a lack of interest in our field, and increased skepticism about infosec overall.”

John Johnson, a “virtual” chief information security officer for multiple companies, agreed. “Your company leadership could make choices that can have very personal repercussions to you and your lifestyle,” he said. “Not saying everything Joe did was right or perfect, but we can’t bury our head and say it will never happen to us.”

Prosecutors argued in Sullivan’s case that his use of a nondisclosure agreement with the hackers was evidence that he participated in a coverup. They said the break-in was a hack that was followed by extortion as the hackers threatened to publish the data they took, and so it should not have qualified for Uber’s bug bounty program to reward friendly security researchers.

But the reality is that as the hacking of corporations has gotten worse, the way companies deal with it has moved far beyond the letter of the law as it stood when Sullivan is accused of having broken it.

Bug bounties usually require nondisclosure deals, some of which last forever.

“Bug bounty programs are being misused to hide vulnerability information. In the case of Uber, they were used to cover up a breach,” Katie Moussouris, who established a bug bounty program at Microsoft and now runs her own vulnerability resolution company, said in an interview.

The case against Sullivan started when a hacker emailed Uber anonymously and described a security lapse that allowed him and a partner to download data from one of the company’s Amazon repositories. It emerged that they had used a stray digital key Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of data on more than 50 million Uber riders and 600,000 drivers.
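The mechanism described above, a cloud access key left where outsiders could read it, is what secret scanning is meant to catch before an attacker does. What follows is an added example written for this page, not Uber's tooling or any vendor's product. It assumes the exposed key was an AWS credential in the standard format documented by Amazon (a 20-character access key ID beginning with AKIA or ASIA, and a 40-character secret access key), uses Amazon's own documentation placeholder keys as the "leaked" values, and runs over constructed configuration lines; the entropy cutoff is an assumed tuning value.

```python
"""Minimal scanner for AWS-style credentials left in text (added example).

Key formats are assumptions taken from Amazon's public documentation:
  - access key IDs: 20 characters, prefix AKIA (long-term) or ASIA (temporary)
  - secret access keys: 40 base64-like characters
The sample input below is constructed; the key values are the placeholder
credentials from the AWS documentation, not real secrets.
"""
import math
import re
from collections import Counter

# Access key ID: four-letter prefix plus 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret key candidate: 40 base64-ish characters assigned to a secret-looking name.
SECRET_KEY_RE = re.compile(
    r"""(?i)(?:aws_secret_access_key|secret(?:_?key)?)\s*[=:]\s*["']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"""
)

# Assumed cutoff (bits per character). Real secrets are near-random; a repeated
# filler string of the right length should not be reported.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters so a report can be shared safely."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list:
    """Return one finding per credential-shaped token, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            # Access key IDs are identifiers, not secrets, so report them in full.
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Shape alone is not enough: drop low-entropy strings that merely fit the pattern.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append(
                    {"line": lineno, "kind": "aws_secret_access_key", "value": redact(candidate)}
                )
    return findings


# Constructed sample: a credentials file of the kind that ends up in a code repository.
SAMPLE = "\n".join([
    "# constructed sample; key values are the AWS documentation placeholders",
    "[default]",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "# a filler string with the right length but no entropy; should not be reported",
    "secret_key = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'",
    "db_host = db.internal.example",
])


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run as a script it reports the access key ID on line 3 and the redacted secret on line 4 and stays silent on the filler string. The same `scan_text` can be pointed at a repository by feeding it each file's contents (and each commit's diff, since a key deleted from the working tree is still in the history), which is the check that would have caught a stray key before an outsider did.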

Sullivan’s team steered them toward Uber’s bounty program and noted that the top payout under it was $10,000. The hackers said they would need six figures and threatened to release the data.

A protracted negotiation ensued that ended with a $100,000 payment and a promise from the hackers that they had destroyed the data and would not disclose what they had done. While that looks like a coverup, testimony showed that Sullivan’s staff used the process to get clues that would lead them to the real identities of the perpetrators, which they felt was necessary leverage to hold them to their word. The two were later arrested and pleaded guilty to hacking charges, and one testified for the prosecution in Sullivan’s trial.

The obstruction charge drew strength from the fact that Uber at the time was nearing the end of a Federal Trade Commission investigation following a major 2014 breach.

A charge of actively hiding a felony, or misprision, could also apply to many of the corporate chiefs who send bitcoin to overseas hackers without telling anyone else what happened. While the number of those hush-ups is impossible to pin down, it is clearly a large figure. Otherwise, federal officials would not have pressed for recent legislation that will require ransomware notifications from critical infrastructure victims to the Cybersecurity and Infrastructure Security Agency.

The Securities and Exchange Commission is also pushing for more disclosure. The conviction stunned corporate security and compliance leaders and will rivet their attention on the details of those rules.


The case against Sullivan was weaker in some respects than one might expect from a trial aimed at setting a precedent.

While he directed the response to the two hackers, many others at the company were in the loop, including a lawyer on Sullivan’s team, Craig Clark. Evidence showed that Sullivan told Uber’s then-chief executive, Travis Kalanick, within hours of learning about the threat himself, and that Kalanick approved Sullivan’s strategy. The company’s chief privacy lawyer, who was overseeing the response to the FTC, was informed, and the head of the company’s communications team had details as well.

Clark, the designated legal lead on breaches, was given immunity to testify against his former boss. On cross-examination, he acknowledged advising the team that the attack would not have to be disclosed if the hackers were identified, agreed to delete what they had taken and could convince the company that they had not spread the data further, all of which eventually came to pass.

Prosecutors were left to challenge “whether Joe Sullivan could have possibly believed that,” as one of them put it in closing arguments Friday.

Sullivan’s attorney Angeli said that the real world functioned differently from bug bounty ideals and the policies laid out in company manuals.

“At the end of the day, Mr. Sullivan led a team that worked tirelessly to protect Uber’s customers,” Angeli told the jury.


After Kalanick was forced out of the company for unrelated scandals, his successor, Dara Khosrowshahi, came in and learned of the breach. Sullivan depicted it to him as a routine payoff, prosecutors said, editing from one email the amount of the payoff and the fact that the hackers had obtained unencrypted data, including phone numbers, on tens of millions of riders. After a later investigation turned up the full story, Khosrowshahi testified, he fired Sullivan for not telling him more, sooner.

Eager to show that it was operating in a new era, the company helped the U.S. attorney’s office build a case against Sullivan. And the prosecutors in turn unsuccessfully pressed Sullivan to implicate Kalanick, who would have been a far bigger prize but was not damned by the surviving written evidence, according to people familiar with the process.

Bug bounties were never meant to offer as much money to hackers as criminals or governments would pay. Instead, they were designed to offer some cash to those already inclined to stay above board.

But the companies are the ones paying the bill even when the programs are run by outside vendors such as HackerOne and Bugcrowd. Disputes between the researchers reporting the security holes and the companies with the holes are now common.

The two sides differ over whether a bug was “in scope,” meaning inside the areas where the company said it wanted help. They differ over how much a bug is worth, or if it is worthless because others had already found it. And they differ over how, or even if, the researcher can disclose the work after the bug has been fixed or the company opts not to change anything.

The bounty platforms have arbitration procedures for those disputes, but since the companies are footing the bill, many hackers see bias. Too much protesting, and they get booted from the platform entirely.

“If you’re hacking on a bug bounty program for the love of hacking and making security better, that’s the wrong reason, because you have no control over whether a company decides to patch in a timely matter or not,” said John Jackson, a researcher who cut back on his bounty work and…




2022-10-05 23:41:50
