Feds Urge 15-Month Sentence for Ex-Uber CSO Joe SullivanSullivan Says Prison Sentence for Him Would Deter Others From Taking CISO Positions
Prosecutors are urging a U.S. federal judge to sentence former Uber CSO Joe Sullivan to 15 months in prison for his role in impeding an investigation into the ride-hailing company's security practices.
A jury convicted Sullivan, 54, in October on two felonies, finding him guilty of obstruction and misprision of a felony, which refers to knowing something is a felony and covering it up (see: Jury Finds Former Uber CSO Joe Sullivan Guilty of Cover-Up).
Sullivan is set for sentencing Thursday in the San Francisco courtroom of District Judge William Orrick. Sullivan's defense attorneys say he should receive no prison time, just probation.
Sullivan's much larger, 61-page written plea for leniency argues that he is extremely unlikely to engage in further criminal conduct and that prison time could deter security personnel from accepting positions as CISOs if incarceration becomes a professional risk.
In a separate letter to Orrick, Sullivan said he regrets his actions, writing that he "set a bad example." Still, he said he's proud of the work he did in locating two hackers who stole Uber driver and rider account data of 57 million individuals, including 600,000 driver's license numbers. "We found them and made sure they knew that if the data were ever publicly exposed, we would hold them accountable," Sullivan wrote.
"I believe this strategy was in the interest of the company, our customers, and our driver partners, and successfully prevented the data from ever being publicly disseminated," he added.
Prosecutors say Sullivan's case comes down to "a powerful person's intentional exploitation of his position to cover up a deeply embarrassing event - an event that also happened to be a crime."
"When given the opportunity to choose between himself and adherence to the law, he chose himself," prosecutors add in their 18-page memo.
Sullivan's tenure as Uber cheif security officer ended in 2017 after he oversaw a payment made in the guise of a bug bounty of $100,000 in bitcoin to the two hackers. Prosecutors have emphasized their case wasn't motivated by Sullivan's response to the hacking incident but by the fact that he concealed it from the Federal Trade Commission, which was investigating Uber for an earlier data breach in 2014.
Sullivan's difficulties began after he gave sworn testimony in November 2016 to the FTC asserting that Uber had encrypted account data and removed keys to its Amazon Web Services account from GitHub repositories. In fact - as the hacking incident that occurred 10 days later revealed - account data had not been encrypted and a private Uber code repository accessed by the hackers with a stolen credential had contained a key to the company's Amazon Web Services account.
Sullivan "set about ensuring that the FTC never learned the truth, either about the 2016 data breach itself or the security vulnerabilities that had allowed it to happen," prosecutors say in their sentencing memo.
Defense attorneys point to concern in the CISO community that a prison sentence would cause CISOs to refrain from acting quickly in a crisis for fear of courting a similar fate. "Not only is a custodial sentence unnecessary to deter wrongful conduct - it would create the real risk of undesirable negative consequences by over-deterring socially worthy conduct," they wrote.
Prosecutors said that argument overlooks the facts. "The case arises in the context of cybersecurity, but it is not about cybersecurity," they wrote. "It is about old-fashioned obstruction of justice, which has always been illegal, no matter what industry one works in."