The guilty verdict handed down to former Uber Chief Information Security Officer Joseph Sullivan has made waves in the cybersecurity industry. Sullivan was convicted of obstruction of proceedings of the Federal Trade Commission and misprision of a felony. The charges stemmed from Sullivan's concealment of a 2016 security incident in which the personal information of 57 million Uber customers and drivers was stolen.
According to the initial complaint published by the U.S. Attorney's Office, Northern District of California, in November of 2016 Sullivan received an email from a hacker informing him that Uber had been breached again (the FTC was already investigating an earlier Uber breach at the time). Sullivan's team confirmed the breach within 24 hours of receiving the email. Rather than report it, Sullivan allegedly took deliberate steps to keep knowledge of the breach from reaching the FTC and arranged to pay the hacker(s) through the company's "bug bounty" program, a channel intended for good-faith vulnerability reports, not for paying off attackers who had already exfiltrated data. Sullivan also had the hackers sign non-disclosure agreements stating that they had not taken or stored any data, which was untrue. When another employee confronted Sullivan about the false statement, he insisted that it remain in the agreements. Moreover, after Uber personnel identified two of the individuals responsible for the breach, Sullivan arranged for them to sign fresh copies of the non-disclosure agreements in their true names. The new agreements retained the false claim that no data had been obtained.
The large number of articles and social media posts published following the CISO conviction has shown that this is a very polarizing event. Many support the verdict, while others believe that additional charges should also have been brought against some of the Uber executives at the time. While there is no doubt that Mr. Sullivan made some poor decisions, the objective of this article is not to weigh the merits of the conviction but to examine what businesses and cyber professionals can learn from it.
There are some important takeaways from the CISO conviction that can help organizations improve their security incident response and avoid making similar mistakes when responding to a cyber-attack.
Implement an Effective Incident Response Policy and Plan
When it comes to incident response, there are a few key things to keep in mind. First and foremost, it is vital to have a plan in place before an incident occurs. This plan should be well documented, regularly updated, and regularly tested so that everyone on the incident response team is familiar with it and with their role when an incident occurs. It should state explicitly who has the authority to decide on external notification (regulators, law enforcement, affected individuals) and which legal and compliance functions must be consulted before that decision is made, so that the call never rests with a single executive. Secondly, it is crucial to act quickly when an incident does occur. Every minute that goes by without taking action is another minute the attacker has to do damage, and speed matters just as much once the damage is done: in Uber's case the hackers had already obtained customers' and drivers' personal information by the time Sullivan was notified, which is exactly the point at which breach notification obligations and their deadlines begin to run. Finally, incident response is not something that should be done in isolation. It is important to involve stakeholders from across the organization, as well as external partners such as law enforcement and cybersecurity vendors, to ensure proper visibility and compliance with local, state, and federal laws and regulations.
We must always remember that we have an ethical obligation, and in most jurisdictions a legal one, to protect the data of our customers, employees, and other contacts. Committing to an effective Incident Response Plan will allow your organization to respond to incidents more effectively, minimize the impact of attacks, and ensure that the event is visible to the people inside and outside the organization who need to know about it.
Establish Reporting Procedures
Organizations need to give employees an outlet to report violations or illegal and unethical behaviors without suffering harassment, retaliation, or adverse employment consequences. This can be accomplished with the implementation of a whistleblower policy and program.
The following passage from the Sullivan complaint illustrates a situation where whistleblower protections could have surfaced the misconduct sooner.
“Additionally, Sullivan sought to have the hackers sign non-disclosure agreements. The agreements contained a false representation that the hackers did not take or store any data. When an Uber employee asked Sullivan about this false promise, Sullivan insisted that the language stay in the non-disclosure agreements.”
An organization's internal whistleblower policy is necessary not just to empower and protect employees, but also to protect the employer. Giving employees an avenue to report violations of the organization's values helps prevent future instances of ethical wrongdoing. In addition, by encouraging employees to come forward with concerns, whistleblower policies help employers identify risks and take corrective action before more serious problems arise. Organizations should implement an internal whistleblower policy as part of their commitment to a culture of ethics and integrity.
The CISO conviction provides some important lessons and reinforces that how we react during a cybersecurity incident is as important as the steps we take to avoid one.