Joe Sullivan (Internet security expert)

Last updated
Joe Sullivan
Born
Joseph Edmund Sullivan

1968 (age 5455)
Rutland, Vermont
Alma mater University of Miami School of Law (1993)
Occupation(s)Internet security expert, CSO at Cloudflare
Years active1993 - present time
Organisation(s) National Cyber Security Alliance (2011-2016), National Action Alliance for Suicide Prevention (2012), Commission on Enhancing National Cybersecurity (2016)
Known forChief Security Officer at Facebook (2010-2015) and Uber (2015-2017)

Joe Sullivan (born in 1968) is an American Internet security expert. Having served as a federal prosecutor with the United States Department of Justice, he worked as a CSO at Facebook, Uber and Cloudflare. For his role in covering up the 2016 data breaches at Uber, he was convicted in October 2022 on federal felony charges of obstruction and misprision. [1] In January 2023, he took on the role of CEO of Ukraine Friends, a nonprofit focused on humanitarian aid to Ukraine.

Contents

Early life and education

Sullivan was born in 1968 in Rutland, Vermont. [2] [3] He grew up in Cambridge, Massachusetts. [4] Sullivan graduated from Matignon High School in 1986, earned his Bachelor of Arts degree at Providence College in 1990, and graduated from the University of Miami School of Law in 1993. [2]

Career

US Department of Justice

After law school, Sullivan spent the first eight years of his career in the Department of Justice, having started as an intern at the DOJ Miami office in 1992 and then ultimately working at the San-Francisco office with Robert Mueller. [5] From 1997 to 1999, he served as Assistant United States Attorney at the District of Nevada in Las Vegas. [5]

From 2000 to 2002, Sullivan worked as Assistant US Attorney at the Northern District of California. [6] He was a founding member of the Computer Hacking and Intellectual Property unit at the Northern District of California. [7] In 2001 and 2002, together with Scott Frewing he represented the U.S. government in United States v. Elcom Ltd. case, the first prosecution in the U.S. under the Digital Millennium Copyright Act. [8] [9] Sullivan also worked on multiple cybercrime cases including digital evidence aspects of the 9/11 investigation, economic espionage and child predator cases. [10]

eBay

In April 2002, Sullivan joined eBay in as Senior Director of Trust and Safety. [11] [12] In a September 2006 United States congressional hearing, he described his duties as "overseeing company relations with law enforcement and regulatory agencies in the United States and Canada, directing the company's Fraud Investigations team and determining policies related to listing of items on eBay". [13] In 2003, he was criticized by Yuval Dror at the Haaretz newspaper for being willing to share eBay user's personal data with law-enforcement agencies potentially without proper legal framework. [14] [15] From 2006 to 2008 he was an Associate General Counsel at PayPal. [11] One of his top priorities was preventing phishing scams. [16]

Facebook

In 2008, he started at Facebook first as an attorney, and next as its Chief Security Officer (2010-2015). [4] Sullivan assembled a security team to handle requests from law enforcement agencies globally and fight various types of cybercrime within the social network. [4] [7] He introduced a practice of security hackathons and bug bounty programs both internally and externally, encouraging coders to find vulnerabilities. [17] [18] His team was handling complicated and large-scale security issues such as an attempt to hack the accounts of Tunisian Facebook users in the 2011 "Arab Spring" during the Tunisian Revolution. [19] [20]

Sullivan also gained a reputation as an expert at fighting online bullying. He testified on this subject before Congress in 2010, [21] and was invited to the first White House Conference on Bullying Prevention in 2011. [22]

Uber

In Spring 2015, Sullivan joined Uber as its first CSO, at the time when the company was experiencing multiple safety and security issues. [23] [24] His primary focus was on safety of riders and drivers, both in the digital space and in the physical world. [25] As an example, he was involved in investigating the 2016 Kalamazoo shootings. [26]

In November 2017, Sullivan and Craig Clark, a senior lawyer at the company, were fired for allegedly covering up a major data breach in 2016 and paying hackers $100,000. [27] [28] Later in 2018, Reuters reported that the decision not to disclose the breach was made by the company's legal department. [29]

Cloudflare

In May 2018, Sullivan joined Cloudflare as the company's first Chief Security Officer. [30] In December 2021, he was among the top Internet security experts who were exploring the Log4Shell vulnerability. [31]

Volunteer government roles

Over the years, Sullivan has held several positions at government agencies and national organizations. From 2011 to 2016, he served as a commissioner at National Cyber Security Alliance, a non-profit organization that promotes cybersecurity and privacy education, [32] [33] where he ran a number of cyber security awareness initiatives. [34] [35] In 2012, he became a board member for the National Action Alliance for Suicide Prevention and co-authored the "2012 National Strategy for Suicide Prevention". [36]

In April 2016, President Obama appointed him as a commissioner on the Commission on Enhancing National Cybersecurity, a government body that was dissolved in December 2016 after releasing recommendations to the White House on how to address the nation's cybersecurity issues. [37]

2016 Uber Data Breach, Trial and Conviction

In August 2020, the US Department of Justice announced criminal charges against Sullivan for obstruction of justice for his handling of the 2016 data breaches at Uber. The criminal complaint said Sullivan arranged, with CEO Travis Kalanick's knowledge, to pay a ransom for the breach as a "bug bounty" to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data. [38] In December 2021, he faced additional charges of wire fraud. [39]

On October 6, 2022, Sullivan was convicted of one count of obstruction of justice, and one count of misprision of felony. [40] [41] He was sentenced to three years probation on May 4, 2023. [42] The trial of Sullivan represented the first United States federal prosecution of a corporate executive for the handling of a data breach. [43]

Bibliography

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cyber security, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. There are numerous measures available to prevent cyberattacks.

<span class="mw-page-title-main">Timeline of Internet conflicts</span>

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

<span class="mw-page-title-main">Jeff Moss (hacker)</span> American computer security expert

Jeff Moss, also known as Dark Tangent, is an American hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences.

<span class="mw-page-title-main">Data breach</span> Intentional or unintentional release of secure information

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice, organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".

<span class="mw-page-title-main">Bill Conner</span> American businessman

F. William Conner is an American business executive. Conner has worked across a variety of high-tech industries, specializing in corporate turnaround, cybersecurity, data and infrastructure.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

Mandiant is an American cybersecurity firm and a subsidiary of Google. It rose to prominence in February 2013 when it released a report directly implicating China in cyber espionage. In December 2013, Mandiant was acquired by FireEye for $1 billion, who eventually sold the FireEye product line, name, and its employees to Symphony Technology Group for $1.2 billion in June 2021.

Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and Zinc.

Vladislav Anatolievich Horohorin,, alias BadB, is a former hacker and international credit card trafficker who was convicted of wire fraud and served a seven-year prison sentence.

Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.

<span class="mw-page-title-main">Alex Stamos</span> Greek American computer scientist

Alex Stamos is a Greek American computer scientist and adjunct professor at Stanford University's Center for International Security and Cooperation. He is the former chief security officer (CSO) at Facebook. His planned departure from the company, following disagreement with other executives about how to address the Russian government's use of its platform to spread disinformation during the 2016 U.S. presidential election, was reported in March 2018.

<span class="mw-page-title-main">Cybersecurity and Infrastructure Security Agency</span> Agency of the United States Department of Homeland Security

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.

<span class="mw-page-title-main">Chris Krebs</span> American cybersecurity and infrastructure security expert (born 1977)

Christopher Cox Krebs is an American attorney who served as Director of the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security from November 2018 until November 17, 2020, when President Donald Trump fired Krebs for contradicting Trump's claims of election fraud in the 2020 presidential election.

Eric Friedberg is an American lawyer and a former Assistant United States Attorney who specializes in the field of cybercrime, Intellectual Property and Securities Litigation practices

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

<span class="mw-page-title-main">2022 Ukraine cyberattacks</span> Attack on Ukrainian government and websites

During the prelude to the 2022 Russian invasion of Ukraine and the 2022 Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.

<span class="mw-page-title-main">ChongLuaDao</span>

ChongLuaDao is a Vietnamese non-profit cybersecurity organization that helps clients verify the legitimacy of websites and block access to dangerous ones to keep them safe while using the internet. This non-profit project was started by a group of Vietnamese computer security specialist, including Hieu Minh Ngo, a former hacker who is now a technical expert for the National Cyber Security Centre (NCSC), Le Phuoc Hoa, Nguyen Hoang Thang, and Nguyen Hung.

References

  1. "Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records | United States Department of Justice". www.justice.gov. 5 October 2022. Retrieved 17 November 2022.
  2. 1 2 Bessette, Chanelle (2014-07-02). "10 Questions: Joe Sullivan, chief security officer, Facebook". Fortune . Archived from the original on 2020-07-19. Retrieved 2021-12-29.(subscription required)
  3. "31st Annual Irish America Business 100". Irish America (January 2017): 76. Retrieved 2021-12-29 via Issuu.
  4. 1 2 3 Hill, Kashmir (2012-02-22). "Facebook's Top Cop: Joe Sullivan". Forbes . Archived from the original on 2020-12-19. Retrieved 2021-12-29.
  5. 1 2 Westlund, Richard (2015-10-14). "Joseph Sullivan, J.D. '93, Guards Against Security Threats". University of Miami School of Law. Archived from the original on 2015-12-20. Retrieved 2022-01-05.
  6. "Reply Comments of Rasier Ca, LLC on Phase III.B Scoping Memo and Ruling of Assigned Commissioner Track I" (PDF). California Public Utilities Commission. 2017-05-15. p. 2. Archived from the original (PDF) on 2022-01-08. Retrieved 2022-01-08.
  7. 1 2 Mills, Elinor (2011-01-31). "At Facebook, defense is offense". CNET . Archived from the original on 2022-01-08. Retrieved 2022-01-08.
  8. "Russian National Enters into Agreement with the United States on First Digital Millennium Copyright Act Case" (Press release). United States Department of Justice. 2001-12-13. Archived from the original on 2021-04-01. Retrieved 2022-01-08.
  9. Manjoo, Farhad (2002-04-01). "Adobe-Hack Lawyers: Toss the Case". Wired . Archived from the original on 2021-04-10. Retrieved 2022-01-08.
  10. Hempel, Jessi (2015-04-02). "Uber Just Poached Facebook's Security Chief Joe Sullivan". Wired . Archived from the original on 2015-04-02. Retrieved 2022-01-08.
  11. 1 2 "President Obama Announces More Key Administration Posts" (Press release). Washington, D.C.: Executive Office of the President of the United States. 2016-04-13. Archived from the original on 2021-03-22. Retrieved 2021-12-31.
  12. Hoppin, Jason (2002-05-07). "Assistant U.S. Attorney Takes Job With EBay". Law.com. Archived from the original on 2021-03-01. Retrieved 2022-01-08.
  13. Deleting Commercial Pornography Sites from the Internet: The U.S. Financial Industry's Efforts to Combat this Problem: Hearing Before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, House of Representatives, One Hundred Ninth Congress, Second Session. Vol. 4. United States Government Publishing Office. September 21, 2006. p. 66. ISBN   9780160783104 . Retrieved 2021-12-31 via Google Books.
  14. Dror, Yuval (2003-02-20). "Big Brother Is Watching You - and Documenting". Haaretz . Archived from the original on 2021-11-15. Retrieved 2021-12-31.
  15. Walter, Martin (2011). Mathematics for the Environment. CRC Press. p. 417. ISBN   9781439834732 . Retrieved 2021-12-31 via Google Books.
  16. Kirk, Jeremy (2007-03-27). "PayPal asking e-mail services to block messages". networkworld.com. Archived from the original on 2021-12-31. Retrieved 2021-12-31.
  17. Segall, Laurie (2011-08-30). "Facebook pays $40,000 to bug spotters". CNN Money . Archived from the original on 2011-10-15. Retrieved 2022-01-15.
  18. Constine, Josh (2014-03-18). "Inside Facebook's Efforts To Fortify Security In A Post-Snowden World". TechCrunch . Archived from the original on 2021-04-15. Retrieved 2022-01-15.
  19. Gobry, Pascal-Emmanuel (2011-01-24). "How The Tunisian Government Tried To Steal The Entire Country's Facebook Passwords". Business Insider . Archived from the original on 2020-11-11. Retrieved 2022-01-15.
  20. Madrigal, Alexis C. (2011-01-24). "The Inside Story of How Facebook Responded to Tunisian Hacks". The Atlantic . Archived from the original on 2021-12-11. Retrieved 2022-01-15.
  21. "Hearing before the Subcommitee on Crime, Terrorism, and Homeland Security of the Committee on the Judiciary House of Representatives". United States Government Publishing Office. 2010-07-28. Archived from the original on 2022-01-21. Retrieved 2022-01-21.
  22. Shepherd, Shawna (2011-03-10). "White House conference tackles bullying". CNN. Archived from the original on 2011-03-13. Retrieved 2022-01-21.
  23. The New York Times Editorial Staff (2018). Hacking and Data Privacy: How Exposed Are We?. Rosen Publishing. p. 122. ISBN   9781642820836 via Google Books.
  24. Isaac, Mike (2015-04-02). "Uber Hires a Security Chief From Facebook". The New York Times . Archived from the original on 2015-04-05. Retrieved 2022-01-21.
  25. Lashinsky, Adam (2017). Wild Ride: Inside Uber's Quest for World Domination. Penguin Books. p. 142. ISBN   9780735211407 via Google Books.
  26. Bowles, Nellie (2016-02-22). "Kalamazoo shooting spree puts Uber in spotlight over safety concerns". The Guardian . San Francisco. Archived from the original on 2021-06-18. Retrieved 2022-01-21.
  27. Weise, Elizabeth (2017-11-27). "Uber paid hackers $100,000 to hide year-old breach of 57 million users". USA Today . Archived from the original on 2021-11-27. Retrieved 2022-01-21.
  28. Perlroth, Nicole; Isaac, Mike (2018-01-12). "Inside Uber's $100,000 Payment to a Hacker, and the Fallout". The New York Times . San Francisco. Archived from the original on 2021-04-03. Retrieved 2022-01-21.
  29. Menn, Joseph; Somerville, Heather (2018-01-13). "Exclusive: Current and former Uber security staffers cast doubt on spying claims". Reuters . Archived from the original on 2020-07-19. Retrieved 2022-01-21.
  30. Aiello, Chloe (2018-05-16). "Fired Uber cybersecurity chief Joe Sullivan was just hired to run security at start-up Cloudflare". CNBC. Archived from the original on 2021-02-26. Retrieved 2022-01-01.
  31. Miller, Maggie (2021-12-10). "Officials, experts sound the alarm about critical cyber vulnerability". The Hill . Archived from the original on 2021-12-20. Retrieved 2022-01-01.
  32. "Facebook Chief Security Officer Joins National Cyber Security Alliance Board". securitytoday.com. 2011-02-07. Archived from the original on 2022-01-01. Retrieved 2022-01-01.
  33. "Joseph Sullivan". National Cyber Security Alliance . 26 April 2016. Archived from the original on 2022-01-01. Retrieved 2022-01-01.
  34. Perez, Sarah (2012-10-22). "Facebook Donates $250,000 To The University of Alabama At Birmingham Using Money Acquired From Spammers". TechCrunch . Archived from the original on 2022-01-01. Retrieved 2022-01-03.
  35. Tomkins, Richard (2014-10-01). "Nashville event kicks off National Cyber Security Awareness Month". United Press International . Archived from the original on 2020-11-11. Retrieved 2022-01-03.
  36. "2012 National Strategy for Suicide Prevention: Goals and Objectives for Action" (PDF). Surgeon General of the United States. 2012. Archived from the original (PDF) on 2018-08-20. Retrieved 2021-01-03.
  37. Rockwell, Mark (2016-12-02). "53 steps to stronger cybersecurity". Federal Computer Week . Archived from the original on 2022-01-01. Retrieved 2022-01-01.
  38. Bond, Shannon (2020-08-20). "Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach". NPR. Archived from the original on 2022-01-21. Retrieved 2022-01-21.
  39. Shneider, Joe (2021-12-23). "Uber Ex-Security Chief Faces Additional Charge". Bloomberg News . Archived from the original on 2021-12-26. Retrieved 2022-01-21.
  40. Menn, Joseph (2022-10-06). "Former Uber security chief convicted of covering up 2016 data breach". Washington Post . Archived from the original on 2022-10-05. Retrieved 2022-10-06.
  41. Newman, Lily Hay. "The Uber Data Breach Conviction Shows Security Execs What Not to Do". Wired. Retrieved 17 November 2022.
  42. Menn, Joseph (May 4, 2023). "Former Uber security chief Sullivan avoids prison in data breach case". Washington Post. Retrieved May 5, 2023.
  43. "The Fallout From the First Trial of a Corporate Executive for 'Covering Up' a Data Breach". Lawfare. 19 October 2022. Retrieved 17 November 2022.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.