The trial of former Uber CISO Joe Sullivan marks the first time a cybersecurity chief has faced potential criminal liability. Sullivan is charged with trying to conceal from federal investigators the details of a 2016 hack at Uber that exposed the email addresses and phone numbers of 57 million drivers and passengers. The two charges against Sullivan, obstruction of justice and failure to report a crime, carry potential jail time of five and three years, respectively, in a watershed case that has drawn the attention of security professionals.
In a sardonic coincidence, Sullivan’s trial began days before news broke that Uber had been hacked again. Uber says that a hacking group run by teenagers called LAPSUS$ likely stole an employee’s credential to gain wide-ranging access to Uber’s internal systems including the company’s Amazon Web Services console, VMware vSphere/ESXi virtual machines, Google Workspace admin dashboard for managing the Uber email accounts, Slack server, and bug bounty program portal. Uber confirmed the breach and claimed it has no evidence that the hacker gained access to sensitive user data.
The latest Uber breach doesn’t appear to involve any malfeasance on the part of Uber’s security team. Nonetheless, its timing underscores that corporate cybersecurity chiefs remain in uncertain legal territory regarding significant hacks. Although the issue of some form of personal liability insurance, or directors-and-officers (D&O) insurance, for CISOs has been raised in the context of Sullivan’s woes, experts say they aren’t seeing demand for it yet.
Sullivan’s attorneys argue he’s not responsible
The 2016 breach involved admitted hackers Vasile Mereacre, who went by the name John Doughs, and Brandon Glover hacking into an Uber S3 folder containing more than 200 users’ private data files. They stole the names, email addresses, and phone numbers of 57 million app users, along with 600,000 driver’s license numbers. They then contacted Uber seeking a ransom payment. The hackers mostly communicated with Rob Fletcher, a company security response team member, although they also contacted Sullivan.
Uber ultimately agreed to pay the pair $100,000 to delete the data as a “bug bounty” and asked them to sign a non-disclosure agreement (NDA), allegedly to conceal the whole affair from the public and regulators. The incident remained under wraps until 2017, when Dara Khosrowshahi became Uber’s new chief executive and fired Sullivan.
This past summer, Uber entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the cover-up of the 2016 breach, given that the Federal Trade Commission (FTC) had a pending investigation into the company’s data security practices at the time. Prosecutors contend that as the security chief for Uber, Sullivan was obligated to disclose the breach to the FTC. Sullivan’s attorneys argue that Uber’s legal team and not Sullivan was obliged to report the breach to the FTC.
Andrew Dawson, an assistant US attorney, said, “This is a case about a cover-up, about payoffs and about lies. The evidence will show that Mr. Sullivan paid for the hackers’ silence because Uber was being investigated by the FTC.”
Gray areas such as ransomware could leave CISOs responsible
Given the rapid spike in ransomware attacks over the past three years, many organizations have chosen to pay the ransom to attackers in a manner not dissimilar to what Sullivan did. Even Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger has said, despite the FBI’s advice never to pay a ransom, “We recognize…that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data. And that is why — given the rise in ransomware and given, frankly, the troubling trend we see of often targeting companies who have insurance and maybe richer targets — that we need to look thoughtfully at this area.”
Although most organizations are not under investigation by the FTC and wouldn’t go to the lengths that Uber did to conceal a payment to hackers, gray areas could conceivably emerge, depending on the circumstances, that could leave CISOs vulnerable to subsequent legal actions, and potentially costly legal bills, if they participated in a decision to pay a ransom or deal with a cybersecurity incident in an unconventional way.
CISOs don’t seem to be seeking additional insurance
While CISOs are no doubt watching Sullivan’s trial nervously to determine whether they should demand D&O insurance, the same kind of liability protection that corporate directors and officers receive at significant corporations, “right now the primary focus for CISOs is on the general cyber liability insurance front,” Steven Aiello, security practice director at Ahead, tells CSO. “With the CISOs that I’m having conversations with, the additional forms of insurance are not something they’re bringing up as a point of concern right now. I’m not saying that they shouldn’t have it. What I’m saying is that the CISOs that I’m having discussions with, that’s definitely not something that they’re bringing to the table as a concern.”
It’s no surprise that general cybersecurity insurance is a current focus of attention, given that policies written in the insurance market are becoming increasingly precarious. One leading underwriter, Lloyd’s of London, will soon exempt state-backed attacks from its coverage. Moreover, some companies are ditching the coverage altogether following a 74% spike in cyber insurance premiums.
D&O insurance could also be overkill for most CISOs because, “When you look at an organizational structure, the CISO’s role is still really more of a VP, SVP position than a true C-level position,” Aiello says. “It’s, unfortunately, still not a true C-level position. If you look at the organizational structures, a lot of CSOs either roll up to a CFO or a CIO.”
Yet as cybersecurity becomes more sophisticated and government agencies spell out more guidance on achieving security and resiliency in their organizations, CISOs have a right to be nervous, given possible accusations that might crop up in the future if they fail to follow the emerging guidance today. “Take the case with Uber. That happened post-attack, what we call, right of boom. If you covered it up, that seems to be something that, of course, gets you exposed,” Ian Bramson, global head of industrial cybersecurity at compliance firm ABSG Consulting, tells CSO.
“But as regulations come in and say you have to report an incident in X amount of time, or you have to do X, Y, and Z. When they start being more prescriptive, and companies aren’t following that, then the executives will be more exposed as they go along,” Bramson says. “There’s an overall impact dimension, meaning what did you do to prepare? Did you not prepare well enough? Then you might be liable for that.”
Bramson thinks CISOs on the OT side of the business might face more significant risks than pure IT cybersecurity leaders because liability protection is less mature in industrial environments, and “I can shut stuff down. I can blow stuff up on the OT side.”
The best bet for CISOs is protective governance policy
Aiello thinks that most organizations won’t pay for D&O insurance, or any other kind of professional liability insurance, for their CISOs because those policies can cost $100,000 or more per year. CISOs are unlikely to pay for that kind of insurance out of their own pockets “to absolve themselves of some personal risk.” If that were the case, most CISOs wouldn’t take the job, “because you can be a lower level resource and make just as much money and not have to carry that risk and not have to carry that cost,” says Aiello.
The better bet for CISOs is to ensure that corporate governance policies provide them with protection. “I would absolutely make sure that when the organization chose to accept a risk by not getting cyber liability insurance or by failing to fund a project, it should be documented that it wasn’t the CSO that chose to accept this risk; it was the CEO or the CFO or the COO that chose to accept that risk.”
Copyright © 2022 IDG Communications, Inc.