Uber exec's conviction sends chilling message to CISOs

- Sam Sabin, author of Axios Codebook

Former Uber security chief Joe Sullivan’s conviction for mishandling a 2016 data breach is renewing long-held fears among chief information security officers that they could be "sacrificial lambs" when cyberattacks occur.
Driving the news: A jury found Sullivan guilty this week of obstructing an active FTC investigation into Uber’s security practices and concealing a 2016 data breach, which affected 50 million riders' and drivers’ personal information.
- After discovering the breach, Uber paid the hackers $100,000 to not release the data and to keep quiet about the attack. Sullivan and his team steered this payout through the company’s bug bounty program, where ethical hackers report security flaws and receive rewards.
- The hack wasn't publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.
The big picture: While Sullivan’s case paints a clear example of executive negligence, it is believed to be the first time a CISO has been convicted for a company breach in the U.S.
- CISOs are used to being either fired or publicly blamed for a company security incident.
- They may be offered up as “sacrificial lambs,” but Sullivan’s conviction is reminding them that jail time is also on the table, said Padraic O’Reilly, chief product officer and co-founder at CyberSaint Security.
This can be a problem because CISOs often require the buy-in of their chief executive officers and boards to get the staffing and budget they need to properly secure their operations.
- In Uber’s case, then-CEO Travis Kalanick reportedly learned of the data breach one month after it happened and approved of Sullivan’s response strategy. Several lawyers were also looped into the response, according to evidence presented at Sullivan's trial.
- Additionally, many CISOs already struggle to see eye to eye with their organizations' CEOs or company boards.
The intrigue: Cybersecurity experts are warning the conviction could dissuade people from CISO roles in the future.
- CISOs face a more challenging threat and regulatory environment than they did six years ago when Sullivan's offense happened, including a growth in ransomware attacks and an increasingly complex regulatory landscape.
Yes, but: Sullivan's case involves a lot of extreme examples of executive negligence that most CISOs and security professionals already know to avoid, experts tell Axios, such as lying to regulators or abusing bug bounty programs.
- Mike Hamilton, CISO at Critical Insight, tells Axios that while the oversight and disclosure requirements fall more on a company's legal team and boards, it's still up to the CISO to steer them in the right direction.
What's next: Cybersecurity experts are eager to see how prosecutors and regulators respond to claims in the Twitter whistleblower's complaint, which alleges the company was negligent in reporting various security issues to regulators.
- "If there is a breach, and it turns out to be a breach of private information, it's going to hit the fan," Hamilton says, referring to a potential Twitter incident. "Everybody's going to pay attention."