A CISO's Guide to Avoiding Jail After a Breach

In April 2016, President Barack Obama appointed Uber chief security officer (CSO) Joe Sullivan to the so-called Commission on Enhancing National Cybersecurity. Four years later, Sullivan was researching prisons, and how to stay safe and sane while on the inside.

He was a strangely cast felon, having spent the first eight years of his career moving up the ladder at the US Department of Justice, and the following half-decade as an assistant US attorney. He'd even prosecuted the first-ever case pertaining to the Digital Millennium Copyright Act (DMCA), United States v. Elcom Ltd., on behalf of the government.

Suffice it to say that few people on earth understood the laws, the business, and the reality of cybersecurity better than Sullivan did. But for having mishandled a major data breach in November 2016, he's still defending himself in court to this day.

"The US government has so much power, and it can steamroll people in a really unfair way," says Jess Nall, a partner at Baker McKenzie LLP. "What's evolved in the last 10 years is that CISOs and other information security professionals — including privacy and data security lawyers, and other infosec personnel — are getting thrown under the bus when major cyberattacks happen."

Nall has experience with this firsthand, having successfully defended employees of Yahoo following its historic, farcical breaches. Now, in a presentation at Black Hat 2024, she's going to share what she's learned. The upshot? Security leaders are being targeted and prosecuted like never before, but the smart ones can take steps now to avoid that fate.

The Federal Government v. CISOs

For years, the government has been trying carrots and sticks that might get companies to better steward their user data. On that long history, Sullivan tells Dark Reading, "I think we're in the ugly middle period right now."

When he worked for the Obama administration, he recalls, "The thing we wrestled with the most was: How does the federal government get corporations to commit to doing more in cybersecurity? And the approach for a long time was public-private partnerships and collaboration. You still see versions of that with a lot of the work that [the Cybersecurity and Infrastructure Security Agency] does. But the Biden administration came out with their National Cybersecurity policy in March 2023 that says, very clearly, that we've decided to shift responsibility to those that have the means to do so — larger corporations in the private sector."

With a polarized and flaccid Congress, lawsuits are a kind of back road for forcing good corporate behavior. "The executive branch is getting yelled at by people [about cybersecurity], and is turning to enforcement actions because you can regulate by law, or you can regulate by precedent. So each case that the government brings is an effort at creating a precedent," Sullivan explains.

Of course, suing anonymous or foreign hackers does nothing for no one. "And so who do they want to make an example of, for deterrence reasons?" Nall asks, rhetorically. "It's usually somebody here in the US, usually somebody at one of these companies that's been attacked."

The idea is that a threat of legal penalty will light a fire under otherwise misguided, negligent, or malicious security leaders. But there are whispers that it's already having other, less desirable effects.

"There's already such a strong need for cybersecurity professionals, and I think anything that we're doing as a country to deter that is bad. And I think people are somewhat more reluctant to take on the CISO role," Nall says. When the best of the best are ambivalent about taking lead, she adds, "I've heard this: that people are going into the role junior, and being pressed into service they're not quite [ready for]. There's such a demand that the quality control on who's in that role is falling. I think you are going to see a degradation in quality in the defenders of all of our data."

What Security Leaders Can Do

The key to avoiding trouble as a security leader, Nall says, is awareness of three things: how government investigations work, how the government interacts with companies during the process, and the incentives companies have to resolve their cases in one way or another.

When push comes to shove, for example, companies will be pressured to name and shame individuals. In his proceedings, Sullivan's legal team painted a picture of a company (Uber) trying to rebrand itself, and holding him up as a lamb to the slaughter.

"It's very unfortunate because the consequences are faced by one individual, or a few individuals, although the ability to make sure that [an incident] doesn't happen is a community-based effort within organizations," says ArmorCode's Karthik Swarnam, formerly chief information security officer (CISO) of Kroger, DIRECTV, and TransUnion.

To avoid being singled out (and because it's good security practice), CISOs should focus on building clear and robust lines of communication that bring other board members into the cybersecurity decision-making process.

"You need to first of all establish a risk council, in which you would have roles and responsibilities clearly defined," Swarnam recommends, adding, "Managing risk takes two things: communicating the risk to the right individuals and right organizations, and working with them on a plan to get that right."

Communication and collaboration, Nall and Sullivan agree, are the safety net that security leaders will fall back on when the worst comes to pass.

"That's ultimately the through line between all these cases: that communication between the cross-functional groups wasn't there to the extent it needed to be," Nall says. "And the people who took the brunt of that were not the lawyers, were not the execs, were not the board. It was infosec."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two ransomware negotiators about how they interact with cybercriminals, including how they brokered a deal to restore operations in a hospital NICU where lives were at stake, and how they helped a church where the attackers themselves "got a little religion." Listen now!