On January 11, 2023, United States District Judge William Orrick in San Francisco denied a motion for a judgment of acquittal by Joe Sullivan, the former CISO of Uber. The conviction arose from Sullivan's agreement to pay attackers who breached the security of the ride-sharing service and obtained personal information about thousands of users, drivers and riders. Sullivan, a lawyer and himself a former federal computer crime prosecutor, was convicted by a jury in 2022 of two offenses: concealing and failing to report the Uber attack, and obstructing a then-pending Federal Trade Commission investigation into an earlier Uber breach by concealing the new one.

The case centered on the fact that after Sullivan became aware of the breach, he took steps to prevent it from being publicly disclosed, noting that "This can't get out" and "We need to keep this tightly controlled." Sullivan also told the incident response team that "This may also play very badly," a reference to the FTC's assertions, in a then-ongoing civil investigation of Uber, that the company lacked adequate security. Once the breach was known to Uber, the charges alleged, Sullivan negotiated a nondisclosure agreement with the attackers: under Uber's then-existing bug bounty program, the company would pay $100,000 if they executed a document stating that they "Did not take or store any data during or through [their] research" and had "Delivered to Uber or forensically destroyed all information about and/or analysis of the vulnerabilities" they discovered. In other words, the nondisclosure agreement had the attackers certify that they had not taken data that, in fact, they had demonstrably taken.

“Corrupt” Obstruction of an FTC Proceeding

It's important to note the crimes Sullivan was convicted of. First, he was convicted of violating 18 USC 1505, which punishes obstruction of proceedings before federal departments and agencies. In Sullivan's case, the alleged act of obstruction was that, while the FTC proceeding concerning a previous data breach was still pending, he did not reveal to the FTC that Uber had suffered a new breach, and that he paid the attackers to ensure that news of the new breach would not leak.

The trial court rejected Sullivan's argument that, to convict him of obstruction, the government had to prove some "nexus" or connection between the thing concealed (the new breach) and the proceeding obstructed (the investigation of the old breach). The court ruled that no such nexus need be proven, as long as the jury had evidence that (1) the FTC action was an agency proceeding, (2) Sullivan was aware of the proceeding and (3) he "intentionally endeavored corruptly to influence, obstruct or impede the pending proceeding." As evidence of Sullivan's corrupt intent to conceal the breach from the FTC, the court found it persuasive that Sullivan knew of (and indeed had testified in) the FTC proceeding, expressed his desire that the new breach be kept secret, and had the attackers execute an NDA preventing them from disclosing it.

The trial court also rejected Sullivan's claim that, to corruptly obstruct a proceeding by not disclosing something, the government would have to establish an actual legal duty to disclose that thing. The FTC was investigating a prior breach, and there was no evidence that Uber or Sullivan obstructed or impeded that investigation or concealed evidence related to that breach. However, Sullivan and Uber knew that the FTC, in deciding what sanction to impose on Uber for the earlier breach (and in assessing the adequacy of Uber's overall security program), would want to know about the new breach, which represented a lapse of security. That is why Sullivan wanted to conceal it.

There are a lot of problems with this theory. Imagine negotiating a plea agreement for someone who was caught shoplifting. In the course of negotiating the plea, the defense lawyer learns (through a privileged conversation) that the defendant has shoplifted other items from other stores since the incident but was never caught. Is there a duty to tell the prosecution? No. In fact, it would violate privilege to do so. What if you instructed the client to either return the items or pay for them (plus something extra) in return for the merchant agreeing to "settle" the matter and not report it to the prosecution? Would that be "corruptly" obstructing the plea negotiations?

Or consider a civil lawsuit in which a client testifies truthfully that he has never been accused of some relevant wrongdoing. Days after the testimony, the deponent is accused of exactly that wrongdoing. The testimony was truthful when given, but the other side would certainly like to know about the new allegations. Are you required to disclose them? Can you settle the new charges with an NDA to keep opposing counsel from learning about them, or would that constitute obstruction of a judicial proceeding? Would it matter whether the new allegations had some "nexus" to the case under litigation? Would it matter whether the old case had already been settled?

The use of the term "corruptly" in the jury instructions implies a requirement of proof that the defendant specifically intended to do something the law prohibited (or to refrain from doing something the law required). But if there was no affirmative duty to disclose, it is not clear what Sullivan did that was "corrupt." Would he still be guilty of obstruction if he had not had the attackers execute an NDA but had simply not told the FTC of the new breach? And what if the "breach" were merely an unexploited vulnerability, which is certainly also something the FTC would want to know about? It's not clear how far the court and DOJ would extend this concept.


Misprision of a Felony

The other crime Sullivan was convicted of was "misprision of a felony," an archaic offense of common law origin, now codified at 18 USC 4, which punishes anyone who, having knowledge of the commission of a federal felony, conceals it and does not report it. The elements of that offense, according to the court, were proof that (1) a federal felony was committed (in this case, "intentionally accessing a computer without authorization and thereby obtaining information from a protected computer, or conspiracy to extort money through a threat to impair the confidentiality of information obtained from a protected computer without authorization"); (2) Sullivan had knowledge of the commission of that felony; (3) Sullivan knew that the conduct was a federal felony; (4) Sullivan failed to notify federal authorities; and (5) he took an affirmative act to conceal the crime. For this offense there need not be a legal duty to disclose the felony; it is enough that a felony was committed.

Unlike the obstruction statute, the misprision statute requires evidence of concealment. The court held that “[t]he $100,000 payment to the hackers and NDA support this, specifically the provision where the hackers promised that they ‘have not and will not disclose anything about the vulnerabilities’ or their conversations with Uber without written permission.”

I don’t doubt that a prime motivation for paying the very high “bounty” to the hackers and having them execute the NDA was to keep quiet the attack and the vulnerabilities that were exploited.

On the other hand, responsible disclosure principles and bug bounty programs themselves often demand secrecy, particularly for a vulnerability for which no patch yet exists. Microsoft's bug bounty program notes:

CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE
Protecting customers is Microsoft’s highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Microsoft will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

Of course, this compares apples with oranges. The Microsoft program is not a permanent ban on disclosure; it simply enforces coordinated (responsible) disclosure until a fix ships. In addition, the Microsoft program covers any relevant disclosure (vulnerabilities, attacks and so on), not just conduct that would constitute a "felony." Does "conceal and not report" mean "conceal and never report"?

But companies have many reasons for not wanting to disclose felonies committed against them. An employee steals from the company and is terminated under an NDA and a non-disparagement agreement; the company does not report the theft. Did it "conceal and not report" a felony? Certainly. Or take a sextortion case, where attackers obtain access to someone's sexually explicit files or pictures and threaten to release them unless a cryptocurrency payment is made. The victim pays to avoid publicizing the fact that the images exist. Did they "conceal and not report" the felony extortion scheme? You betcha. And if payment of a ransom in a ransomware incident is motivated partly by the company's desire to avoid publicly disclosing that it was hit (and partly to get its files back and get back to work), then, on the court's reasoning, the company is subject to prosecution under the misprision statute.

An overwhelming trend since the 1990s has been to require companies to report data breaches, incidents and, in some cases, material vulnerabilities, whether to the public, to data protection authorities, to law enforcement, to regulators or to third parties by contract. The Sullivan case rests on the principle that, even where there is no duty to report, you may find yourself in legal trouble if you don't.
