Former Uber chief security officer (CSO) Joe Sullivan recently spoke out about his conviction related to the 2016 data breach at Uber. Sullivan, who had previously served as a federal prosecutor specializing in computer hacking and IP issues, found himself on the other side of the justice system when a San Francisco jury found him guilty of obstructing an official proceeding and failing to report wrongdoing. Despite the initial shock of the conviction, Sullivan now aims to be a better person and to advocate for stronger regulations in the cybersecurity industry.
Sullivan’s conviction and subsequent advocacy for stronger cybersecurity regulations highlight the need for collaboration between the public and private sectors. He emphasizes the importance of industry leaders speaking out to shape future regulations and ensure the cybersecurity industry promotes and maintains strong security practices.
Background: The Uber Data Breach Case
The case against Sullivan arose from a breach of Uber’s systems in 2016, which resulted in hackers threatening to expose the data of 50 million customers and drivers. The verdict focused on Uber’s decision not to report the breach to the Federal Trade Commission, which the company was required to do after a previous hack in 2014. Sullivan’s expectations of winning the trial were shattered, as his lawyers advised against a strong defense and he did not testify in court.
Initial Impact and Community Response
Sullivan admits that losing the trial took a toll on him. However, he has since received support from fellow CSOs and CISOs who wrote letters to the case’s sentencing judge, expressing their concerns about potential legal repercussions for cybersecurity professionals performing their jobs. The case has sparked anxiety within the cybersecurity community, with professionals questioning whether they should continue in the industry due to the risks involved.
Looking Towards the Future and Fixing the Industry
Sullivan now serves as the CEO of a nonprofit organization dedicated to providing humanitarian and technology aid to Ukraine. He believes that public-private sector collaboration and stringent regulations are necessary to address the flaws in the cybersecurity industry. Despite his personal experience of being regulated, Sullivan acknowledges the importance of government regulations and praises the incoming data breach disclosure rules set by the U.S. Securities and Exchange Commission. He encourages professionals in the field to actively engage in shaping future regulations and become leaders who can advocate for cybersecurity best practices.