The Serious Management Problem Illustrated by CISO Joe Sullivan’s Recent Conviction

By Charles Cresson Wood

[published in the ISSA Journal, November 2022]

Abstract: The recent conviction of Joe Sullivan has many CISOs worried about whether they too might soon be in trouble with the law. While Sullivan's failure to report a breach was a violation of the law, and in that respect not to be endorsed, he also appears to be a casualty of a major management problem that has plagued the information security and privacy field for years. That problem is the failure to clarify, document, and review performance against roles and responsibilities, particularly those of the Directors & Officers. This article describes the problem and outlines a practical way forward.


While former Uber Chief Information Security Officer Joe Sullivan was definitely in the wrong, because he mischaracterized and then concealed a serious intrusion, and subsequently failed to report it to the authorities, as he knew was required by law, there is significantly more to the story than his high-visibility conviction. Sullivan was also suffering the ill effects of a major management problem that has plagued the information security and privacy field for decades. It is unfortunate that he faces up to eight years in federal prison and a fine of up to $500,000, because, at least in part, he is apparently a casualty of this serious management problem. That problem is the lack of clarity about roles and responsibilities, and the lack of a clear definition of exactly what the law requires from each of the Directors & Officers. Since other CISOs could at some point suffer a similar fate, it is important that all CISOs create, and regularly update, specific, practical, documented, clear, and legally grounded role and responsibility assignments. This article briefly describes how this serious management problem can be remedied.


Just because Directors & Officers are not personally involved in the operational and technical work of information security and privacy, that doesn't mean that they don't each have a very important role to play in this domain.[1] Many Directors & Officers erroneously assume that this is technical and operational work, and that they really don't need to get personally involved. As the Sullivan case revealed, not only must Directors & Officers personally get involved, but they have a legal duty to be so involved. In fact, they could go to jail and pay a hefty fine if they do not attend to their duties in this realm. Their personal assets are also at risk if a judgement is not covered by insurance. For example, Equifax and its Directors & Officers paid $149 million to settle a recent shareholder class action suit alleging that they failed to perform their fiduciary duties in the realm of information security and privacy.[2] The recent Securities & Exchange Commission proposal, which addresses the involvement of the Directors & Officers in information security and privacy risk management and governance, is a further indication that multiple forces are now demanding that Directors & Officers pay more attention to this area.[3]


Sullivan’s legal defense[4] relied primarily on the notion that it was the Legal Department’s call to determine which breach incidents should be reported to the Federal Trade Commission and which should not. While there are certainly legal issues involved, and those issues will affect how the reporting decision is ultimately made, such decisions are, in the end, made by executives, specifically officers of the corporation. Sullivan, acting as Chief Information Security Officer at Uber, was one of those executives, so ultimately it was his decision, and in fact the forms filed with the FTC had Sullivan’s name on them.


In many corporations, there remains substantial confusion about how decisions such as this are made. Specifically, is the reporting decision made by the Chief Information Officer? By the Chief Information Security Officer?[5] Or by the Chief Executive Officer? This author contends that it should be the latter, but in this particular instance, according to what is known about what happened at Uber during Sullivan’s tenure there, the CEO didn’t know about the intrusion. In more general terms, is this matter handled by lower-level management only, or does it need to be brought to the highest level of executive management? If there is to be a tiered approach, where only serious intrusions are reported to executive management, then what is the cut-off, and is that cut-off justifiable?


Beyond the requirements of the law, each organization will make these and related information security and privacy decisions a bit differently. The management keys to success in this area are: (a) reaching an internal consensus about the necessary roles, (b) coordinating those roles across multiple departments, and across third parties as well, (c) assigning duties to specific roles with individual accountability, (d) regularly reviewing and updating these duties and roles (to reflect changes in both the law and in business relationships), (e) documenting them clearly in job descriptions, committee mission statements, and departmental mission statements, (f) regularly checking that essential duties are being performed (for example via performance reviews), and (g) applying penalties and rewards based on adherence to the assigned duties (alignment of incentive systems). None of this is rocket science, but in the domain of information security and privacy it is generally applied to lower-level employees only. These same generally accepted management practices need to be applied to executive management, and to the board of directors as well.


As a bit of background to the Joe Sullivan case, by all published accounts that this author was able to locate, Sullivan was an exemplary Chief Information Security Officer, serving at Facebook and Uber, and later at Cloudflare. Before that, he worked for the US Department of Justice as an attorney prosecuting information security cases, and he was generally known as one of the best practitioners in the field. One would not expect him to be convicted of criminal obstruction related to a breach that took place in 2016. Instead of doing what was required by law, i.e., reporting the breach to the federal government, the company, under Sullivan’s guidance, categorized the breach, and the related $100,000 bitcoin payment to the hackers involved, as a bug bounty matter. Supposedly, that made the incident not reportable. Sullivan claimed (but the jury did not agree) that it was not his job to report the breach, and that it was instead the job of the legal department. If an attorney who specializes in this field, with many years of prior experience in it, still can’t get this right, then it is not surprising that other CISOs are wrestling with these matters too.[6] While there are other aspects to the story, the crux of the problem here is that there was confusion about what the minimum legal obligations are, and about who should be doing what, in the realm of information security and privacy.


The excuse that information security and privacy is a new field, and that we are still trying to understand it and to appreciate what is required, is no longer credible in a court of law, as the Sullivan conviction clearly shows. This field has existed for several decades now, and it is clear what must be done, although the financial resources to do those things are often not budgeted. One of the most significant reasons why these resources aren’t in the budget at many organizations is that financial incentives push decision-makers toward decisions that favor low costs, high profits, high stock prices, high quarterly bonuses, etc.[7] When the Directors & Officers are directly and explicitly confronted with their legal duties in this realm, through the process described in this article, the resources are understandably much more likely to be forthcoming. Likewise, if their performance bonuses or other significant incentives are tied to a successful information security and privacy effort, the necessary resources will be forthcoming much more readily. And having specific statements of roles and responsibilities for all involved Directors & Officers, and auditing compliance against those statements, will also go a long way toward securing an adequate budget.


Another excuse often raised when there has been no substantive action on information security and privacy roles and responsibilities is that the field is still in flux, that the legal and regulatory requirements have not yet been definitively clarified, and that this supposedly justifies a lack of action within a particular organization. While it is true that the field is evolving rapidly, with many changes on a regular basis, it is also clear that there is enough publicly accessible information to readily develop a definitive collection of the laws, regulations, contracts, consent decrees, and other legal obligations to which a particular firm, and its Directors & Officers, are required to adhere. The fact that this definitive collection of legal obligations can now be assembled enables many related activities, such as compliance checks of the Directors & Officers by insurance companies as a hurdle that must be cleared before a Directors & Officers liability insurance policy is issued or renewed. Still another useful application of independent third-party compliance checking of the Directors & Officers is as a due diligence step before a merger or acquisition is completed.


The path to clarity of roles and responsibilities begins with a custom evaluation of the requirements dictated by laws, regulations, contracts, etc. The results of this effort will of course vary from firm to firm: the collection of legal requirements depends on the industry, the jurisdiction (e.g., the state where the corporation is incorporated), the types of information handled, the types of technology deployed, the contracts in force, the litigation now in process, etc. After this minimum, legally dictated level of roles and responsibilities has been explicitly defined, the Compliance Department or the Internal Audit Department can use it to periodically perform a compliance review, to determine whether the Directors & Officers are doing all that the law requires. Yes, Directors & Officers should be the subject of compliance reviews in the domain of information security and privacy, just like lower-level employees and third parties. In fact, when the Directors & Officers go through a process like this on a regular basis, and have a third-party lawyer auditor perform an independent audit, the resulting professional opinion letter can be an important document for establishing trust with third parties. And, on a related note, once the minimum required by law has been defined, the organization can and should add further roles and responsibilities, to achieve competitive advantage, to facilitate the operational activities related to certain products and services, etc.


In summary, a major problem that has caused Joe Sullivan, and so many other CISOs, so much trouble is the widespread failure of American corporations to adequately clarify and document the roles and responsibilities related to information security and privacy. The first factor to consider when attempting to remedy this problem is the minimum required by law. All allocations of roles and responsibilities must cover the fundamental points found in that legal minimum. If organizations don’t even have clarity about the minimum required by law, they aren’t going to do a good job of allocating roles and responsibilities. And if roles and responsibilities are poorly defined, important tasks are likely to fall through the cracks, and intrusions and other problems (as Joe Sullivan experienced) are the likely result.


In terms of action steps for substantial improvement in this area, organizations need to clarify and document exactly what the law requires the Directors & Officers to do. Then an internal compliance checking process can be undertaken. Using the traditional risk assessment process (as found in the ISO/IEC 27000 series of standards), an institutionalized internal compliance review process should be created and followed. After full compliance has been demonstrated, third-party lawyer auditors should be retained to verify the correctness of the internal compliance review’s conclusions. Not only can this third-party review generate documentation that could legally protect the corporation, as well as the Directors & Officers, in a future court case, but this documentation can also be an important motivational tool, much like annual performance reviews.


Furthermore, when the Directors & Officers have their compliance with the legal minimum reviewed by an independent third-party lawyer auditor, and when their incentive systems take information security and privacy into account, that sends a very serious message. That message sets the “tone at the top,” and that tone flows down to the rest of the organization, and then out to third parties as well. In that way the Directors & Officers communicate to all employees, and to related third parties, that internal controls such as information security and privacy are important, and must be part of business as usual.

Endnotes

[1] See Charles Cresson Wood, “The Rules Have Now Been Clarified – The Minimum Legal Duties for Directors & Officers Are Both Established and Readily Determined,” ISSA Journal, vol. 20, issue 5, May 2022.

[2] For a high-level summary of this case, see Molly Stubbs, “Equifax Agrees to $149 Million Settlement for Infamous 2017 Data Breach,” Expert Institute, June 25, 2020. As an aside, it is unclear how much of this was paid by Directors & Officers liability insurance. There are also other recent high-visibility legal cases where the Directors & Officers paid a heavy price for failing to address information security and privacy. For example, as a result of a series of data breaches going back to 2013, the Yahoo! Directors & Officers several years ago settled with shareholders to the tune of $80 million. For the details, see Kevin LaCroix, “Yahoo Settles Data Breach-Related Securities Suit for $80 Million,” D&O Diary, March 5, 2018.

[3] See “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” U.S. Securities and Exchange Commission, March 9, 2022 (www.sec.gov/news/press-release/2022-39).

[4] For more background about the case, see Lily Hay Newman, “The Uber Data Breach Conviction Shows Security Execs What Not to Do,” Wired, October 7, 2022.

[5] Fully 36% of Chief Information Security Officers are not reporting breaches because they fear that they will lose their jobs as a result. This statistic is from a UK survey performed by Keeper Security, entitled 2021 Cybersecurity Census Report. If CISOs don’t have the budget to do the job that needs to be done, there will be serious breaches, and the cover-ups will only conceal how the system is seriously broken, until the truth comes out some other way, such as in the mass media or in a lawsuit. Being clear about the minimum duties that are required by law sets a floor below which budgets must not go, and that process of gaining clarity can serve as starting point for rationalizing, harmonizing, and aligning the broken incentive systems at many organizations.

[6] The Sullivan case, specifically the part of the case involving misprision of a felony (concealing a felony, here the hackers’ intrusion, rather than reporting it to the authorities), also makes ransomware negotiations and payments still more pressured, difficult, and complicated than they already are.

[7] For a wide-ranging discussion of the effects of incentives on information security decisions, see Charles Cresson Wood, “Solving the Information Security & Privacy Crisis by Expanding the Scope of Top Management Personal Liability,” Journal of Legislation, vol. 43, no. 1, December 2016.

Toto, I've Got a Feeling That We're Not in Kansas Anymore.

Management Summary: Compelling evidence now shows that we face a vastly more serious information security and privacy crisis than we confronted just several years ago. Considerable additional top management attention and markedly augmented resources are urgently needed to address this crisis.

That America is in serious trouble can first be shown by the April 2015 breach of computers at the U.S. Office of Personnel Management.[1] That breach exposed personally identifiable information, such as names, social security numbers, dates of birth, and addresses, for millions of people who had undergone military and government agency background checks. Not only does the breach pose a short-term risk of identity theft, but it will jeopardize U.S. undercover operations for a generation, since those involved will be subject to blackmail, unexpected disclosure of their identities, etc. That one attack changes the balance of power between countries, alters the battlefield of international conflicts, and jeopardizes American competitiveness. It also points to the fact that computers and networks are the modern nervous system of our society, and that they must be vigorously and effectively protected if our now highly automated society is going to survive.

That the nation is now in a serious information security and privacy crisis can secondly be illustrated by the Sony Pictures Entertainment attack that took place on November 24, 2014.[2] As a result of that attack, a major corporation lost the use of over 3,000 computers and 800 servers. All connections to the Internet were shut off, including connections to other Sony units and to third parties. The corporation was plunged into a pre-digital age of landline telephones and hand-delivered messages written with pen and paper. Not long after that, President Barack Obama issued an executive order declaring a national emergency [3] to deal with the “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States.”

In other words, the game has recently changed and nation states are now actively engaged in cyber-warfare, and both corporations and government agencies are at significant risk. While those seeking to make political points (aka “hacktivists”), those seeking to show their intellectual prowess (aka “hackers”), as well as those seeking to “make a buck” from crime such as identity theft (aka “ghosts”), are certainly still serious concerns, the attackers now include agents from well-financed nation states and operatives from sophisticated organized crime gangs. [4]

While there is unquestionably a wide variety of very powerful and versatile new security and privacy technology available, the fundamental issue behind the information security and privacy problems that we now experience involves people. [5] Technology alone is not going to solve information security and privacy problems. Instead, management must devote additional attention to the risks that new information systems like the Internet introduce, and must also allocate sufficient resources so that these security and privacy problems can be adequately addressed. Top management now stands as the gatekeeper, holding the purse strings, and it is often blocking the information security and privacy work that must be undertaken to adequately protect information systems, as well as the assets, both physical and intellectual, that these systems control. Unfortunately, the prevailing incentive systems, such as quarterly bonuses paid for high profits, encourage top management to act in a penny-pinching manner, denying these essential activities both the top management attention and the resources that they must now receive. [6]

Only by redesigning incentive systems, and by reorganizing the way that people work, so that both incentives and penalties compel the involved persons to behave in a manner that supports information security and privacy, will this crisis be brought under control. 

Notes

[1] Sanger, David E., “Hacking Linked to China Exposes Millions of U.S. Workers,” The New York Times, June 5, 2015; http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html (accessed January 31, 2016)

[2] Grisham, Lori, “Timeline: North Korea and the Sony Pictures Hack,” USA Today, January 5, 2015; http://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645 (accessed on January 29, 2016).

[3] Exec. Order No. 13694, 80 Fed. Reg. 18077 (April 1, 2015); reflecting the serious problems in this area, one should note that President Obama has issued a total of five Executive Orders and Presidential Directives that authorize offensive and defensive actions in cyberspace. For details see Theohary, Catherine A., and Anne I. Harrington, “Cyber Operations in DOD Policy and Plans: Issues for Congress,” Congressional Research Service, January 5, 2015, p. 22; https://fas.org/sgp/crs/natsec/R43848.pdf (accessed March 17, 2016).

[4] Bergsman, Jeremy, “Information Risk – Do You Care Who’s Attacking Your Firm? Information Security Officers and Their Teams Should Collect Information on Who’s Attacking Their Firm, Rather Than Just How It’s Done,” CEB Blogs, May 13, 2015; https://www.cebglobal.com/blogs/information-security-do-you-care-whos-attacking-your-firm (accessed January 29, 2016).

[5] Parker, Donn B., “People are the Number One Problem for Computer Security: Some Suggestions for Control,” pp. 5-10, Computer Crime Digest, vol. 2, no. 6 (1984).

[6] Loveland, Gary, and Mark Lobel, “Cybersecurity: The new business priority,” PwC (PricewaterhouseCoopers), 2016; http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html (accessed January 29, 2016).