Modern Workplace

Should we be freaking out about CISO scapegoating?

Nov 03, 2022
CISO Scapegoating

Almost as soon as the news broke that Uber CSO Joe Sullivan was convicted of attempting to cover up a data breach from the FTC, pundits took to their keyboards to either assure CXOs they had nothing to worry about or urge them to save themselves from an inevitable backstabbing.

To recap, in early October, Sullivan was found guilty by a federal jury of "obstruction of proceedings of the Federal Trade Commission (“FTC”) and misprision of felony in connection with his attempted cover-up of a 2016 hack of Uber." 

At the time, Sullivan was cooperating with the FTC to investigate an earlier data breach, but he elected to pay the perpetrators of the 2016 incident $100,000 in Bitcoin in exchange for deleting the data and signing a non-disclosure agreement. 

He reportedly did not notify the FTC of this decision. He is said to have instead instructed subordinates not to let news of the breach go public and to have kept tight control over information pertaining to the breach, even within the company. As a result, Sullivan was found guilty of obstructing court proceedings and awaits sentencing. 

While it’s true that Sullivan’s situation was shaped by particular circumstances, it remains to be seen what sort of effect the decision will have on the behavior of the wider CXO community.

Some fear it will legitimize the practice of “CISO scapegoating,” where criminal blame is assigned arbitrarily following a cyber incident as a form of damage control. Others hope it will encourage security executives to be more forthright about breaches involving customer data (records belonging to about 57 million Uber users were supposed to have been stolen in the incident in question). 

“The message in today’s guilty verdict is clear: companies storing their customers’ data have a responsibility to protect that data and do the right thing when breaches occur,” an FBI agent is quoted as saying by the DoJ. 

But the true impact of Uber’s breach and Sullivan’s conviction will inevitably involve sparking conversations about the extent of a CXOs liability in the wake of a significant cybersecurity incident. 

Martyrdom or malpractice?

Paying a ransom for the destruction or return of stolen data isn’t a crime. Law enforcement agencies certainly advise against it, but some organizations see it as the best way to resolve an incident quickly and perhaps save face. In Sullivan’s case, paying a ransom did prevent sensitive data from being made public.

But some worry that this verdict "could create a public perception that it is never legal or acceptable to pay ransomware actors or hackers attempting to extort payment to keep stolen data private."

The DoJ filing makes it clear that it had at least two specific issues with how Sullivan and Uber ultimately decided to buck up (more on third later): 

  1. The true identities of the hackers were still unknown
  2. They were continuing to actively target businesses

Given that cybercriminals rarely make their offline identities known voluntarily, the first issue seems like it would be a sticking point in most instances. Ransomware groups and other bad actors don’t typically retire after a single successful instance of extortion, either. So the second issue also seems to be a non-starter for ransom payments. 

If these two conditions are met in nearly every online extortion event, is that a de-facto declaration that ransomware payments are punishable by law enforcement? Whatever the answer, a third factor is damning for Sullivan. The Washington Post reported that the money paid to hackers was made as a part of Uber’s bug bounty program, something the court disputed during his trial. This claim, along with the use of a non-disclosure agreement, contributed to the court’s decision to find Sullivan guilty of attempting a coverup. 

So, where does this leave the rest of us?

The reality is, Sullivan violated basic principles of morality intelligible to school-aged children during this incident. He instructed subordinates to keep information about the 2016 breach under wraps, even as he worked with the FTC on an investigation into a 2014 breach. He willingly mischaracterized the extortion payment as a bug bounty. He even kept the fact that the breach occurred from Uber’s own legal team. His non-disclosure resulted in another business, the online learning platform, being compromised by the same two hackers. 

California’s data privacy protection laws also mandated that he disclose the breach. The CCPA states that anytime data belonging to more than 500 California citizens is compromised, the incident must be reported to the attorney general. While this would have required a slightly more sophisticated understanding of data privacy law, someone in Sullivan’s position should be expected to understand relevant regulations.

My point is, these aren’t circumstances one would stumble into without first making some deliberate and, at best, morally shaky decisions. That’s why I think the cybercrime commentary class is ultimately right about CISO scapegoating being probably overblown. The breathless headlines about CXOs being sacrificial lambs were a tad knee-jerk. 

If we act with integrity, keep in mind who we’re supposed to be protecting, and remember our high-school ethics educations, we’re unlikely to wind up in Joseph Sullivan’s position. 

What do you think?

What to read next

‘Cyber isolationism’ is making CXOs’ jobs more complicated – and more critical

The CISOs Report: A spotlight on today’s cybersecurity challenges