If nothing else, the guilty verdict delivered Wednesday in a case involving Uber's former security head will have this effect on how breaches are handled in the future: Executives and boards, according to information security veteran Michael Hamilton, will be "a whole lot less likely to cover things up."
Following the conviction of former Uber chief security officer Joe Sullivan, "we likely will get better voluntary reporting" of cyber incidents, said Hamilton, formerly the chief information security officer of the City of Seattle, and currently the founder and CISO at cybersecurity vendor Critical Insight.
The 2016 Uber breach involved the theft of data on 57 million Uber users as well as 600,000 driver's license numbers. Prosecutors say Sullivan took a number of steps to hide the incident from regulators, including paying the attacker $100,000 under the auspices of Uber's bug bounty program to keep quiet about the incident. Sullivan was convicted by a federal jury of "obstruction of proceedings" of the FTC, which was investigating Uber at the time, and of failure to report a felony.
Reducing the incentives for cover-ups is not a bad thing, of course. But the fact that a CSO may be sent to prison in the wake of a breach, regardless of the circumstances, has sent shockwaves through the world of information security professionals.
"This case has set a terrible precedent that creates confusion around who should take liability for decisions during an incident response event," said Sounil Yu, CISO at cybersecurity vendor JupiterOne.
In essence, it reinforces the unfair but long-running practice of blaming the CISO when things go wrong on security, when oftentimes it's a result of lack of investment by the very same people doling out the blame.
The verdict's effect on top executives, however, may still end up being the same: It's clear now that execs can be punished with something as severe as a prison sentence for how they respond to a breach.
"I think this is a shot over the bow of getting executives to wake up and realize [regulators] are serious about this," Hamilton said.
The DOJ news release announcing Sullivan's conviction says as much: "We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users," U.S. Attorney Stephanie Hinds said in the release.
But again, it's not just any executive who is being held personally liable for the handling of this breach.
Certainly, Sullivan had a choice about whether to cover up a massive breach. But when a breach occurs, many people in the security community believe that it no longer makes sense — given the intensification of cyberthreats — for the responsibility to fall totally on the shoulders of the CISO. Especially not if potential jail time is now on the table.
Debates over cyber incident reporting have already been a major feature of 2022 for the security community and, more broadly, the private sector as a whole. A number of federal proposals that would mandate reporting of major cyberattacks have been brought forward this year, most prominently, a proposed SEC rule for publicly traded companies and a Congress-led initiative, now in the hands of CISA, to require incident reporting by critical infrastructure providers.
The SEC proposal has been widely criticized by industry, while the critical infrastructure proposal, which still has a lot of specifics to be ironed out, has received less debate so far. What the two proposals have in common is that they would normalize reporting of major cyberattacks to a greater degree than we've had so far.
Part of the problem in the Uber breach response was that Sullivan and the other individuals involved thought they had a choice in the matter: They believed they could choose to not report it, and that if they were sneaky enough, then they wouldn't get caught.
The current cyber incident reporting proposals from the federal regulators — especially the proposed SEC rules, which would make incident disclosures public — would seem aimed at wiping out this mentality that no doubt still persists at many companies.
The other thing these regulations might remove, in theory, is the idea that all of the responsibility and liability for a breach is on the CISO.
"National breach notification requirements could allay some of these concerns," said Rick Holland, CISO and vice president of strategy at cybersecurity vendor Digital Shadows. "However, CISOs could still be at risk for perceptions around the security program that led to the breach itself."
Still, if cyber incident reporting becomes mandatory, every organization covered by the rules will know exactly what is on the line if they fail to report an incident, and that the consequences will affect the whole organization.
"It's a formal, legal way of saying, 'This isn't all on the CISO,'" said Padraic O'Reilly, co-founder and chief product officer at cybersecurity vendor CyberSaint. The regulations make clear that a company's board and C-suite "can't isolate itself from this aspect of running the business," O'Reilly said.
