Uber ex-CSO Joe Sullivan: We need security leaders running to work, not giving up

Joe Sullivan – the now-former Uber chief security officer who was found guilty of covering up a theft of data from Uber in 2016 – remembers sitting down and thinking through the worst-case scenarios he faced following that guilty verdict in 2022. Federal prosecutors wanted to jail Sullivan for 15 months for his role in the …

  1. HuBo
    Windows

    The ChiCSO[*] puzzle

    Interesting trajectory ... not yet super-uplifting for folks interested in CISO-like positions, but given time (no pun intended), maybe a presidential pardon (in view of key contributions to American society -- cyber-bullying, suicide prevention, National commissions ...), this could develop into a textbook case study on the historical development of cybersecurity legislation (including friendly fire incidents) as well as something quite inspirational that will, retrospectively, have involved overcoming adversity.

    Whoevernot, in government, will probably want to pen a "Sullivan" (or other) Bill aimed at clarifying data breach reporting responsibilities (CEO? CSO? CISO? Legal Dept.? ...), especially when the breach was resolved by cash, if I understood well (non-expert here).

    ([*] ChiCSO is for Chief Cyber-Security Officer; meant to rhyme with jigsaw)

  2. Anonymous Coward
    Boffin

    What Caused the Uber Data Breach in 2022?

    The Uber data breach began with a hacker purchasing stolen credentials belonging to an Uber employee from a dark web marketplace. An initial attempt to connect to Uber’s network with these credentials failed because the account was protected with MFA. To overcome this security obstacle, the hacker contacted the Uber employee via WhatsApp and, while pretending to be a member of Uber’s security, asked the employee to approve the MFA notifications being sent to their phone.

    How did these credentials end up on the dark web?
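    The comment above describes the attack chain: the password check passes with the purchased credentials, so the only obstacle left is getting one push prompt approved. As an added example that is not part of the article or of any comment in this thread, here is a small detector over constructed MFA log lines (the log format, field names, IP addresses and thresholds are all assumptions) that flags an approval arriving after a burst of denied or timed-out prompts for the same account:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data). Assumed line format:
# <ISO-8601 UTC timestamp> user=<id> event=<mfa_push_*> ip=<client address>
# Two accounts: alice receives four prompts in 40 minutes, rejects or ignores
# three, then approves the fourth; bob gets one prompt and approves it at once.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-09-15T21:02:41Z user=alice event=mfa_push_timeout ip=203.0.113.7
2022-09-15T21:03:05Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-09-15T21:03:35Z user=alice event=mfa_push_denied ip=203.0.113.7
2022-09-15T21:04:10Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-09-15T21:04:40Z user=alice event=mfa_push_timeout ip=203.0.113.7
2022-09-15T21:41:02Z user=alice event=mfa_push_sent ip=203.0.113.7
2022-09-15T21:41:20Z user=alice event=mfa_push_approved ip=203.0.113.7
2022-09-15T21:10:00Z user=bob event=mfa_push_sent ip=198.51.100.4
2022-09-15T21:10:09Z user=bob event=mfa_push_approved ip=198.51.100.4
"""

REJECTED = ("mfa_push_denied", "mfa_push_timeout")


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_push_fatigue(events, window=timedelta(minutes=60), min_prompts=3):
    """Return one alert per approval that follows at least `min_prompts`
    prompts, of which at least one was denied or timed out, inside `window`.
    A single prompt followed by a quick approval is normal and not flagged."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "mfa_push_approved":
                continue
            recent = [x for x in evs[:i] if e["ts"] - x["ts"] <= window]
            sent = sum(1 for x in recent if x["event"] == "mfa_push_sent")
            rejected = sum(1 for x in recent if x["event"] in REJECTED)
            if sent >= min_prompts and rejected >= 1:
                alerts.append({"user": user, "approved_at": e["ts"],
                               "prompts": sent, "rejected": rejected,
                               "ip": e["ip"]})
    return alerts


if __name__ == "__main__":
    # Expected: a single alert for alice (4 prompts, 3 rejected), none for bob.
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"push-fatigue suspect: user={alert['user']} prompts={alert['prompts']} "
              f"rejected={alert['rejected']} approved_at={alert['approved_at']:%H:%M:%S} "
              f"ip={alert['ip']}")
```

    The alert is a trigger for a verification call to the user and a session review, not proof of compromise; MFA methods that require the user to type a number shown on the login screen remove the "just tap approve" path this rule looks for.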

    1. doublelayer Silver badge

      Re: What Caused the Uber Data Breach in 2022?

      It's a good question, but probably not one we can guarantee getting an answer to. It could have been password reuse, and because the email ended in @uber.com the person with the database sold it as having access (tested or not). It could have been a computer with malware on it which keylogged someone as they logged in. It could even be the employee selling it themselves or a colleague selling their coworker's credentials that they shoulder-surfed. The problem is that, although maybe we could figure out the answer in this case, there are lots of cases possibly including this one where that answer has been lost and was never known by any of the people who might want to prevent such a thing happening again.

    2. ecofeco Silver badge

      Re: What Caused the Uber Data Breach in 2022?

      How did these credentials end up on the dark web?

      Have you ever met users? It's no Sherlock Holmes mystery.

      Users are always, always, ALWAYS your weakest link. Second is your vendors.

      1. fnusnu

        Re: What Caused the Uber Data Breach in 2022?

        Anyone who calls users "the weakest link" is an idiot who should be nowhere near information security in any way, shape or form.

        1. xXShifty51Xx

          Re: What Caused the Uber Data Breach in 2022?

          Okay, enlighten us, instead of calling people idiots. What is the weakest link in security?

    3. ChoHag Silver badge
      Facepalm

      Re: What Caused the Uber Data Breach in 2022?

      The credentials of a person who accepts an MFA request to something he's not logging in to because a random stranger on WhatsApp asked him to? On the dark web?

      Nope. Truly no idea how they got there.

  3. Khaptain Silver badge

    CISO at the edge

    All CISOs are continually walking on a very thin tightrope.

    The problem they have is what they don't know...

    They don't know if the hack will be internal or external.

    They don't know when it will happen.

    They don't know the why, what the hacker's objective is.

    They don't know the method that will be employed.

    Some legacy systems are almost impossible to secure.

    This makes for a very difficult job indeed.

    It's not just a case of protecting data, it's also a case of understanding your data, where it is, who has access, what it is for etc., which is far from obvious in large companies. And all of these points are possible entry points.

    Personally nothing motivates me to go anywhere near that role. Those above don't want to pay, those below have other things to do.

    It takes a lot of courage to step up to that post and fully assume the consequences. You need to have your feet very firmly on the ground.

    1. ecofeco Silver badge

      Re: CISO at the edge

      All this and a baby's hand holding an apple.

      Exactly.

    2. Doctor Syntax Silver badge

      Re: CISO at the edge

      "Those above don't want to pay"

      They also don't want any security processes to apply to themselves.

  4. CowHorseFrog Silver badge

    No...

    what we need is to eliminate all the fake CXXX people who think they are important because they give themselves titles starting with C and have basically no technical skills of any kind. We also need to make them REALLY responsible for breaches. If they are the cause of WHY a breach happened because they are clueless idiots, they need to go to jail for a long time. This will eliminate all the obvious fakes, and should reduce problems a bit, like how surgeons need qualifications and are actually liable for mistakes.

    1. doublelayer Silver badge

      That is how you guarantee that you won't get someone with technical skills. If you go to jail if anything bad happens, why should you sign up to be responsible for security? Much better to be the person below that, who actually tries to work on security, but make sure you have a scapegoat as the boss in case you fail. You might fail because you don't have the budget. You might fail because your subordinates aren't capable. You might fail because you, personally, are incompetent. But as long as there's a scapegoat above you, who cares?

      In any disaster, people rush to find who is to blame. They don't want to go through the long process to figure out what should have been done differently at any level. They just want one person who can get all the responsibility and to see them punished. They most importantly want to make sure it's not them, so they set one up. That's what you have just called for as well.

      The problem is that you won't fix anything if you do that. One CSO who doesn't know what they're doing goes to prison (by the way, the reason he was charged isn't exactly this, so I'm speaking in general). The people who didn't secure it are still there. The people who didn't support them are still there. You've removed one link in the middle, a link that was at most incompetent, and you think that will help. They'll find someone else to be a link in the middle in case it happens again, or they'll just continue on without one. Anyone who knows what they're doing won't volunteer to be that link, so there won't be any benefit during that period before the next breach. But people will feel nice that someone was punished.

      1. CowHorseFrog Silver badge

        doublelayer: That is how you guarantee that you won't get someone with technical skills

        cow: the medical industry and pilots are examples where credentials and skills are checked. Sure they aren't perfect but they are a lot better than the zero we get from cxx.

        doublelayer: If you go to jail if anything bad happens, why should you sign up to be responsible for security?

        cow:

        Way to bullshit and generate words i never said.

        People make mistakes, but there's a big difference between a fraud who can't fly a plane and bad shit happens and a pilot who can and makes mistakes. I hope I don't have to expand on why the former case should not be acceptable.

        Corporate leaders are the former, they clearly do not understand the things they are supposedly "taking care of"...

        1. doublelayer Silver badge

          I'm not sure this is worth arguing, but I'll try at least once.

          For starters, you claim that I am misrepresenting you when I said "If you go to jail if anything bad happens, why should you sign up to be responsible for security?"

          I got this from this statement from you:

          "We also need to make them REALLY responsible for breaches. If they are the cause of WHY a breach happened because they are clueless idiots, they need to go to jail for a long time."

          That seems like a clear call for punishing them with prison time. In my opinion, that is a serious enough punishment that people won't want to be in that position if they know what they're doing. The CSO is, by definition, responsible for the company's security state, and they will inevitably get blamed, at least in part, for any negative event that occurs while they're there. That's not necessarily the wrong thing to do, as quite often, they do have some responsibility. They are not omnipotent, however, and anyone with skills will understand that no level of competence on their part will eliminate the risks. You need a lot to outweigh the risks of "go[ing] to jail for a long time", and a lot of people who know what they're doing won't take that risk.

          "the medical industry and pilots are examples where credentials and skills are checked. Sure they aren't perfect but they are a lot better than the zero we get from cxx."

          Neither demonstrates the point. Pilots have to be licensed. Doctors have to be licensed. The person who tells the pilots where and when to go does not need to be a pilot. Hospital administrators don't need to be doctors. It's also irrelevant to the point about punishments and responsibility. If you're calling for a licensing test for security workers, that's a separate issue that we could discuss, but using your examples, the person managing the pilot generally isn't the one punished if a pilot flies incorrectly and crashes, nor are they if the finance department has cut down on maintenance to the extent that the plane crashes. If that guy was the one to be punished in both scenarios, you wouldn't find many people willing to be that guy, and the problem would not be solved because bad pilots and bad maintenance would both be very cheap to everyone doing it, because all the cost is paid by that guy. If you want these to stop, you have to actually figure out who is responsible with the chance that it is a small amount each for lots of people. A license check won't do it. Lots of punishments when you find a scapegoat you're happy enough with won't do it either.

    2. ecofeco Silver badge
      Meh

      Normally I would say this is rather naive and overly broad blaming, but then I look at the data, networks and overall info structure of the companies, both large and small, I've worked for and see it's all FUBAR from the ground up and it was deliberately made that way.

      Malfeasance at every level and the plebes had no say in it as it was ordained by the High Executives Lords of Boards.

      You know, we need a corporate crook icon here. ----------------------------------------->>>

      1. CowHorseFrog Silver badge

        Like most people you can't grasp the concept for more than one level.

        The reason the bums at the bottom are useless and make mistakes is because they were hired by idiot managers. Those idiot managers were in turn hired by another layer of idiots. It's idiots all the way down and up.

    3. Our Lord and Savior Rahl

      As someone who is a safe distance from the C Suite but has worked with many and varied over the years, I would much rather have somebody at that level who lacks some of the technical skills but has justified trust in the people who he puts beneath him, but knows how to handle the rest of the board and manage people. Those have been the ones I've considered good.

      I've worked with plenty of C level guys who are far better at the technical roles than I am, and they get mired in the weeds, lose the big picture, and fail to bat away all the BS coming from the board and foster a hideous work culture while standing over your shoulder saying "Do this thing this way, actually just let me do it".

      The good ones are hardly ever there, because they're constantly pushing your agenda at the board, dealing with the many and varied HR issues that plague most good IT departments (because let's be honest, we're not typically the best "people-people"), and making sure everything we suggest as important is put forward as their view and a redline so it gets through even when it's difficult.

      Technical Skills / Leadership Skills / Management Skills are not one and the same.

      So with respect, I disagree. As a humble lead engineer ;)

      Well, I partially disagree; I definitely agree that there's a place where they should at least understand what it is their team is trying to do and be willing to put the time in to learn where it is relevant.

      It's like a ship: the captain knows how the engines work, the rules of the sea, and how to navigate. But he doesn't steer the ship, fix the engines, and empty the toilets; he's busy making sure all those teams work together and don't step on each other's toes. Or he should be.

      1. CowHorseFrog Silver badge

        ourLord: Technical Skills / Leadership Skills / Management Skills are not one and the same.

        cow: Here we go, another example of the brainwashed repeating words that have no meaning ...

        What exactly does leadership mean?

        How can a person teach or lead if they don't understand anything in the first place?

        Same q this time for management skills?

        How can a manager manage a team if they have no idea of exactly what is being done by their team? How can they judge what to put effort towards, or what to improve (aka security) if they have no understanding of how it all works?

    4. Bebu Silver badge
      Windows

      CXXX people?

      Normally I would expect uniform substitution for the Xs so perhaps CXYZ or CHAG?

      I gather the gist of this chap's offence was that he attempted to conceal the breach rather than any incompetence on his or his minion's part.

      So I guess as a C-suite creature you can still be abysmally incompetent and fail miserably without the risk of prosecution as long as you are candid about your phenomenal shortcomings.

      Boris Johnson the past master of the spectacular fuck up followed by the sheepish smirk is the perfect role model.

  5. Pascal Monett Silver badge
    Windows

    How credible

    The guy convicted for not doing his job calls for people to do the job.

    Look, I'm glad he has seen the light and walked the path of redemption, but maybe we can avoid making a media darling out of him?

    What's the possibility that he damn well knows he's never going to get another job like that, so he's just milking the media circuit for all he can?

    Next stop: his book on How I Found Security, complete with multiple seminars where he explains the pain he's been through and how you absolutely should buy his book.

    Along with talk shows and conventions where he is "invited" (with a large check) to talk about his "experience".

    What? Me? Cynical? Why do you ask?

    1. itsthemonkey

      Re: How credible

      Well said! Sadly these "meeja daahlings" know what they are doing, know what makes a good soundbite, and therefore get the coverage.

      I just saw a "tech expert" giving advice about the HUUUUUUGE risk of using public USB charging ports at airports etc, saying that they will ALL compromise your phone. Dig a little deeper and it turns out they are not a tech expert... they sell phone cases and chargers with no relevant experience or qualifications to make any such claims.

      I was once told by a mechanic that you should never listen to free advice, as he said that if the person that was giving free advice actually knew what they were talking about they would be able to charge for it. The only other reason for free advice (or free anything) is that the "giver" is getting something out of it a different way. In this case you are probably right, the media circuit and a book deal.

      1. Sandtitz Silver badge
        Holmes

        Re: How credible

        "I was once told by a mechanic that you should never listen to free advice as he said that if the person that was giving free advice actually knew what they were talking about they would be able to charge for it. The only other reason for free advice (or free anything) is that the "giver" is getting something out of it a different way. In this case you are probably right, the media circuit and a book deal"

        You posted free advice about automatic patching a couple of weeks ago in another thread. Are you asking people not to heed it?

        Since you didn't charge for it, you were getting something out of it; perhaps some feel-good dopamine for your altruistic deed or hope for acknowledgement (and thumbs up) from the readers here in your quest for the coveted Gold Badge?

        1. itsthemonkey

          Re: How credible

          Do you not understand the difference between opinion and advice?

          Thanks for stalking me though, nice to see you are watching everything I post.

          1. Sandtitz Silver badge

            Re: How credible

            "Do you not understand the difference between opinion and advice?"

            Why are you dishing out opinions if you don't expect them to affect people?

            "Thanks for stalking me though, nice to see you are watching everything I post"

            Aren't you the special snowflake. If you don't want your posting history visible, continue as an AC. <-- free advice.

            1. itsthemonkey

              Re: How credible

              So you do not understand the difference between an opinion and advice. Thanks for making that clear.

              Also, for you to go and look at my posting history is a form of stalking. I repaid the compliment and saw that you invariably post comments about other people’s comments on here, not the articles in question, which makes you both a stalker and a troll. Your use of the insult “snowflake” when you are safe from any consequences also makes you the epitome of a keyboard warrior.

              Please think twice about your behaviour, you are coming across as a really unpleasant bullying sad little person. Of course that may be exactly what you are, but unlike you I don’t troll.

              Have a lovely day, I will if you are not in it

      2. heyrick Silver badge

        Re: How credible

        Following on from that, be careful whose advice you pay for. People who charge for advice may well have obvious biases. A great example? Go talk to a therapist. You'll be damn lucky if one says "there's nothing at all wrong with you" because finding things to run with keeps you coming back (and paying). Or ask your bank for investment advice. What they'll tell you may make you money, but it might be suboptimal as it'll be weighed against what will make them the most money.

        So, what do you trust? Advice that is offered or advice that is paid for?

      3. ChoHag Silver badge

        Re: How credible

        > I was once told by a mechanic that you should never listen to free advice

        How much did he charge for this pearl of wisdom?

        1. itsthemonkey

          Re: How credible

          £75. That was the cost to fix the problem caused by me following incorrect “free” advice.

          Hope your day is better from knowing that.

    2. OhForF' Silver badge
      Devil

      Re: How credible

      Is a conviction not the qualification people in the US look for when choosing the next leader?

      1. Anonymous Coward
        Anonymous Coward

        Re: How credible

        "Is a conviction not the qualification people in the US look for when choosing the next leader?"

        The US of A voter is looking for a leader "with conviction" !!!

        It got mangled in reception by Trump who, as usual, let his mouth lead his brain ...

        P.S. I know he has a brain because *something* is making his lips move other than Bernoulli's Principle/lift !!!

        :)

        1. CowHorseFrog Silver badge

          Re: How credible

          What does conviction mean?

          Don't you love corporate speak ... like leadership takes responsibility for their actions.... except they don't. They don't go to jail when they cost cut and people or planes crash into the ground, they don't get fired the next day if the company goes down the shitter, no they get multi million dollar parachutes...

    3. This post has been deleted by its author

  6. tiggity Silver badge

    Some form of data breach is more likely a when, rather than an if (even if you make a really good effort on security; obviously some companies do not, but that's a separate issue, so for simplicity's sake let's assume Uber were making a decent fist of the security side). What matters is how you deal with an intrusion... which includes not covering it up.

    Personally I thought he got off very lightly, as the whole issue was not one of incompetence but of a massive cover up (even ignoring the dubious morality of cover ups, that concealment broke lots of financial rules on disclosing events that could impact company health / share price). Unfortunately the "higher up" positions in organisations tend to often* be filled by those for whom lying and immorality is as natural as breathing, as is being a "yes man / woman" (at least until the time of the next boardroom internal coup).

    * Not always by any means, but too often for my liking

  7. quiet_reader

    "In my case, it meant I had to study the different prisons that I could ask the judge to be sentenced to"

    What the hell is this? Prison is not a room service menu.
