The verdict ended a dramatic case that pitted Sullivan, a prominent security expert who was an early cybercrime prosecutor for the U.S. attorney’s office in San Francisco, against his former government office. In between prosecuting hackers and being prosecuted, Sullivan served as the chief security officer at Facebook, Uber and Cloudflare.
Judge William H. Orrick did not set a date for sentencing. Sullivan can appeal if post-trial motions fail to set aside the verdict.
“Mr. Sullivan’s sole focus — in this incident and throughout his distinguished career — has been to ensure the safety of people’s personal data on the Internet,” Sullivan attorney David Angeli said after the 12-member jury returned its unanimous verdict on the fourth day of deliberation.
Even without Sullivan’s job history, the trial would have been watched as the first major criminal case against a corporate executive over an outsider breach.
It may also be one of the last: In the five years since Sullivan was fired, payments to extortionists, including those who steal sensitive data, have become so routine that some security firms and insurance companies specialize in handling the transactions.
“Paying out ransoms is, I think, more common than we are led to believe. It’s an attitude similar to a fender bender,” says Michael Hamilton, founder of security firm Critical Insight.
FBI officials, while officially discouraging the practice, have said they will not pursue the people and companies that pay the ransom if they do not violate sanctions that prohibit payments to named criminal groups that are particularly close to the Russian government.
“This case is sure to make managers, rescuers and anyone else involved in deciding whether to pay or disclose ransoms think a little harder about their legal obligations. And that’s not a bad thing,” says Brett Callow, who researches ransomware at security firm Emsisoft. “As it is, too much is happening in the shadows, and that lack of transparency can undermine cybersecurity efforts.”
Most security professionals had expected Sullivan to be acquitted, noting that he had kept the CEO and others who were not charged informed of what was happening.
“Personal accountability for business decisions with input from executive stakeholders is new territory that is somewhat uncharted territory for security leaders,” said Dave Shackleford, owner of Voodoo Security. “I fear that it will lead to a lack of interest in our field, and increased skepticism about infosec in general.”
John Johnson, a “virtual” chief information security officer for several companies, agreed. “Your company management can make choices that can have very personal consequences for you and your lifestyle,” he said. “Not to say that everything Joe did was right or perfect, but we can’t bury our heads and say it will never happen to us.”
Prosecutors argued in Sullivan’s case that his use of a nondisclosure agreement with the hackers was evidence that he participated in a coverup. They said the breach was a hack followed by blackmail when the hackers threatened to publish the data they took, and therefore should not have qualified for Uber’s bug bounty program to reward friendly security researchers.
But the reality is that as the hacking of companies has gotten worse, the way companies handle it has moved far beyond the letter of the law that Sullivan was accused of breaking.
Bug bounties usually require nondisclosure agreements, some of which last forever.
“Bug bounty programs are abused to hide vulnerability information. In the case of Uber, they were used to cover up a breach,” said Katie Moussouris, who established a bug bounty program at Microsoft and now runs her own vulnerability resolution company, in an interview.
The case against Sullivan began when a hacker emailed Uber anonymously and described a security breach that allowed him and a partner to download data from one of the company’s Amazon data stores. It emerged that they had used a stray digital key that Uber had left exposed to get into the Amazon account, where they found and extracted an unencrypted backup of the data of more than 50 million Uber riders and 600,000 drivers.
Sullivan’s team steered them toward Uber’s bounty program, noting that the top payout under it was $10,000. The hackers said they would need six figures and threatened to release the data.
A lengthy negotiation ensued that ended with a payment of $100,000 and a promise from the hackers that they had destroyed the data and would not reveal what they had done. Although it looks like a coverup, testimony showed that Sullivan’s staff used the process to gather clues that would lead them to the real identities of the perpetrators, which they believed was necessary leverage to hold them to their word. The two were later arrested and pleaded guilty to hacking charges, and one testified for prosecutors at Sullivan’s trial.
The obstruction charge drew strength from the fact that Uber, at the time, was nearing the end of a Federal Trade Commission investigation into a major breach in 2014.
A charge of actively concealing a crime, or misprision of a felony, could also apply to many of the business executives who send bitcoin to foreign hackers without telling anyone else what happened. While the number of these hush-ups is impossible to know, it is clearly large. Otherwise, federal officials would not have pushed for recent legislation that would require ransomware alerts from critical infrastructure victims to the Cybersecurity and Infrastructure Security Agency.
The Securities and Exchange Commission is also pushing for more disclosure. The conviction stunned corporate security and compliance leaders and will draw their attention to the details of these rules.
The case against Sullivan was weaker in some respects than might be expected from a trial aimed at setting a precedent.
While he directed the response to the two hackers, many others in the company were in the loop, including a lawyer on Sullivan’s team, Craig Clark. Evidence showed that Sullivan told Uber’s then-CEO, Travis Kalanick, within hours of learning about the threat himself, and that Kalanick approved of Sullivan’s strategy. The company’s chief privacy counsel, who oversaw the response to the FTC, was briefed, and the head of the company’s communications team also had details.
Clark, the designated legal officer for security breaches, was granted immunity to testify against his former boss. Under cross-examination, he acknowledged that he had advised the team that the attack would not need to be disclosed if the hackers were identified, agreed to delete what they had taken and could convince the company that they had not disseminated the data, which is what eventually happened.
Prosecutors were left to challenge “whether Joe Sullivan could possibly have believed that,” as one of them put it in closing arguments Friday.
Sullivan’s lawyer Angeli said the real world worked differently than bug-bounty ideals and the guidelines laid out in company handbooks.
“At the end of the day, Mr. Sullivan led a team that worked tirelessly to protect Uber’s customers,” Angeli told the jury.
After Kalanick was forced out of the company for unrelated scandals, his successor, Dara Khosrowshahi, stepped in and learned of the breach. Sullivan portrayed it to him as a routine payout, prosecutors said, redacting from one email the size of the payout and the fact that the hackers had obtained unencrypted data, including phone numbers, of tens of millions of riders. After a later investigation revealed the full story, Khosrowshahi testified, he fired Sullivan for not telling him more sooner.
Eager to show they were operating in a new era, the company helped the U.S. attorney’s office build a case against Sullivan. And prosecutors, in turn, unsuccessfully pushed Sullivan to implicate Kalanick, which would have been a far bigger prize but was not supported by the surviving written evidence, according to people familiar with the process.
Bug bounties were never intended to offer as much money to hackers as criminals or governments would pay. Instead, they were designed to offer money to those already inclined to stay above board.
But it is the companies who pay the bill even when the programs are run by external providers such as HackerOne and Bugcrowd. Disputes between the researchers who report the security holes and the companies with the holes are now common.
The two sides disagree about whether a bug was “in scope,” meaning within the areas where the company said it wanted help. They differ on how much a bug is worth, or whether it is worthless because others had already found it. And they differ on how, or even if, the researcher can disclose the work after the bug is fixed or the company chooses not to change anything.
The bounty platforms have arbitration procedures for these disputes, but since the companies foot the bill, many hackers see bias. Too much protest and they get booted from the platform entirely.
“If you’re hacking a bug bounty program for the love of hacking and making security better, it’s the wrong reason, because you have no control over whether a company decides to patch in time or not,” said John Jackson, a researcher who cut back on bounty work and now sells vulnerability information whenever he can.
Casey Ellis, founder of Bugcrowd, acknowledged that some companies use bounty programs to mitigate problems that should have been disclosed under state or federal regulations.
“It’s definitely a thing that’s happening,” Ellis said.
Ransomware attacks were rare when Sullivan was charged, and grew dramatically in the years that followed to become a threat to US national security.
The techniques of these attacks have also changed.
In early 2020, most ransomware simply encrypted files and demanded money for the key to unlock them. By the end of that year, most ransomware attacks included outright theft of files, creating a new ransom demand to prevent public release, according to a 2021 report from the Ransomware Task Force, an industry-led group that includes representatives from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the Secret Service.
Recently, cryptocurrency exchanges have been robbed and then negotiated to provide massive payouts to get those funds back, a freewheeling practice that bears little resemblance to traditional bounties.
“Especially in the last six months in the crypto space, the model is ‘build it until we get hacked and we’ll figure it out from there,’” Ellis said.
As average payouts zoomed past Sullivan’s, into the hundreds of thousands of dollars, more businesses turned to insurance companies for predictability.
But often the insurance companies believed that it was cheaper to pay than to cover the damages from lost files. Some paid regularly, ensuring steady income for the gangs.
Making the payments illegal, as some have suggested, would not actually stop them, the FBI has said. It would instead give the extortionists another club to hold over the victims after the payment is made.
At least so far, Congress has agreed and declined to ban the transactions. Which means deals like Sullivan’s will continue to happen every week.
Will all be disclosed when required by state law or federal consent decrees? Probably not.
But don’t expect those who raise the alarm to end up in handcuffs.