The trial of former Uber CISO Joe Sullivan marks the first time a cybersecurity chief has faced potential criminal liability for the handling of a breach. Sullivan is accused of hiding details of a 2016 Uber hack, which exposed the email addresses and phone numbers of 57 million drivers and riders, from federal investigators. The two counts against Sullivan, obstruction of justice and failure to report a crime, carry potential jail terms of five and three years, respectively, in a landmark case that has caught the attention of security professionals.
In a sardonic coincidence, Sullivan’s trial began days before news broke that Uber had been hacked again. Uber says a hacker likely affiliated with the teen-led group LAPSUS$ used stolen employee credentials to gain extensive access to Uber’s internal systems, including the company’s Amazon Web Services console, VMware vSphere/ESXi virtual machines, the Google Workspace admin dashboard used to manage Uber email accounts, its Slack server and its bug bounty program portal. Uber confirmed the breach and said it had no evidence the hacker gained access to sensitive user data.
Uber’s latest breach does not appear to involve any wrongdoing by Uber’s security team. Nonetheless, its timing underscores that corporate cybersecurity chiefs remain in uncertain legal territory when major hacks occur. Although some form of liability insurance, or directors and officers (D&O) insurance, for CISOs has been raised in the context of Sullivan’s woes, experts say they don’t see demand for it yet.
Sullivan’s lawyers say he’s not responsible
The 2016 breach involved two hackers, Vasile Mereacre, who went by the name John Doughs, and Brandon Glover, breaking into an Uber S3 storage location containing more than 200 private data files. They stole the names, email addresses and phone numbers of 57 million app users, as well as 600,000 driver’s license numbers, and then contacted Uber to demand a ransom. The hackers communicated primarily with Rob Fletcher, a member of the company’s security response team, although they also contacted Sullivan.
Uber eventually agreed to pay the pair $100,000 to delete the data, framing the payment as a “bug bounty,” and asked them to sign a non-disclosure agreement (NDA), allegedly to conceal the whole matter from the public and from regulators. The incident remained secret until 2017, when Dara Khosrowshahi became Uber’s new chief executive and fired Sullivan.
Last summer, Uber entered into a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the cover-up of the 2016 breach. At the time of the breach, the Federal Trade Commission (FTC) had an ongoing investigation into the company’s data security practices. Prosecutors argue that as Uber’s chief security officer, Sullivan was obligated to disclose the breach to the FTC. Sullivan’s attorneys argue that Uber’s legal team, not Sullivan, was obligated to report it to the FTC.
Andrew Dawson, an assistant U.S. attorney, said: “This is a case of cover-ups, winnings and lies. Evidence will show that Mr. Sullivan paid for the hackers’ silence because Uber was under investigation by the FTC.”
Gray areas such as ransomware could leave CISOs accountable
Given the rapid increase in ransomware attacks over the past three years, many organizations have chosen to pay attackers, a decision that on its face is not so different from what Sullivan did. Even Anne Neuberger, deputy national security adviser for cybersecurity and emerging technologies, has said, despite FBI advice never to pay a ransom: “We recognize…that companies are often in a difficult position if their data is encrypted and they don’t have backups and can’t recover the data. And that’s why – given the increase in ransomware and given, frankly, the troubling trend we’re seeing of often targeting companies that have insurance and perhaps wealthier targets – that we need to look carefully at this domain.”
While most organizations won’t be under FTC investigation and wouldn’t go as far as Uber did to hide a payment to hackers, gray areas could eventually appear, depending on the circumstances. That could leave a CISO exposed to subsequent legal action, and potentially costly legal fees, if they participated in a decision to pay a ransom or to handle a cybersecurity incident in an unconventional way.
CISOs don’t seem to be looking for additional insurance
While CISOs no doubt watch Sullivan’s trial nervously as they weigh whether to demand D&O insurance, the same kind of liability protection that corporate directors and officers receive at large corporations, “right now, the primary focus of CISOs is on the general cyber liability insurance front,” Steven Aiello, Director of Security Practices at Ahead, told CSO. “With the CISOs that I have conversations with, supplemental forms of insurance are not something they’re raising as a concern right now. I’m not saying they shouldn’t have it. What I’m saying is that with the CISOs that I have discussions with, it’s definitely not something they put on the table as a concern.”
It is no surprise that general cyber insurance is currently in the spotlight, given that policies available on the insurance market are becoming increasingly precarious. A leading underwriter, Lloyd’s of London, will soon exclude state-sponsored attacks from its coverage. In addition, some companies are dropping coverage altogether after cyber insurance premiums spiked by as much as 74%.
D&O insurance might also be overkill for most CISOs because, “when you look at an organizational structure, the CISO role is more of a VP or SVP position than a true C-level position,” says Aiello. “Unfortunately, it’s still not a real C-level position. If you look at organizational structures, many CSOs report to a CFO or CIO.”
Yet, as cybersecurity regulation becomes more sophisticated and government agencies issue more guidance on keeping organizations secure and resilient, CISOs have every right to be nervous about the accusations that could arise in the future if they don’t follow the new guidelines today. “Take the case of Uber. It happened after the attack, what we call ‘right of boom.’ If you’ve covered it up, it seems like something that of course exposes you,” Ian Bramson, global head of industrial cybersecurity at compliance firm ABSG Consulting, told CSO.
“But as regulations come in and say you have to report an incident within X time, or you have to do X, Y and Z, when they start to be more prescriptive and companies don’t follow that, then leaders will be more exposed as you go along,” Bramson says. “There is a dimension of overall impact, which is: what have you done to prepare? Were you not well enough prepared? Then you could be responsible for that.”
Bramson thinks that CISOs on the OT side of the business could face greater risks than pure IT cybersecurity managers because liability protection is less mature in industrial environments, and because, as he puts it, “I can stop things. I can blow things up on the OT side.”
The best bet for CISOs is a protective governance policy
Aiello thinks most organizations won’t pay for D&O insurance, or any other type of professional liability insurance, for their CISOs because those policies can cost $100,000 or more per year. CISOs are unlikely to pay for this type of insurance out of their own pockets “to absolve themselves of certain personal risks.” If that were the expectation, most CISOs wouldn’t take the job, “because you can be a lower-level resource and make that much money without having to bear that risk or bear that cost,” says Aiello.
The best bet for CISOs is to ensure that corporate governance policies offer them protection. “I would absolutely ensure that when the organization chooses to accept risk by not purchasing cyber liability insurance or not funding a project, it is documented that it is not the CSO who has chosen to accept this risk; it is the CEO, CFO or COO who has chosen to accept this risk.”
Copyright © 2022 IDG Communications, Inc.