[BreachExchange] It’s never the data breach -- it’s always the cover-up

Destry Winant destry at riskbasedsecurity.com
Mon Aug 31 10:20:19 EDT 2020


https://www.zdnet.com/article/its-never-the-data-breach-its-always-the-cover-up/

The felony charges levied against Uber's former CSO paint him as
actively masterminding and executing a plan to cover up a major data
breach. This serves as a reminder that CSOs and CISOs must consider
how decisions made in the moment can be interpreted, construed, or
proven to be criminal after the fact.

The obstruction of justice and misprision of a felony charges levied
against Joseph Sullivan, former Uber chief security officer (CSO),
sent shock waves through the cybersecurity community. CSOs and chief
information security officers (CISOs) rightfully wondered what these
charges mean in terms of their own culpability for decisions made on
the job.

CSOs and CISOs handle sensitive data, make difficult decisions, and
consider their responsibility to the company and its shareholders when
making those decisions. Legal, regulatory, and privacy issues also
feature heavily in these decisions.

The narrative in the charging documents (Note: This is not yet a
criminal indictment) issued by the FBI against Uber's former CSO
(Sullivan) paints him as actively masterminding and executing a plan
to cover up a major data breach, obstruct federal regulators, and
conceal activity from senior executives.

THE CASE AGAINST UBER

A data breach in 2014 exposed the records of 50,000 Uber drivers. In
2016, the Federal Trade Commission (FTC) investigated Uber for the
2014 data breach. Approximately 10 days after Sullivan provided sworn
testimony to the FTC, he learned of a second data breach involving
similar records but on a much larger scale. This time, the breach
included millions of records. Uber and Sullivan cooperated with
investigators, and the hackers were caught and charged.

According to the charging document, Sullivan, former Uber CEO Travis
Kalanick, and others took the following steps after learning of the
2016 data breach:

1. They confirmed the data was real.

2. Sullivan modified an existing bug bounty program to pay a ransom to
   keep the hackers from exposing the data breach publicly.

3. The bounty amount paid was 10 times higher than the maximum of the
   existing bug bounty program, and the breach type and records were
   also not covered by the existing bug bounty program.

4. Sullivan required that the hackers sign a non-disclosure agreement
   (NDA), another change to the existing bounty program.

5. Sullivan did not mention the 2016 hack to the FTC.

6. Sullivan did not fully explain the data breach to the new Uber CEO
   in 2017.

Note that Sullivan is not charged for the first four. Instead, these
are being used as supporting evidence for the charges of obstruction
of justice and misprision of a felony.

THE OTHER SIDE OF THE STORY

In November 2016, Uber learned of a data breach. Hackers threatened to
expose the stolen data. Uber paid a ransom to the hackers under its
bug bounty program and made the hackers sign NDAs to avoid the breach
becoming public knowledge.

Sullivan did not inform the FTC during the sworn investigative hearing
because he couldn't have: Sullivan learned of the 2016 breach 10 days
later. To inform the FTC, Sullivan would have needed to reach out and
inform them about a separate, new, but similar breach. There's also
some confusion as to whether Sullivan was under any legal obligation
to do so.

Sullivan briefed the new CEO in 2017 but did not provide the details
necessary for the new executive. This is not necessarily surprising
since communication between senior security leaders and senior
executives remains a challenge.

This version of the facts matches the case laid out in the charging
documents but does so by examining the decisions without viewing them
as linked to criminal activity. If this case goes to trial, Sullivan's
attorneys will have a chance to offer their own version of events.

Sullivan is innocent until proven guilty. But regardless of the
outcome, for CISOs, there's a critical lesson here. You must consider
how decisions made in the moment can be interpreted, construed, or
proven to be criminal after the fact.

WHAT SHOULD CISOS TAKE AWAY FROM THE CHARGES?

Here's what senior security leaders should know and understand about
these events:

This is a warning to CSOs and CISOs: Remove all sense of impropriety
in incident response (IR). Concealing a data breach is illegal. Every
decision made during an incident might be used in litigation and will
be scrutinized by investigators. In this case, it has also led to
criminal charges filed against a well-known security leader. If your
actions seem to conceal rather than investigate and resolve a data
breach, expect consequences.

Neither the ransom nor the bug bounty is at issue here. Paying the
ransom through the bug bounty is alleged to have helped conceal the
breach. Firms should develop a digital extortion policy, so that there
are no allegations of impropriety should they choose to pay a ransom.
In addition, the guidelines of your bug bounty program should not be
altered on the fly to facilitate activities outside the bug bounty
program.

Work closely and openly with senior leadership on breaches and issues
of ransom. Sullivan tried to get the hackers to sign non-disclosure
agreements -- a legal document between two legitimate entities
effectively acknowledging the hackers as business entities -- which
allowed Uber to treat the hackers as third parties. Treating the
ransom as a "cost of doing business" helped them conceal the payment
from the management team as well. The charging documents state that
only Sullivan and Kalanick were aware of the payment and the way it
was routed through the bug bounty program. No other senior leaders
were involved.

It's the CISO's job to make leadership understand the importance of
cybersecurity. Often CISOs and other security and risk leaders will
note that it's hard to make board members and CEOs understand the
technical points around cybersecurity and breaches. While that is most
certainly true and understandable, it's not a valid reason to allow
for failures. If the board doesn't understand, the CISO must make them
understand, even if they have to whiteboard the issue. Make them
understand. Failure is not an option.

The CISO job can be high risk, high reward; take steps to protect
yourself. Burnout is a very real concern, while other risks can
include legal liability on the job and becoming a scapegoat. If you
have the ability to negotiate, consider a rider to the company's
corporate director and officer liability insurance policy, which
offers you coverage, or have your CISO position added as an officer to
the company's bylaws, which offers you the same indemnification as
other C-level officer positions. Ever hear of golden parachute clauses
for executives? CISOs can have golden bullet clauses.
