The Conviction of Uber’s Chief Security Officer

I have been meaning to write about Joe Sullivan, Uber’s former Chief Security Officer. He was convicted of crimes related to covering up a cyberattack against Uber. It’s a complicated case, and I’m not convinced that he deserved a guilty ruling or that it’s a good thing for the industry.

I may still write something, but until then, this essay on the topic is worth reading.

Posted on November 7, 2022 at 6:17 AM13 Comments


George November 7, 2022 7:01 AM

Let’s say this was a public tobacco company who’s CEO purposely hid results its scientists found that their product caused cancer? Or a bank CEO who hid an internal report showing it knew its employees actions harmed the 401k plans of millions of Americans? I could go on, but I am sure you get the point I am making. Of course, these days it seems as though there is no longer any accountability for people at the top but a public company that withholds material information from its customers and regulators should be punished and its leaders held to the letter of the law including jail time. Unfortunately for him, it appears Joe Sullivan does not have the powerful friends too many other public leaders have to help get off the hook.

TimH November 7, 2022 9:04 AM

“Let’s say this was a public tobacco company who’s CEO purposely hid results…” a straw man surely? Sullivan was CSO, not CEO, and so was not the one with final responsibility.

Ted November 7, 2022 10:15 AM

More clarification from the Justice Department would be good. But that bug bounty white hat NDA thing – when 57 million people’s info was exposed – was, eh, creative. A little too creative under the circumstances.

I agree though that regulation by enforcement, rather than clear guidance, would be unnecessarily confusing and anxiety-inducing for many conscientious CSOs.

Quantry November 7, 2022 10:16 AM

What’s more, an “affirmative act of concealment” is the principle way most law enforcement works, especially when its THEIR CRIMES they are failing to apprise themselves of.

Typical Canadian example: ‘ (Lawyer Nathan Muirhead will NEVER have an exhaustive list. He got to lick the tip of the iceberg in that indictment).

“Disclosure Laws” are a fake protection, like grabbing air: ONLY a lever for hate crimes by public officials.

Hate Uber? = Jump on the lever. Hate Muslims? HIDE the lever.

… blah blah blah, endlessly…

Aaron November 7, 2022 1:39 PM

“Exactly ten days after his FTC testimony, Sullivan learned that Uber had been hacked again.”

Flagrant negligence, that is what this is.

Throw out all evidence, the testimony, the data… this alone and in less then two weeks after having cleaned up the last mess, Sullivan plants the seeds of the next catastrophe.

Life is learning from mistakes; then there is Sullivan

Clive Robinson November 7, 2022 2:17 PM

@ Bruce, ALL,

“It’s a complicated case, and I’m not convinced that he deserved a guilty ruling or that it’s a good thing for the industry.”

It also from the public looking in side, a typical witch-hunt and cankeroo-court behaviour by certain federal agencies (FBI & DoJ) of using “old law” outside of thr scope it was formed under, for political gain (which brings in the question of misfeasance).

As such, nomatter who you look at in this case it is way to easy to project a political viewpoint onto what occured and claim XXX did YYY therefor ZZZ should not have happened… And like a door it swings both ways thus one party AAA will say ZZZ should not have happened BBB will say that AAA are wrong and ZZZ, with another group CCC claiming that both AAA and BBB are wrong and the use of legislation to get ZZZ should never have happened.

Ultimately a federal authority decided to attack an individual corporate officer, for what was in all probablity a group decision by company officers, if not board directors, and major shareholders. With the individual being the one left holding the baked potato, because a “company policy” was not implemented correctly.

Reporting of events against a company to authorities has downsides, as it is oft spread across several agencies for various reasons and agency turf wars are legion, wastefull and destructive, but it is rare for agency personnel involved in such behaviours to be brought to account.

Whilst I’ve a belief that officers of “legal persons” be they companies, government agencies and other organisations should be held accountable for the actions of the “legal persons” they enact, we have to take care not to prosecute scape goats “pushed out of the herd”.

It’s a tactic that is dirty but effective, you as a preditor find the least able to defend themselves, then you make it clear to the rest of the herd that you’ve picked your prey and if they get in the way then you will rip their guts out and still go for your prey. The response of the herd is simple, rather than help defend the prey and run down the preditor, they turn and run away from the prey that then gets ripped apart not for what they did, but for the collective actions of the herd. With the herd thinking they are now safe, which of course they are not because the preditor will just come back and “rinse, wash and repeate” untill they get a taste for a new variety of fresh meat. But the fact a preditor has fat pork today and lean goat tommorow, and chicken the day after does not mean they will not get the tast for fat pork the day after that again…

It is clear that the FBI and the DoJ have decided to use old legislation that has fallen into disuse –for good reason– against new targets the framers of such legislation could not have envisioned. As such they are using the camels nose as a battering ram, and trying to force the scope of such legislation beyond it’s framers intent (see FBI-DoJ v. Apple). They get away with such behaviour because there is no downside or penalties for their egregious misuse of taxpayer resources. US law is based on old English law that is “combative” from a time when “legal persons” did not realy exist thus legislation was framed at “natural persons” that had near ewuity in combat. The fact that we have alowed “legal persons” to reach the state they have is unfortunate, but victimizing in very questionable ways “natural persons” for the “legal persons” collective behaviours is not the way to go about redressing the balance, especially as it is only going to be done to one side of any combat.

The result will be that companies will “proceadure up” via policy and the like in the short term, and will effectively “off shore” any risk to their more senior personnel and assets. Putting them out of reach of federal and state legislatures and enforcment organisations. The result will be very bad for the US tax base and the few and decreasing numbers of working citizens in economically productive employment left…

Phillip November 7, 2022 3:45 PM

Any CSO is not, per se, a “whistleblower” for simply reporting, when the CSO has a duty to report. Anyway, the archetypal whistleblower is generally not well-received. Let it be known I am against any bulk-dump, because this is what some are dealing in actual cases. Why do this bulk dump? However, prior to any breach, requiring a CSO to absolutely attest to the veracity of every security jot-and-tiddle is amazingly dumb. No CSO should be forced into it, for any paycheck, because it is absolute nonsense. I cannot “grok” all propriety code on my own system, for example. Much less, poring through every change to any open-source repository. Parse it through, yesterday-reality. Allow us to discuss it.

Tom November 7, 2022 4:58 PM

This is what happens if you hire an Attorney to lead the Cybersecurity. Do you hire a Cybersecurity Engineer to lead a law firm? Plain stupid. Happens only in America who lost all the competitive edge by outsourcing.

Cybersecurity leadership in USA is a joke compared to Europe or China. Most of them are totally unqualified including Sullivan who is just one of those millions of attorneys in this country who obviously has no idea on Security engineering and such foundations. What will an attorney do? Try to cut corners or bend the law or on those lines, which is what they are trained to do and good at any way.

Mat November 7, 2022 5:26 PM

Don’t try to protect your own gang. This is what most professions do especially these useless doctors who in most cases don’t solve the issue yet milk the insurance.

If Uber had a competent CSO with right cybersecurity background (not some random attorney like in this case with bunch of useless certifications), what’s the likelihood of such data breaches? May be the extent of damage would have been far less with right person in charge who understands proper security controls from security engineering perspective.

Israel knows very well how good these American CSOs are!
Talk to them and you will know. Because, they are one of the best when it comes to Cybersecurity competency who are smart and work hard since their childhood to get there. Not some bunch of useless attorneys. Look at their companies. All core technology development happens in Tel Aviv. Only Sales/Marketing/Support such stuff is in the US for obvious reasons. Most don’t even hire tech talent from US because they no majority won’t pass the mark.

Francis Louis Mayer November 9, 2022 4:28 PM

Well it looks as if cybersecurity professionals will need malpractice insurance to cover liability and court costs. The government should have held the company liable as a whole and the entire board should have been punished. Focusing on one person will cause the problem to persist because you will still have the executive leadership think that they can get away with things by making one executive the scape goat. I see many points about how people do not like the prosecution of this case but then where were the defense attorneys? Please note that a Federal Jury found this man guilty as charged and that there is an appeal process as well, so the system provides protections. Executives are among the elite so they have the legal defense teams that the average person can only dream about. Based on these facts, I feel that the case sets the tone of corporate governance that covering things up and obstructing investigations is unacceptable as they really should be in law. People really need to read this outstanding analysis of the case NOTE “Sullivan, who once served as a federal cybercrime prosecutor in the U.S. Attorney’s Office that is prosecuting him.” This key point must not be overlooked; he was well aware of his exposure and did it anyway.

Nick Levinson November 22, 2022 7:53 AM

The other side needs reporting. The linked-to article covers one side better, but U.S. law is practiced adversarially and the executive likely had compensation sufficient for hiring a good lawyer and this executive likely had good legal advice and turns up guilty anyway. I’d want to know more about misprision and this case from the government’s viewpoint and what relevant precedential case law says.

Some people are mandatory reporters, e.g., social workers may be required to report child abuse, depending on State law. But jaywalkers usually don’t have to be reported by passersby.

More on the elements of misprision according to the 9th Circuit Federal appellate court: a commentary by a law firm and a court opinion, but this isn’t complete research or necessarily the latest.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.