In the event the news flew under your radar, on October 5, 2022, a verdict was handed down by the U.S. District Court for the Northern District of California that could prove highly impactful to CISOs/CSOs (Chief Information Security Officers/Chief Security Officers) in the near and distant future. Joe Sullivan, the erstwhile CSO of rideshare company Uber, was found guilty of obstructing the U.S. Federal Trade Commission's (FTC) investigation of a major data breach that hit the company in 2016, and of misprision of a felony (concealing knowledge of a crime from the authorities). In short, the jury decided whether the breach, which exposed some 57 million rider and driver records, was knowingly covered up.
Most impactful is the fact that Sullivan now faces significant prison time. While a sentencing date hasn't been set, the obstruction count carries a maximum of five years in federal prison and the misprision count up to three.
In our ongoing goal to keep an open dialogue with our customers and understand issues and concerns that affect their business, Radware asked CISOs/CSOs from our customer base how they think the verdict will affect the role of the CISO/CSO in the future.
Before we get to their responses, here’s a quick review of the Uber case and what led to the verdict.
An Interesting Back Story
Uber was back in the headlines just weeks before the verdict, when a separate breach in September 2022 was claimed by an 18-year-old hacker who took credit for it under an assumed name. He brazenly announced the intrusion with this post on an Uber Slack channel: "Hi @here I announce I am a hacker and Uber has suffered a data breach." He claimed the initial foothold came from social engineering, specifically an MFA fatigue attack in which the victim was bombarded with push notifications until one was approved. It's another example of the critical role employees play in combating social engineering. Unfortunately, it just takes one person to expose an attack vector.
The next day, Uber issued a statement saying that "internal software tools that we [Uber] took down as a precaution yesterday are coming back online." However, the attacker released screenshots indicating that the intrusion went deeper than Uber had admitted, and insisted that with more time the damage could have been far-reaching. The verdict, though, concerns the earlier 2016 breach and how it was handled.
The Uber breach verdict stems from the fact that Sullivan and others, including the company's then-CEO and in-house counsel, decided to pay off the two hackers behind the 2016 intrusion in bitcoin. But they paid for more than the hackers' guarantee not to post the stolen data. They paid for their silence.
At the time of the breach, the FTC was already investigating another Uber breach that had occurred two years earlier. Uber didn't want information about the new breach to surface at this sensitive time. So, they decided to purchase the hackers' silence and fork over $100,000 in bitcoin. To add to the mess, they routed the payment through Uber's bug bounty program, which rewards non-employees who uncover and responsibly disclose bugs in its systems and applications. However, the program's maximum payout was $10,000 per disclosure, well under the bitcoin payment. It was clearly an attempt to hide the breach, cover it up and prevent news of it from reaching the FTC.
“How will the Uber verdict affect CISOs in the future?”
All but two of the polled CISOs/CSOs from Radware’s customer base thought the Uber breach verdict would significantly affect the role in the future. As always, we found their responses to questions about timely topics affecting the technology landscape interesting, engaging and highly insightful.
The majority of the responses fell into three areas of thought:
- The effects the verdict may have on attracting top IT talent to fill CISO positions,
- The need to ensure that compliance methodologies are established and followed, and
- The need to protect IT personnel and report on all breaches, even those that may appear insignificant and/or pose little threat.
Attracting top talent:
“It’s important to consider that executives may pass the blame and place it at their CISO’s feet because, deep down, they know there’s no such thing as being 100% secure.”
“It [the verdict] will definitely have an impact. If people fear personal responsibility for data breaches, fewer people are going to consider this position. As a result, there will be less talent filling those positions.”
“Now victims of a corporate data breach know they can go after more than just the company, but also the executives who shoulder that responsibility.”
“With personal liability and culpability, we’re now in somewhat uncharted territory for security executives. It will definitely lead to a lack of interest in our field and increased skepticism about InfoSec as a whole.”
Ensuring compliance mandates are met and transparency is promoted:
“Transparency is key for financial and cybersecurity matters. This goes hand-in-hand with the emerging cybersecurity incident reporting requirements of the SEC (U.S. Securities and Exchange Commission).”
“The verdict underscores the need for more transparency between the board, risk committees and the executive echelon. Transparency needs to carry across incident reporting as well as security posture gaps and audit data. In today’s cybersecurity attack surface, there is no choice but to lift the hood and measure security exposure continuously.”
“This will be a game changer for CISOs and how they handle data breach reporting. Compliance will take on new meaning and gravity.”
“Accountability, and the need for enhanced levels of it, will require that everything be open to audit and high levels of scrutiny.”
Protecting IT personnel and reporting all breaches, regardless of size and scope:
“Now CISOs will need to think about and pay closer attention to small vulnerabilities and residual risk.”
“There will definitely be a higher standard in place for CISOs.”
“The verdict will definitely affect the CISO role because they’ll now feel more responsible for their team and their actions and decisions.”
“While CISOs who attempt to cover up breaches should bear a significant level of liability, the verdict will greatly affect InfoSec and security teams, as well.”
“With personal liability now a reality, CISOs better consider the importance of each breach and the need to report them immediately, accurately and openly.”
Bolster Your Organization’s Security Posture
There's little doubt that the Uber verdict will affect organizational security and the CISO role in the future. A precedent has been set. It's never been more important to ensure your organization has implemented security controls against the myriad threats lying in wait. Whether you need to secure your mission-critical and customer-facing applications, elevate your cloud security or protect against DDoS attacks, the time to act is now.
Reach out to the cybersecurity professionals at Radware. Their hands-on experience and skill sets have kept customers' employees and mission-critical data protected for years. It's why so many of the most noted companies in the world rely on Radware.
Many thanks to the Radware customers whose responses are included: Paul Vrdoljak, Raymond Tung, Rainer Schmier, Howard Taylor, Bikash Kumar Dash, Kiran Dhondkar, Daniel Cheung, Drew Peterson, Aung Bo, Andres Vergara, Anthony Simpson, Clint Boylan and Horacio Quiteno.