The Uber verdict shows why mandatory disclosure maybe isn't such a bad idea

The conviction of Uber's former chief security officer, Joe Sullivan, seems likely to change some minds in the debate over proposed cyber incident reporting regulations.

Executives and boards will now be "a whole lot less likely to cover things up," said one information security veteran.

If nothing else, the guilty verdict delivered Wednesday in a case involving Uber's former security head will have this effect on how breaches are handled in the future: Executives and boards, according to information security veteran Michael Hamilton, will be "a whole lot less likely to cover things up."

Following the conviction of former Uber chief security officer Joe Sullivan, "we likely will get better voluntary reporting" of cyber incidents, said Hamilton, formerly the chief information security officer of the City of Seattle, and currently the founder and CISO at cybersecurity vendor Critical Insight.

The 2016 Uber breach involved the theft of data on 57 million Uber users as well as 600,000 driver's license numbers. Prosecutors say Sullivan took a number of steps to hide the incident from regulators, including paying the attacker $100,000 under the auspices of Uber's bug bounty program in exchange for keeping quiet about the incident. Sullivan was convicted by a federal jury of obstructing an FTC proceeding (the FTC was investigating Uber's data security practices at the time) and of failing to report a felony, the charge known as misprision of a felony.

Reducing the incentives for cover-ups is not a bad thing, of course. But the fact that a CSO may be sent to prison in the wake of a breach, regardless of the circumstances, has sent shockwaves through the world of information security professionals.

"This case has set a terrible precedent that creates confusion around who should take liability for decisions during an incident response event," said Sounil Yu, CISO at cybersecurity vendor JupiterOne.

In essence, it reinforces the unfair but long-running practice of blaming the CISO when things go wrong on security, when oftentimes it's a result of lack of investment by the very same people doling out the blame.

The verdict's effect on top executives, however, may still end up being the same: It's clear now that execs can be punished with something as severe as a prison sentence for how they respond to a breach.

"I think this is a shot over the bow of getting executives to wake up and realize [regulators] are serious about this," Hamilton said.

The DOJ news release announcing Sullivan's conviction says as much: "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users," U.S. Attorney Stephanie Hinds said in the release.

But again, it's not just any executive who is being held personally liable for the handling of this breach.

Certainly, Sullivan had a choice about whether to cover up a massive breach. But when a breach occurs, many people in the security community believe that it no longer makes sense — given the intensification of cyberthreats — for the responsibility to fall totally on the shoulders of the CISO. Especially not if potential jail time is now on the table.

Debates over cyber incident reporting have already been a major feature of 2022 for the security community and, more broadly, for the private sector as a whole. A number of federal proposals that would mandate reporting of major cyberattacks have been brought forward this year, most prominently a proposed SEC rule for publicly traded companies and a Congress-led initiative, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), now in the hands of CISA for rulemaking, that would require incident reporting by critical infrastructure providers.

The SEC proposal has been widely criticized by industry, while the critical infrastructure proposal, which still has a lot of specifics to be ironed out, has received less debate so far. What the two proposals have in common is that they would normalize reporting of major cyberattacks to a greater degree than we've had so far.

Part of the problem in the Uber breach response was that Sullivan and the other individuals involved thought they had a choice in the matter: They believed they could choose to not report it, and that if they were sneaky enough, then they wouldn't get caught.

The current cyber incident reporting proposals from the federal regulators — especially the proposed SEC rules, which would make incident disclosures public — would seem aimed at wiping out this mentality that no doubt still persists at many companies.

The other thing these regulations might remove, in theory, is the idea that all of the responsibility and liability for a breach is on the CISO.

"National breach notification requirements could allay some of these concerns," said Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows. "However, CISOs could still be at risk for perceptions around the security program that led to the breach itself."

Still, if cyber incident reporting becomes mandatory, every organization covered by the rules will know exactly what is on the line if they fail to report an incident, and that the consequences will affect the whole organization.

"It's a formal, legal way of saying, 'This isn't all on the CISO,'" said Padraic O'Reilly, co-founder and chief product officer at cybersecurity vendor CyberSaint. The regulations make clear that a company's board and C-suite "can't isolate itself from this aspect of running the business," O'Reilly said.
