SAN FRANCISCO — A former chief security officer for Uber was convicted Wednesday of federal charges stemming from payments he quietly authorized to hackers who breached the ride-hailing company in 2016.
The verdict ended a dramatic case that pitted Sullivan, a prominent security expert who was an early prosecutor of cybercrimes for the San Francisco U.S. attorney’s office, against his former government office. In between prosecuting hackers and being prosecuted, Sullivan served as the top security executive at Facebook, Uber and Cloudflare.
Judge William H. Orrick did not set a date for sentencing. Sullivan may appeal if post-trial motions fail to set the verdict aside.
“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been ensuring the safety of people’s personal data on the internet,” Sullivan attorney David Angeli said after the 12-member jury rendered its unanimous verdict on the fourth day of deliberations.
Even without Sullivan’s job history, the trial would have been closely watched as the first major criminal case brought against a corporate executive over a breach by outsiders.
It also may be one of the last: In the five years since Sullivan was fired, payoffs to extortionists, including those who steal sensitive data, have become so routine that some security firms and insurance companies specialize in handling the transactions.
“Paying out the ransom I think is more common than we’re led to believe. There is an attitude that’s similar to a fender bender,” said Michael Hamilton, founder of security firm Critical Insight.
FBI leaders, while officially discouraging the practice, have said they will not pursue the people and companies that pay ransoms if they don’t violate sanctions prohibiting payments to named criminal groups especially close to the Russian government.
“This case will certainly make executives, incident responders and anybody else connected with deciding whether to pay or disclose ransom payments think a little harder about their legal obligations. And that’s not a bad thing,” said Brett Callow, who researches ransomware at security firm Emsisoft. “As is, too much happens in shadows, and that lack of transparency can undermine cybersecurity efforts.”
Most security professionals had been anticipating Sullivan’s acquittal, noting that he had kept the CEO and others who were not charged informed of what was happening.
“Personal liability for corporate decisions with executive stakeholder input is a new territory that’s somewhat uncharted for security executives,” said Dave Shackleford, owner of Voodoo Security. “I fear it will lead to a lack of interest in our field, and increased skepticism about infosec overall.”
John Johnson, a “virtual” chief information security officer for multiple companies, agreed. “Your company leadership could make choices that can have very personal repercussions to you and your lifestyle,” he said. “Not saying everything Joe did was right or perfect, but we can’t bury our head and say it will never happen to us.”
Prosecutors argued in Sullivan’s case that his use of a nondisclosure agreement with the hackers was evidence that he participated in a coverup. They said the break-in was a hack that was followed by extortion as the hackers threatened to publish the data they took, and so it should not have qualified for Uber’s bug bounty program to reward friendly security researchers.
But the reality is that as the hacking of corporations has gotten worse, the way companies have dealt with it has moved far past the letter of the law when Sullivan was accused of breaking it.
Bug bounties usually require nondisclosure deals, some of which last forever.
“Bug bounty programs are being misused to hide vulnerability information. In the case of Uber, they were used to cover up a breach,” Katie Moussouris, who established a bug bounty program at Microsoft and now runs her own vulnerability resolution company, said in an interview.
The case against Sullivan started when a hacker emailed Uber anonymously and described a security lapse that allowed him and a partner to download data from one of the company’s Amazon repositories. It emerged that they had used a stray digital key Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of data on more than 50 million Uber riders and 600,000 drivers.
Sullivan’s team steered them toward Uber’s bounty program and noted that the top payout under it was $10,000. The hackers said they would need six figures and threatened to release the data.
A protracted negotiation ensued that ended with a $100,000 payment and a promise from the hackers that they had destroyed the data and would not disclose what they had done. While that looks like a coverup, testimony showed that Sullivan’s staff used the process to get clues that would lead them to the real identities of the perpetrators, which they felt was necessary leverage to hold them to their word. The two were later arrested and pleaded guilty to hacking charges, and one testified for the prosecution in Sullivan’s trial.
The obstruction charge drew strength from the fact that Uber at the time was nearing the end of a Federal Trade Commission investigation following a major 2014 breach.
A charge of actively hiding a felony, or misprision, could also apply to many of the corporate chiefs who send bitcoin to overseas hackers without telling anyone else what happened. While the number of those hush-ups is impossible to get, it is clearly a large figure. Otherwise, federal officials would not have pressed for recent legislation that will require ransomware notifications from critical infrastructure victims to the Cybersecurity and Infrastructure Security Agency.
The Securities and Exchange Commission is also pushing for more disclosure. The conviction stunned corporate security and compliance leaders and will rivet their attention on the details of those rules.
The case against Sullivan was weaker in some respects than one might expect from a trial aimed at setting a precedent.
While he directed the response to the two hackers, many others at the company were in the loop, including a lawyer on Sullivan’s team, Craig Clark. Evidence showed that Sullivan told Uber’s then-chief executive, Travis Kalanick, within hours of learning about the threat himself, and that Kalanick approved Sullivan’s strategy. The company’s chief privacy lawyer, who was overseeing the response to the FTC, was informed, and the head of the company’s communications team had details as well.
Clark, the designated legal lead on breaches, was given immunity to testify against his former boss. On cross-examination, he acknowledged advising the team that the attack would not have to be disclosed if the hackers were identified, agreed to delete what they had taken and could convince the company that they had not spread the data further, all of which eventually came to pass.
Prosecutors were left to challenge “whether Joe Sullivan could have possibly believed that,” as one of them put it in closing arguments Friday.
Sullivan’s attorney Angeli said that the real world functioned differently from bug bounty ideals and the policies laid out in company manuals.
“At the end of the day, Mr. Sullivan led a team that worked tirelessly to protect Uber’s customers,” Angeli told the jury.
After Kalanick was forced out of the company for unrelated scandals, his successor, Dara Khosrowshahi, came in and learned of the breach. Sullivan depicted it to him as a routine payoff, prosecutors said, editing from one email the amount of the payoff and the fact that the hackers had obtained unencrypted data, including phone numbers, on tens of millions of riders. After a later investigation turned up the full story, Khosrowshahi testified, he fired Sullivan for not telling him more, sooner.
Eager to show that it was operating in a new era, the company helped the U.S. attorney’s office build a case against Sullivan. And the prosecutors in turn unsuccessfully pressed Sullivan to implicate Kalanick, who would have been a far bigger prize but was not damned by the surviving written evidence, according to people familiar with the process.
Bug bounties were never meant to offer as much money to hackers as criminals or governments would pay. Instead, they were designed to offer some cash to those already inclined to stay above board.
But the companies are the ones paying the bill even when the programs are run by outside vendors such as HackerOne and Bugcrowd. Disputes between the researchers reporting the security holes and the companies with the holes are now common.
The two sides differ over whether a bug was “in scope,” meaning inside the areas where the company said it wanted help. They differ over how much a bug is worth, or if it is worthless because others had already found it. And they differ over how, or even if, the researcher can disclose the work after the bug has been fixed or the company opts not to change anything.
The bounty platforms have arbitration procedures for those disputes, but since the companies are footing the bill, many hackers see bias. Too much protesting, and they get booted from the platform entirely.
“If you're hacking on a bug bounty program for the love of hacking and making security better, that's the wrong reason, because you have no control over whether a company decides to patch in a timely matter or not,” said John Jackson, a researcher who cut back on his bounty work and now sells vulnerability information when he can.
Casey Ellis, founder of Bugcrowd, acknowledged that some companies use bounty programs to hush up problems that should have been disclosed under state or federal rules.
“That’s definitely a thing that happens,” Ellis said.
Ransomware attacks were rare when Sullivan was charged, growing dramatically in the years that followed to become a threat to U.S. national security.
The techniques in those attacks have also shifted.
At the beginning of 2020, most ransomware merely encrypted files and demanded money for the key to unlock them. By the end of that year, most ransom attacks included the outright theft of files, setting up a second ransom demand to prevent their public release, according to a 2021 report by the Ransomware Task Force, an industry-led group that includes representatives from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, and the Secret Service.
More recently, cryptocurrency exchanges have been robbed and then negotiated to give massive payments to get those funds back, a freewheeling practice bearing little resemblance to traditional bounties.
“Especially over the past six months in the crypto space, the model is ‘build it until we get hacked, and we’ll figure it out from there,’ ” said Ellis.
As average payouts zoomed past Sullivan’s, into the hundreds of thousands of dollars, more businesses turned to insurance companies for predictability.
But often, the insurance companies reasoned it was cheaper to pay than to cover the damage from lost files. Some paid regularly, ensuring steady earnings for the gangs.
Making payments illegal, as some have proposed, would not actually stop them, the FBI has said. It would instead give the extortionists yet another club to hold over their victims after payment is made.
At least so far, Congress has agreed, declining to ban the transactions. Which means that deals like Sullivan’s will continue to happen every week.
Will all of them be disclosed when required under state laws or federal consent decrees? Probably not.
But don’t expect those who hush things up to end up in handcuffs.