Uber CISO Verdict: It’s the Cover-Up

Security circles are all aflutter regarding the guilty verdict of Joe Sullivan, former CISO of Uber, on charges of obstructing justice and misprision (concealment) of a felony. You can read the Washington Post's coverage for more details on the verdict.

We can argue about whether the verdict was, in fact, right or wrong, but I agree with it. Sullivan hid information from his new CEO and from the FTC while it was investigating Uber. He's a former prosecutor, so I figured he would know better, no? Now, I'm not an attorney (even though I live with one), so I don't know that my opinion holds much water. But there are some attorneys who also support the verdict.

Sullivan's position that he was "following orders" also rings hollow. That argument hasn't worked in the past and it shouldn't work now. Sullivan, a former federal prosecutor, should know the difference between right and wrong.

For those who focus on the aspect of the indictment regarding the ransom paid in 2016, I think that misses the point. Nowadays many organizations pay ransom even though doing so can expose them to sanctions liability. I don't believe Sullivan was prosecuted for paying off the attackers. He got fired from Uber because he wasn't honest with the new CEO about his actions. The Department of Justice threw the book at him because he covered it up. He doctored emails, for goodness sake!

That highlights the real situation here: it's not necessarily the crime; it's the cover-up. How many examples of this have we seen? To err is human. To lie about it and cover it up is a crime.

Will this verdict have an impact on the CISO role? Many respected security folks worry this creates a clear disincentive to be a CISO, including Techstrong Group's own Alan Shimel. After all, it seems Uber's CEO at the time and the internal legal team knew what Sullivan did. Is it fair that Sullivan was held responsible and the others were not? It's not unreasonable to put yourself in that situation and wonder if you'll be thrown under the bus.

If you come clean during the investigation, you may be culpable for any laws broken (as you should be), but you won't be subject to charges related to obstruction or concealing a felony. Do you really think Sullivan would have been convicted by a jury if the trial had focused only on the ransom?

And if your CEO or anyone else expects you to cover something up, it’s time to find somewhere else to work after you report that behavior to the proper authorities.

I guess it goes back to something my Dad told me when I entered the workforce. He said, “Mike, you only get one opportunity to compromise your integrity.” Joe Sullivan seems to have squandered that opportunity after a distinguished career fighting for justice, which is a shame.

But I don’t believe this has any lasting impact on the willingness of security professionals to take a CISO role after working their entire career to get there. Although maybe they’ll make sure to tell the whole truth when asked by law enforcement. Is that a bad thing?

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.