Joe Sullivan (Internet security expert)

Last updated
Joe Sullivan
Born
Joseph Edmund Sullivan

1968 (age 5556)
Rutland, Vermont
Alma mater University of Miami School of Law (1993)
Occupation(s)Internet security expert, CSO at Cloudflare
Years active1993 - present time
Organisation(s) National Cyber Security Alliance (2011-2016), National Action Alliance for Suicide Prevention (2012), Commission on Enhancing National Cybersecurity (2016)
Known forChief Security Officer at Facebook (2010-2015) and Uber (2015-2017)

Joe Sullivan (born in 1968) is an American Internet security expert. Having served as a federal prosecutor with the United States Department of Justice, he worked as a CSO at Facebook, Uber and Cloudflare. For his role in covering up the 2016 data breaches at Uber, he was convicted in October 2022 on federal felony charges of obstruction and misprision. [1] In January 2023, he took on the role of CEO of Ukraine Friends, a nonprofit focused on humanitarian aid to Ukraine. [2]

Contents

Early life and education

Sullivan was born in 1968 in Rutland, Vermont. [3] [4] He grew up in Cambridge, Massachusetts. [5] Sullivan graduated from Matignon High School in 1986, earned his Bachelor of Arts degree at Providence College in 1990, and graduated from the University of Miami School of Law in 1993. [3]

Career

US Department of Justice

After law school, Sullivan spent the first eight years of his career in the Department of Justice, having started as an intern at the DOJ Miami office in 1992 and then ultimately working at the San-Francisco office with Robert Mueller. [6] From 1997 to 1999, he served as Assistant United States Attorney at the District of Nevada in Las Vegas. [6]

From 2000 to 2002, Sullivan worked as Assistant US Attorney at the Northern District of California. [7] He was a founding member of the Computer Hacking and Intellectual Property unit at the Northern District of California. [8] In 2001 and 2002, together with Scott Frewing he represented the U.S. government in United States v. Elcom Ltd. case, the first prosecution in the U.S. under the Digital Millennium Copyright Act. [9] [10] Sullivan also worked on multiple cybercrime cases including digital evidence aspects of the 9/11 investigation, economic espionage and child predator cases. [11]

eBay

In April 2002, Sullivan joined eBay in as Senior Director of Trust and Safety. [12] [13] In a September 2006 United States congressional hearing, he described his duties as "overseeing company relations with law enforcement and regulatory agencies in the United States and Canada, directing the company's Fraud Investigations team and determining policies related to listing of items on eBay". [14] In 2003, he was criticized by Yuval Dror at the Haaretz newspaper for being willing to share eBay user's personal data with law-enforcement agencies potentially without proper legal framework. [15] [16] From 2006 to 2008 he was an Associate General Counsel at PayPal. [12] One of his top priorities was preventing phishing scams. [17]

Facebook

In 2008, he started at Facebook first as an attorney, and next as its Chief Security Officer (2010-2015). [5] Sullivan assembled a security team to handle requests from law enforcement agencies globally and fight various types of cybercrime within the social network. [5] [8] He introduced a practice of security hackathons and bug bounty programs both internally and externally, encouraging coders to find vulnerabilities. [18] [19] His team was handling complicated and large-scale security issues such as an attempt to hack the accounts of Tunisian Facebook users in the 2011 "Arab Spring" during the Tunisian Revolution. [20] [21]

Sullivan also gained a reputation as an expert at fighting online bullying. He testified on this subject before Congress in 2010, [22] and was invited to the first White House Conference on Bullying Prevention in 2011. [23]

Uber

In Spring 2015, Sullivan joined Uber as its first CSO, at the time when the company was experiencing multiple safety and security issues. [24] [25] His primary focus was on safety of riders and drivers, both in the digital space and in the physical world. [26] As an example, he was involved in investigating the 2016 Kalamazoo shootings. [27]

In November 2017, Sullivan and Craig Clark, a senior lawyer at the company, were fired for allegedly covering up a major data breach in 2016 and paying hackers $100,000. [28] [29] Later in 2018, Reuters reported that the decision not to disclose the breach was made by the company's legal department. [30]

Cloudflare

In May 2018, Sullivan joined Cloudflare as the company's first chief security officer. [31] In December 2021, he was among the top Internet security experts who were exploring the Log4Shell vulnerability. [32]

Volunteer government roles

Over the years, Sullivan has held several positions at government agencies and national organizations. From 2011 to 2016, he served as a commissioner at National Cyber Security Alliance, a non-profit organization that promotes cybersecurity and privacy education, [33] [34] where he ran a number of cyber security awareness initiatives. [35] [36] In 2012, he became a board member for the National Action Alliance for Suicide Prevention and co-authored the "2012 National Strategy for Suicide Prevention". [37]

In April 2016, President Obama appointed him as a commissioner on the Commission on Enhancing National Cybersecurity, a government body that was dissolved in December 2016 after releasing recommendations to the White House on how to address the nation's cybersecurity issues. [38]

2016 Uber Data Breach, Trial and Conviction

In August 2020, the US Department of Justice announced criminal charges against Sullivan for obstruction of justice for his handling of the 2016 data breaches at Uber. The criminal complaint said Sullivan arranged, with CEO Travis Kalanick's knowledge, to pay a ransom for the breach as a "bug bounty" to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data. [39] In December 2021, he faced additional charges of wire fraud. [40]

On October 6, 2022, Sullivan was convicted of one count of obstruction of justice, and one count of misprision of felony. [41] [42] He was sentenced to three years probation on May 4, 2023. [43] The trial of Sullivan represented the first United States federal prosecution of a corporate executive for the handling of a data breach. [44]

Bibliography

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

<span class="mw-page-title-main">Timeline of Internet conflicts</span>

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

<span class="mw-page-title-main">Jeff Moss (hacker)</span> American computer security expert (born 1975)

Jeff Moss, also known as Dark Tangent, is an American hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences.

Fidelis Security, LLC is an American cybersecurity company focused on threat detection, hunting, and targeted response of advanced threats and data breaches. The company was established in 2002 by Timothy Sullivan, a former Marine commander, and Gene Savchuk, a technologist. Among its customers includes IBM, the United States Army and the United States Department of Commerce.

<span class="mw-page-title-main">Palo Alto Networks</span> American technology company

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. The company serves over 70,000 organizations in over 150 countries, including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.

Mandiant is an American cybersecurity firm and a subsidiary of Google. Mandiant received attention in February 2013 when it released a report directly implicating China in cyber espionage. In December 2013, Mandiant was acquired by FireEye for $1 billion, who eventually sold the FireEye product line, name, and its employees to Symphony Technology Group for $1.2 billion in June 2021.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.

Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.

<span class="mw-page-title-main">Alex Stamos</span> Greek American computer scientist

Alex Stamos is an American computer scientist and adjunct professor at Stanford University's Center for International Security and Cooperation. He is the former chief security officer (CSO) at Facebook. His planned departure from the company, following disagreement with other executives about how to address the Russian government's use of its platform to spread disinformation during the 2016 U.S. presidential election, was reported in March 2018.

<span class="mw-page-title-main">Anomali</span> American cybersecurity company

Anomali Inc. is an American cybersecurity company that develops and provides threat intelligence products. In 2023, the company moved into providing security analytics powered by artificial intelligence (AI).

<span class="mw-page-title-main">Cybersecurity and Infrastructure Security Agency</span> Agency of the United States Department of Homeland Security

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.

<span class="mw-page-title-main">Chris Krebs</span> American cybersecurity and infrastructure security expert (born 1977)

Christopher Cox Krebs is an American attorney who served as Director of the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security from November 2018 until November 17, 2020, when President Donald Trump fired Krebs for contradicting Trump's claims of election fraud in the 2020 presidential election.

Double Dragon is a hacking organization with alleged ties to the Chinese Ministry of State Security (MSS). Classified as an advanced persistent threat, the organization was named by the United States Department of Justice in September 2020 in relation to charges brought against five Chinese and two Malaysian nationals for allegedly compromising more than 100 companies around the world.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

The Cyber Safety Review Board was established by United States Secretary of Homeland Security Alejandro Mayorkas on February 3, 2022. Modeled after the National Transportation Safety Board, the Board reviews significant cybersecurity incidents and issues reports. President Joe Biden directed the Board's creation through Section 5 of Executive Order 14028, issued on May 12, 2021.

Namespace security is a digital security discipline that refers to the practices and technologies employed to protect the names and identifiers within a digital namespace from unauthorized access, manipulation, or misuse. It involves ensuring the integrity and security of domain names and other digital identifiers within networked environments, such as the Internet's Domain Name System (DNS), software development namespaces and containerization platforms. Effective namespace security is crucial for maintaining the reliability and trustworthiness of brands and their digital services and for preventing cyber threats including impersonation, domain name hijacking or spoofing of digital identifiers like domain names and social media handles.

References

  1. "Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records | United States Department of Justice". www.justice.gov. 5 October 2022. Retrieved 17 November 2022.
  2. Friends, Ukraine (2023-02-22). "Joe Sullivan Named CEO of Ukraine Friends". ACCESSWIRE News Room. Retrieved 2024-02-06.
  3. 1 2 Bessette, Chanelle (2014-07-02). "10 Questions: Joe Sullivan, chief security officer, Facebook". Fortune . Archived from the original on 2020-07-19. Retrieved 2021-12-29.(subscription required)
  4. "31st Annual Irish America Business 100". Irish America (January 2017): 76. December 2016. Retrieved 2021-12-29 via Issuu.
  5. 1 2 3 Hill, Kashmir (2012-02-22). "Facebook's Top Cop: Joe Sullivan". Forbes . Archived from the original on 2020-12-19. Retrieved 2021-12-29.
  6. 1 2 Westlund, Richard (2015-10-14). "Joseph Sullivan, J.D. '93, Guards Against Security Threats". University of Miami School of Law. Archived from the original on 2015-12-20. Retrieved 2022-01-05.
  7. "Reply Comments of Rasier Ca, LLC on Phase III.B Scoping Memo and Ruling of Assigned Commissioner Track I" (PDF). California Public Utilities Commission. 2017-05-15. p. 2. Archived from the original (PDF) on 2022-01-08. Retrieved 2022-01-08.
  8. 1 2 Mills, Elinor (2011-01-31). "At Facebook, defense is offense". CNET . Archived from the original on 2022-01-08. Retrieved 2022-01-08.
  9. "Russian National Enters into Agreement with the United States on First Digital Millennium Copyright Act Case" (Press release). United States Department of Justice. 2001-12-13. Archived from the original on 2021-04-01. Retrieved 2022-01-08.
  10. Manjoo, Farhad (2002-04-01). "Adobe-Hack Lawyers: Toss the Case". Wired . Archived from the original on 2021-04-10. Retrieved 2022-01-08.
  11. Hempel, Jessi (2015-04-02). "Uber Just Poached Facebook's Security Chief Joe Sullivan". Wired . Archived from the original on 2015-04-02. Retrieved 2022-01-08.
  12. 1 2 "President Obama Announces More Key Administration Posts" (Press release). Washington, D.C.: Executive Office of the President of the United States. 2016-04-13. Archived from the original on 2021-03-22. Retrieved 2021-12-31.
  13. Hoppin, Jason (2002-05-07). "Assistant U.S. Attorney Takes Job With EBay". Law.com. Archived from the original on 2021-03-01. Retrieved 2022-01-08.
  14. Deleting Commercial Pornography Sites from the Internet: The U.S. Financial Industry's Efforts to Combat this Problem: Hearing Before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, House of Representatives, One Hundred Ninth Congress, Second Session. Vol. 4. United States Government Publishing Office. September 21, 2006. p. 66. ISBN   9780160783104 . Retrieved 2021-12-31 via Google Books.
  15. Dror, Yuval (2003-02-20). "Big Brother Is Watching You - and Documenting". Haaretz . Archived from the original on 2021-11-15. Retrieved 2021-12-31.
  16. Walter, Martin (2011). Mathematics for the Environment. CRC Press. p. 417. ISBN   9781439834732 . Retrieved 2021-12-31 via Google Books.
  17. Kirk, Jeremy (2007-03-27). "PayPal asking e-mail services to block messages". networkworld.com. Archived from the original on 2021-12-31. Retrieved 2021-12-31.
  18. Segall, Laurie (2011-08-30). "Facebook pays $40,000 to bug spotters". CNN Money . Archived from the original on 2011-10-15. Retrieved 2022-01-15.
  19. Constine, Josh (2014-03-18). "Inside Facebook's Efforts To Fortify Security In A Post-Snowden World". TechCrunch . Archived from the original on 2021-04-15. Retrieved 2022-01-15.
  20. Gobry, Pascal-Emmanuel (2011-01-24). "How The Tunisian Government Tried To Steal The Entire Country's Facebook Passwords". Business Insider . Archived from the original on 2020-11-11. Retrieved 2022-01-15.
  21. Madrigal, Alexis C. (2011-01-24). "The Inside Story of How Facebook Responded to Tunisian Hacks". The Atlantic . Archived from the original on 2021-12-11. Retrieved 2022-01-15.
  22. "Hearing before the Subcommitee on Crime, Terrorism, and Homeland Security of the Committee on the Judiciary House of Representatives". United States Government Publishing Office. 2010-07-28. Archived from the original on 2022-01-21. Retrieved 2022-01-21.
  23. Shepherd, Shawna (2011-03-10). "White House conference tackles bullying". CNN. Archived from the original on 2011-03-13. Retrieved 2022-01-21.
  24. The New York Times Editorial Staff (2018). Hacking and Data Privacy: How Exposed Are We?. Rosen Publishing. p. 122. ISBN   9781642820836 via Google Books.
  25. Isaac, Mike (2015-04-02). "Uber Hires a Security Chief From Facebook". The New York Times . Archived from the original on 2015-04-05. Retrieved 2022-01-21.
  26. Lashinsky, Adam (2017). Wild Ride: Inside Uber's Quest for World Domination. Penguin Books. p. 142. ISBN   9780735211407 via Google Books.
  27. Bowles, Nellie (2016-02-22). "Kalamazoo shooting spree puts Uber in spotlight over safety concerns". The Guardian . San Francisco. Archived from the original on 2021-06-18. Retrieved 2022-01-21.
  28. Weise, Elizabeth (2017-11-27). "Uber paid hackers $100,000 to hide year-old breach of 57 million users". USA Today . Archived from the original on 2021-11-27. Retrieved 2022-01-21.
  29. Perlroth, Nicole; Isaac, Mike (2018-01-12). "Inside Uber's $100,000 Payment to a Hacker, and the Fallout". The New York Times . San Francisco. Archived from the original on 2021-04-03. Retrieved 2022-01-21.
  30. Menn, Joseph; Somerville, Heather (2018-01-13). "Exclusive: Current and former Uber security staffers cast doubt on spying claims". Reuters . Archived from the original on 2020-07-19. Retrieved 2022-01-21.
  31. Aiello, Chloe (2018-05-16). "Fired Uber cybersecurity chief Joe Sullivan was just hired to run security at start-up Cloudflare". CNBC. Archived from the original on 2021-02-26. Retrieved 2022-01-01.
  32. Miller, Maggie (2021-12-10). "Officials, experts sound the alarm about critical cyber vulnerability". The Hill . Archived from the original on 2021-12-20. Retrieved 2022-01-01.
  33. "Facebook Chief Security Officer Joins National Cyber Security Alliance Board". securitytoday.com. 2011-02-07. Archived from the original on 2022-01-01. Retrieved 2022-01-01.
  34. "Joseph Sullivan". National Cyber Security Alliance . 26 April 2016. Archived from the original on 2022-01-01. Retrieved 2022-01-01.
  35. Perez, Sarah (2012-10-22). "Facebook Donates $250,000 To The University of Alabama At Birmingham Using Money Acquired From Spammers". TechCrunch . Archived from the original on 2022-01-01. Retrieved 2022-01-03.
  36. Tomkins, Richard (2014-10-01). "Nashville event kicks off National Cyber Security Awareness Month". United Press International . Archived from the original on 2020-11-11. Retrieved 2022-01-03.
  37. "2012 National Strategy for Suicide Prevention: Goals and Objectives for Action" (PDF). Surgeon General of the United States. 2012. Archived from the original (PDF) on 2018-08-20. Retrieved 2021-01-03.
  38. Rockwell, Mark (2016-12-02). "53 steps to stronger cybersecurity". Federal Computer Week . Archived from the original on 2022-01-01. Retrieved 2022-01-01.
  39. Bond, Shannon (2020-08-20). "Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach". NPR. Archived from the original on 2022-01-21. Retrieved 2022-01-21.
  40. Shneider, Joe (2021-12-23). "Uber Ex-Security Chief Faces Additional Charge". Bloomberg News . Archived from the original on 2021-12-26. Retrieved 2022-01-21.
  41. Menn, Joseph (2022-10-06). "Former Uber security chief convicted of covering up 2016 data breach". Washington Post . Archived from the original on 2022-10-05. Retrieved 2022-10-06.
  42. Newman, Lily Hay. "The Uber Data Breach Conviction Shows Security Execs What Not to Do". Wired. Retrieved 17 November 2022.
  43. Menn, Joseph (May 4, 2023). "Former Uber security chief Sullivan avoids prison in data breach case". Washington Post. Retrieved May 5, 2023.
  44. "The Fallout From the First Trial of a Corporate Executive for 'Covering Up' a Data Breach". Lawfare. 19 October 2022. Retrieved 17 November 2022.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.