Khosrowshahi fired Sullivan and Craig Clark, a security lawyer, in 2017. Sullivan, who prior to Uber had been the chief security officer at Facebook, is now chief information security officer for the internet infrastructure company Cloudflare. In a tweet on Thursday, Cloudflare CEO Matthew Prince wrote, “Sad to see Joe Sullivan allegations. … Anytime an opportunity arose, Joe’s advocated for us to be as transparent as possible. I hope this is resolved quickly for Joe & his family.”
According to media reports following Uber’s 2017 breach notification, other company executives and employees aside from Sullivan approved and helped to carry out the plan to treat the breach like a bug bounty disclosure and pay the hackers off through this mechanism. “I was surprised and disappointed when those who wanted to portray Uber in a negative light quickly suggested this was a cover-up,” Sullivan told The New York Times in a 2018 statement.
John Flynn, Uber’s longtime chief information security officer, who left the company in July, told the Senate Commerce Committee in February 2018 that Uber “made a misstep in not reporting to consumers, and we made a misstep in not reporting to law enforcement.”
Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues, notes that Sullivan is apparently being singled out because he provided testimony and assistance to the FTC in its investigation of the company’s 2014 breach. Under the Justice Department’s standards for establishing individual accountability in corporate wrongdoing at the time of the 2016 FTC investigation, Uber needed to present individuals responsible for the misconduct to receive recognition or “credit” for cooperating with the investigation.
“You’ve already got the FTC regulators in your office, they’re already sifting through your documents, they’re already taking sworn testimony from you,” Tuma says. “And they probably say something like, ‘You have a duty to supplement this if you learn anything new.’ And then 10 days later he learned of this other breach.”
Legal analysts do have some concerns that the case could lead to overly broad interpretation of what constitutes concealing a felony in the context of vulnerability research and breach disclosure. At times, well-meaning security researchers may inadvertently violate the letter of the Computer Fraud and Abuse Act in small ways, which is why many vulnerability disclosure programs include safe harbor language. If the precedent from this case compelled companies to report even those inconsequential missteps, it could have a chilling effect on vulnerability research.
“For years we have been hearing the same kind of talk that companies aren’t going to change how they protect data until somebody goes to jail over it,” Tuma says. “But this isn’t just a typical data breach notification case. Had the FTC investigation not been going on then the question is what law would this have violated? I don’t think this would have been prosecuted in those more typical situations.”
While the case is an experiment in developing more levers for corporate breach accountability, some argue that a more foundational shift is needed to meaningfully protect consumers. “There needs to be a baseline of rights for users of corporate platforms and real disincentives against violating those rights,” says Davi Ottenheimer, who runs security for the data ownership and integrity firm Inrupt. “We need to shift the mindset that this is about human rights law, not just corporate safety and governance.”
The fact that Sullivan is the only executive being indicted for something others participated in also sends a flawed message, says Katie Moussouris, a longtime bug bounty program advocate who runs the consultancy Luta Security. She points out that while CSOs should be held accountable for their actions, they shouldn’t be put forth as a convenient “Chief Sacrificial Officer.”