Did Uber throw its CSO under the bus?

Uber’s CSO has been fired, according to a story in The New York Times.

That begs the question — did Uber throw Sullivan under the bus, turning him into a scapegoat for the recently disclosed year-old hack?

Sullivan’s reputation may suffer irreparable harm as a result of the high-profile termination, which is receiving widespread media attention.

That may be OK by the ex-CSO if Uber paid him a 6-figure (or, dare anyone speculate, 7-figure) fee to keep quiet (as part of a non-disclosure, severance or some other agreement) — same as they did for the hackers who stole data and were paid $100,000 to destroy it.

On the other hand, Sullivan may be getting exactly what he deserves — if in fact he knowingly violated the law.

California’s new data security laws, which require businesses and government agencies to disclose hacks in a timely fashion, went into effect Jan. 1, 2016.

Sullivan, an attorney, would, of course, be well aware of those laws.

In fairness to anyone who gets fired, after a hack, they should be able to share their side of the story — especially someone with Sullivan’s background. He spent more than five years as CSO at Facebook and was associate general counsel for the social media giant before that. His resume includes senior legal and security roles at PayPal and eBay, and he was assistant U.S. attorney for the Computer Hacking and IP Unit, Northern District of California.

In an instant, Sullivan may have gone from highly desirable to practically unhirable. Hearing his side of the story could change that.

5 questions for Uber’s ex-CSO

Should Sullivan be allowed to tell his story, here are five questions I hope he can answer:

• Did you intentionally conceal the recently disclosed Uber hack?
• Did you encourage Uber executive management to disclose the hack as required by law?
• Did you negotiate and agree to pay hackers $100,000 to destroy stolen data and keep quiet?
• Did you knowingly fail to encrypt Uber user and driver data, which in effect raised the severity level of the hack?
• Did you pay off the hackers under the guise of a bug bounty program?

If and when Sullivan answers those questions, the cybersecurity community and media will have a much clearer picture of what occurred at Uber last year.

Moving the questions over to a broader cyber forensics investigation, there are many more that Uber needs to answer.

Cyber forensic questions for Uber

Ondrej Krehel, CEO, founder and digital forensics lead at LIFARS — a global digital forensics and cybersecurity intelligence firm based in New York City — supplied five initial questions that his firm would ask if they were investigating the breach:

• How was the hacking incident discovered?
• What actions have been taken on the compromised system by IT administrators?
• How can we obtain or create a digital forensic copy of the compromised system?
• Are there any relevant logs or metadata information that can be beneficial for analysis and forensic triage?
• Can we review technical assessments conducted on the compromised infrastructure, such as secure code review or penetration test or similar?

Once a qualified investigator looks under Uber’s IT hood, there’s a lot more to be learned about the epic failure to disclose.

Regarding Sullivan, he’s innocent until proven guilty.

Visit SteveOnCyber.com to read all of my blogs and articles covering cybersecurity.

Follow me on Twitter @CybersecuritySF, or connect with me on LinkedIn. Send story tips, feedback and suggestions to me here.