Let’s talk a little bit about the Uber/Joe Sullivan case.
Yes, I know, it’s already yesterday’s news, and I’m so very late to the party.
As you know, I made my career in being a recurring non-officer CISO – a “virtual CISO” many, many times over, always for several companies at once. This, perhaps, allows me to offer a different perspective.
First of all, I feel for Joe. Even the judge, during pretrial motions, noted dryly that it seemed like Joe (in case you ever read this, I hope it’s OK for me to call you Joe, Joe) was on trial for the entire Uber corporation. There are certainly elements of this trial that hint at, uhh, extrajudicial agendas, such as the idea that Joe, who used to be an AUSA, should have known better than many of his peers who have not previously been part of law enforcement. Or more darkly, the notion that the prosecutor tried to turn Joe against the really big fish – one Travis Kalanick, who was deeply involved and called some of the important shots about the breach – but Joe wouldn’t turn.
You can read speculative articles about this until your eyes bleed. It’s the kind of thing that makes TV show producers squeal.
But I’m the stories guy, so let me tell you the story of how this stuff happens behind the scenes. Why should you care? Because, having served as CISO for so many companies, I’ve been in the hot seat around incidents, like the one Uber experienced that led to this trial, more times than you have fingers and toes. And it seems like it might be a useful perspective.
First question: is it a breach?
Unless you’re the kind of CISO that shouldn’t be, you never make decisions about whether an incident is a breach or not (the “key question”). It’s not your job. It’s never your job. You know whose job it is? Counsel. One interesting feature of Joe’s team was that he actually had counsel in his team, reporting to him, to answer this key question. This is not typical! Presumably, Joe’s prior experience in law enforcement led him to make an apparently quite advanced hire. Unfortunately for him, said lawyer (Craig Clark) ended up state’s witness, after being turned by the prosecutor in the case.
This, to me, adds an unusual dimension to the case. Were Joe operating in a more typical environment, he would have had to go to general counsel for the key question. By having his own breach counsel, Joe effectively “in-sourced” the responsibility for the key question, and became accountable to it as that lawyer’s boss. This is a nuance that I had not seen discussed elsewhere, but I feel that it’s critical. If you’re a CISO and want an immediate takeaway, I would tell you to learn from Joe’s experience, and never, ever allow a lawyer to be part of your team. Let general counsel and their team own the determination around breach notifications, as it is very much within their job description, and very much not within yours.
Does that feel oppositional? Perhaps. But keep in mind that general counsel is the company’s lawyer and as such, has certain protections built into their role that you, as CISO, do not. It also keeps things where they belong; you, as CISO, perform the job of informing and advising about the nature of the incident. You may even have an opinion, but the lawyers whose job is to know the law determine whether any legal requirements arise from the incident and importantly, the key question: whether it qualifies as a breach.
It’s an important lesson, I think.
At least you wouldn’t be the only person on trial.
Second question: should you ever override general counsel’s decision?
Ultimately, this is the real impact of this trial. If we are to follow the narrative, it goes something like this: CISOs are now going to be a lot more inclined to act as whistle blowers around security incidents, because they would be afraid of the orange jump suit. What incentive would they have to act other than extremely conservatively? In turn, companies are going to hate the people in this role even more than they do right now. You think CISOs are difficult to work with today? How you wish they could think more in terms of being business enablers instead of fear merchants?
Oh, just you wait.
Unfortunately, none of this is good for the practice of security in an organization. But, as always, there are so many glossed-over nuances here. For example, if general counsel (remember the first point above) writes to you saying “we do not believe this is a breach and it does not require notification”, then your ass is covered. It is, yes. Take a deep breath. It is. You know why? Because you didn’t hire them and they don’t work for you. You’re not their boss. So if the regulator, say the FTC, claims you lied to them, it’s a bit of a different story if the legal opinion doesn’t come from your own lawyer that reports to you.
This stuff matters.
I can’t pretend to know what sort of internal pressures Joe was facing in terms of that FTC disclosure, by the way. But I imagine that nobody at Uber wanted additional embarrassment at that point in the company’s life, leading into an IPO and all that. It’s one of the most galling aspects of this entire case, because even without knowing anything, I bet that Mr. Kalanick (for one) felt quite strongly about not talking to the FTC about it.
As for the method Joe used to “hide” the breach; here I must laugh. Let’s be clear about this: there are no “black hats” and “white hats”. There are only “gray hats”. If funneling a disclosure to a bug bounty program with the partial and explicit goal of getting the vulnerability reporters under NDA is a felony, then by all means, come arrest me now; I’ve made this recommendation quite literally hundreds of times. It’s a big part of bug bounty, that arm’s length aspect that allows us to keep an ever more complex technology environment in a more or less reasonably secure shape so the company can conduct its business. If everything was always made public immediately, as appears to be the righteous position taken by the prosecutor in this case, then companies simply could not function due to the constant barrage of security priorities, and their only option would be the discontinue their bug bounty programs.
I can’t imagine anyone in security thinks this is a good idea for data protection.
Third question. At $100,000, was it an unusually large bounty and didn’t that indicate some shady intentions to illegally hide stuff?
Sure, it was a lot. But the payment fit the disclosure. It wasn’t out of line in that sense; from what I could learn from the trial information, and based on my experience in this area, anything up to a quarter million or so would have been reasonable. So kudos to Joe’s team for negotiating a reduced payment with the hackers.
Much more importantly, Uber bought not just an NDA, but a certification of data destruction. That’s pretty good, and while of course you can’t ensure that the person on the other side isn’t lying to you (and lying isn’t a crime), at the very least it looks like Uber, through Joe, attained the best possible outcome with respect to this incident.
Incidents happen! And let me tell you, no one likes to make them public. Been there, done that, and companies, through counsel (just not your counsel, CISOs), will always choose not to notify the public* if they have reasonable legal grounds to avoid the notification. That in itself does not implicate anyone in a crime, not even the person nominally tasked with trying to prevent incidents from happening.
Or should not, anyway.
Fourth question. Does this change the role of the ciso itself as a company officer?
Took me long enough.
It’s a tough one. From my perspective, it definitely gives CISOs a reason for pause. Here is where I think that my perspective might help: as a perennial vCISO, I’m never an employee, let alone an officer, so all I can do is recommend; there is never a question of me making a decision about the key question. It’s never my decision. In a way, it might work well for full-time CISOs to take that approach as well.
In a world that has suddenly opened the real possibility of criminal charges for simply doing your job as CISO, there might be benefit to refocusing your approach towards the more advisory side of things. Less authoritarian, more collaborative. There is a maturity element to this. Many CISOs tend to think that their job is more important than it really is – I did write a book about it, after all – and this case may provide a bit of a reality check. Joe is smart, and charismatic, and a leader. The problem arises when the role is then cast in this mold. Because it’s very easy to believe that, as CISO, you are the “protector of the company”, and demand the matching decision-making authority.
Here is the thing: people will happily let you do just that.
Do you know why?
Because when you fail, then you own the responsibility for it.
And the matching orange jump suit.
(*) yes, the issue of whether he had a legal obligation to tell the regulator (FTC) about it is of course essential to this question. Reading between the lines, it comes down to a group of people (Joe, Travis, Craig, et al) convincing themselves that it wasn’t necessary because they were afraid of what it might do at a critical time for Uber. To then single Joe out for this decision seems preposterous. If you want to charge them, then charge all of them. That’s exactly what the judge noted, and why Craig was offered immunity from prosecution in return for burning his boss. Take from this what you will.