Joe Sullivan (Internet security expert) explained

Joe Sullivan
Birth Name: Joseph Edmund Sullivan
Birth Place: Rutland, Vermont
Organisation: National Cyber Security Alliance (2011-2016), National Action Alliance for Suicide Prevention (2012), Commission on Enhancing National Cybersecurity (2016)
Alma Mater: University of Miami School of Law (1993)
Occupation: Internet security expert, CSO at Cloudflare
Years Active: 1993 - present
Known For: Chief Security Officer at Facebook (2010-2015) and Uber (2015-2017)

Joe Sullivan (born in 1968) is an American Internet security expert. Having served as a federal prosecutor with the United States Department of Justice, he worked as a CSO at Facebook, Uber and Cloudflare. For his role in covering up the 2016 data breaches at Uber, he was convicted in October 2022 on federal felony charges of obstruction and misprision.[1] In January 2023, he took on the role of CEO of Ukraine Friends, a nonprofit focused on humanitarian aid to Ukraine.[2]

Early life and education

Sullivan was born in 1968 in Rutland, Vermont.[3] [4] He grew up in Cambridge, Massachusetts.[5] Sullivan graduated from Matignon High School in 1986, earned his Bachelor of Arts degree at Providence College in 1990, and graduated from the University of Miami School of Law in 1993.

Career

US Department of Justice

After law school, Sullivan spent the first eight years of his career in the Department of Justice, having started as an intern at the DOJ Miami office in 1992 and then ultimately working at the San Francisco office with Robert Mueller.[6] From 1997 to 1999, he served as Assistant United States Attorney at the District of Nevada in Las Vegas. From 2000 to 2002, Sullivan worked as Assistant US Attorney at the Northern District of California.[7] He was a founding member of the Computer Hacking and Intellectual Property unit at the Northern District of California.[8] In 2001 and 2002, together with Scott Frewing, he represented the U.S. government in the United States v. Elcom Ltd. case, the first prosecution in the U.S. under the Digital Millennium Copyright Act.[9] [10] Sullivan also worked on multiple cybercrime cases, including digital evidence aspects of the 9/11 investigation, economic espionage and child predator cases.[11]

eBay

In April 2002, Sullivan joined eBay as Senior Director of Trust and Safety.[12] [13] In a September 2006 United States congressional hearing, he described his duties as "overseeing company relations with law enforcement and regulatory agencies in the United States and Canada, directing the company's Fraud Investigations team and determining policies related to listing of items on eBay".[14] In 2003, he was criticized by Yuval Dror at the Haaretz newspaper for being willing to share eBay users' personal data with law-enforcement agencies, potentially without a proper legal framework.[15] [16] From 2006 to 2008, he was an Associate General Counsel at PayPal. One of his top priorities was preventing phishing scams.[17]

Facebook

In 2008, he started at Facebook, first as an attorney and then as its Chief Security Officer (2010-2015). Sullivan assembled a security team to handle requests from law enforcement agencies globally and fight various types of cybercrime within the social network. He introduced a practice of security hackathons and bug bounty programs both internally and externally, encouraging coders to find vulnerabilities.[18] [19] His team handled complicated and large-scale security issues such as an attempt to hack the accounts of Tunisian Facebook users in the 2011 "Arab Spring" during the Tunisian Revolution.[20] [21] Sullivan also gained a reputation as an expert at fighting online bullying. He testified on this subject before Congress in 2010,[22] and was invited to the first White House Conference on Bullying Prevention in 2011.[23]

Uber

In spring 2015, Sullivan joined Uber as its first CSO, at a time when the company was experiencing multiple safety and security issues.[24] [25] His primary focus was on the safety of riders and drivers, both in the digital space and in the physical world.[26] As an example, he was involved in investigating the 2016 Kalamazoo shootings.[27] In November 2017, Sullivan and Craig Clark, a senior lawyer at the company, were fired for allegedly covering up a major data breach in 2016 and paying hackers $100,000.[28] [29] Later in 2018, Reuters reported that the decision not to disclose the breach was made by the company's legal department.[30]

Cloudflare

In May 2018, Sullivan joined Cloudflare as the company's first Chief Security Officer.[31] In December 2021, he was among the top Internet security experts who were exploring the Log4Shell vulnerability.[32]

Volunteer government roles

Over the years, Sullivan has held several positions at government agencies and national organizations. From 2011 to 2016, he served as a commissioner at the National Cyber Security Alliance, a non-profit organization that promotes cybersecurity and privacy education,[33] [34] where he ran a number of cyber security awareness initiatives.[35] [36] In 2012, he became a board member for the National Action Alliance for Suicide Prevention and co-authored the "2012 National Strategy for Suicide Prevention".[37] In April 2016, President Obama appointed him as a commissioner on the Commission on Enhancing National Cybersecurity, a government body that was dissolved in December 2016 after releasing recommendations to the White House on how to address the nation's cybersecurity issues.[38]

2016 Uber Data Breach, Trial and Conviction

In August 2020, the US Department of Justice announced criminal charges against Sullivan for obstruction of justice for his handling of the 2016 data breaches at Uber. The criminal complaint said Sullivan arranged, with CEO Travis Kalanick's knowledge, to pay a ransom for the breach as a "bug bounty" to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data.[39] In December 2021, he faced additional charges of wire fraud.[40]

On October 6, 2022, Sullivan was convicted of one count of obstruction of justice and one count of misprision of felony.[41] [42] He was sentenced to three years' probation on May 4, 2023.[43] The trial of Sullivan represented the first United States federal prosecution of a corporate executive for the handling of a data breach.[44]

Bibliography

Notes and References

  1. Web site: Former Chief Security Officer Of Uber Convicted Of Federal Charges For Covering Up Data Breach Involving Millions Of Uber User Records United States Department of Justice. www.justice.gov. 17 November 2022. 5 October 2022.
  2. Web site: Ukraine Friends. 2023-02-22. Joe Sullivan Named CEO of Ukraine Friends. 2024-02-06. ACCESSWIRE News Room.
  3. Web site: 10 Questions: Joe Sullivan, chief security officer, Facebook. Bessette. Chanelle. Fortune. 2014-07-02. https://web.archive.org/web/20200719224141/http://fortune.com/2014/07/02/10-questions-joe-sullivan-chief-security-officer-facebook/. 2020-07-19. 2021-12-29.
  4. 31st Annual Irish America Business 100. Irish America. December 2016. 76. January 2017. Issuu. 2021-12-29.
  5. Web site: Facebook's Top Cop: Joe Sullivan. Hill. Kashmir. Forbes. 2012-02-22. https://web.archive.org/web/20201219212752/https://www.forbes.com/sites/kashmirhill/2012/02/22/facebooks-top-cop-joe-sullivan/. 2020-12-19. 2021-12-29.
  6. Web site: Joseph Sullivan, J.D. '93, Guards Against Security Threats. Westlund. Richard. University of Miami School of Law. 2015-10-14. https://web.archive.org/web/20151220152515/https://www.law.miami.edu/news/2015/october/joseph-sullivan-jd-%E2%80%9993-guards-against-security-threats. 2015-12-20. 2022-01-05.
  7. Web site: Reply Comments of Rasier Ca, LLC on Phase III.B Scoping Memo and Ruling of Assigned Commissioner Track I. 2. California Public Utilities Commission. 2017-05-15. https://web.archive.org/web/20220108085916/https://docs.cpuc.ca.gov/PublishedDocs/Efile/G000/M190/K624/190624373.PDF. 2022-01-08. 2022-01-08.
  8. Web site: At Facebook, defense is offense. Mills. Elinor. CNET. 2011-01-31. https://web.archive.org/web/20220108182039/https://www.cnet.com/tech/services-and-software/at-facebook-defense-is-offense/. 2022-01-08. 2022-01-08.
  9. Russian National Enters into Agreement with the United States on First Digital Millennium Copyright Act Case. United States Department of Justice. 2001-12-13. https://web.archive.org/web/20210401001458/https://www.justice.gov/archive/criminal/cybercrime/press-releases/2001/sklyarovAgree.htm. 2021-04-01. 2022-01-08.
  10. Adobe-Hack Lawyers: Toss the Case. Manjoo. Farhad. Wired. 2002-04-01. https://web.archive.org/web/20210410183434/http://www.wired.com/2002/04/adobe-hack-lawyers-toss-the-case/. 2021-04-10. 2022-01-08.
  11. Uber Just Poached Facebook's Security Chief Joe Sullivan. Hempel. Jessi. Wired. 2015-04-02. https://web.archive.org/web/20150402174537/https://www.wired.com/2015/04/facebook-security-chief-joe-sullivan-join-uber. 2015-04-02. 2022-01-08.
  12. President Obama Announces More Key Administration Posts. Executive Office of the President of the United States. Washington, D.C.. 2016-04-13. https://web.archive.org/web/20210322141834/https://obamawhitehouse.archives.gov/the-press-office/2016/04/13/president-obama-announces-more-key-administration-posts. 2021-03-22. 2021-12-31.
  13. Web site: Assistant U.S. Attorney Takes Job With EBay. Hoppin. Jason. Law.com. 2002-05-07. https://web.archive.org/web/20210301064145/https://www.law.com/almID/900005530164/. 2021-03-01. 2022-01-08.
  14. Book: Deleting Commercial Pornography Sites from the Internet: The U.S. Financial Industry's Efforts to Combat this Problem: Hearing Before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, House of Representatives, One Hundred Ninth Congress, Second Session. September 21, 2006. 66. 4. United States Government Publishing Office. 9780160783104. Google Books. 2021-12-31.
  15. News: Big Brother Is Watching You - and Documenting. Dror. Yuval. Haaretz. 2003-02-20. https://web.archive.org/web/20211115014150/https://www.haaretz.com/1.4900415. 2021-11-15. 2021-12-31.
  16. Book: Walter, Martin. Mathematics for the Environment. CRC Press. 2011. 417. 9781439834732. Google Books. 2021-12-31.
  17. Web site: PayPal asking e-mail services to block messages. Kirk. Jeremy. networkworld.com. 2007-03-27. https://archive.today/20211231142556/https://www.networkworld.com/article/2296999/paypal-asking-e-mail-services-to-block-messages.html. 2021-12-31. 2021-12-31.
  18. Web site: Facebook pays $40,000 to bug spotters. Segall. Laurie. CNN Money. 2011-08-30. https://web.archive.org/web/20111015043425/https://money.cnn.com/2011/08/30/technology/facebook_bug_bounty/index.htm. 2011-10-15. 2022-01-15.
  19. Web site: Inside Facebook's Efforts To Fortify Security In A Post-Snowden World. Constine. Josh. TechCrunch. 2014-03-18. https://web.archive.org/web/20210415113229/https://techcrunch.com/2014/03/18/facebook-security/. 2021-04-15. 2022-01-15.
  20. Web site: How The Tunisian Government Tried To Steal The Entire Country's Facebook Passwords. Gobry. Pascal-Emmanuel. Business Insider. 2011-01-24. https://web.archive.org/web/20201111231423/https://www.businessinsider.com/tunisia-facebook-2011-1?r=DE&IR=T. 2020-11-11. 2022-01-15.
  21. Web site: The Inside Story of How Facebook Responded to Tunisian Hacks. Madrigal. Alexis C.. The Atlantic. 2011-01-24. https://web.archive.org/web/20211211203858/https://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/. 2021-12-11. 2022-01-15.
  22. Web site: Hearing before the Subcommittee on Crime, Terrorism, and Homeland Security of the Committee on the Judiciary House of Representatives. United States Government Publishing Office. 2010-07-28. https://web.archive.org/web/20220121184409/https://www.govinfo.gov/content/pkg/CHRG-111hhrg57673/html/CHRG-111hhrg57673.htm. 2022-01-21. 2022-01-21.
  23. Web site: White House conference tackles bullying. Shepherd. Shawna. CNN. 2011-03-10. https://web.archive.org/web/20110313095415/http://edition.cnn.com/2011/POLITICS/03/10/obama.bullying/index.html. 2011-03-13. 2022-01-21.
  24. Book: Hacking and Data Privacy: How Exposed Are We?. The New York Times Editorial Staff. 122. Rosen Publishing. 2018. 9781642820836. Google Books.
  25. Web site: Uber Hires a Security Chief From Facebook. Isaac. Mike. The New York Times. 2015-04-02. https://web.archive.org/web/20150405005420/https://www.nytimes.com/2015/04/03/technology/uber-hires-a-security-chief-from-facebook.html. 2015-04-05. 2022-01-21.
  26. Book: Lashinsky, Adam. Wild Ride: Inside Uber's Quest for World Domination. 142. Penguin Books. 2017. 9780735211407. Google Books.
  27. News: Kalamazoo shooting spree puts Uber in spotlight over safety concerns. Bowles. Nellie. San Francisco. The Guardian. 2016-02-22. https://web.archive.org/web/20210618212311/https://www.theguardian.com/technology/2016/feb/22/uber-driver-shooting-spree-kalamazoo-michigan-ride-share-safety. 2021-06-18. 2022-01-21.
  28. Web site: Uber paid hackers $100,000 to hide year-old breach of 57 million users. Weise. Elizabeth. USA Today. 2017-11-27. https://web.archive.org/web/20211127212444/https://eu.usatoday.com/story/tech/2017/11/21/uber-kept-mum-year-hack-info-57-million-riders-and-drivers/887002001/. 2021-11-27. 2022-01-21.
  29. News: Inside Uber's $100,000 Payment to a Hacker, and the Fallout. San Francisco. Perlroth. Nicole. Isaac. Mike. The New York Times. 2018-01-12. https://web.archive.org/web/20210403153421/https://www.nytimes.com/2018/01/12/technology/uber-hacker-payment-100000.html. 2021-04-03. 2022-01-21.
  30. Web site: Exclusive: Current and former Uber security staffers cast doubt on spying claims. Menn. Joseph. Somerville. Heather. Reuters. 2018-01-13. https://web.archive.org/web/20200719155624/https://www.reuters.com/article/us-uber-sullivan-exclusive/exclusive-current-and-former-uber-security-staffers-cast-doubt-on-spying-claims-idUSKBN1F200Q. 2020-07-19. 2022-01-21.
  31. Web site: Fired Uber cybersecurity chief Joe Sullivan was just hired to run security at start-up Cloudflare. Aiello. Chloe. CNBC. 2018-05-16. https://web.archive.org/web/20210226172729/https://www.cnbc.com/2018/05/16/fired-uber-cybersecurity-chief-joe-sullivan-joins-start-up-cloudflare.html. 2021-02-26. 2022-01-01.
  32. Web site: Officials, experts sound the alarm about critical cyber vulnerability. Miller. Maggie. The Hill. 2021-12-10. https://web.archive.org/web/20211220021005/https://thehill.com/policy/cybersecurity/585370-officials-experts-sound-the-alarm-about-critical-cyber-vulnerability. 2021-12-20. 2022-01-01.
  33. Web site: Facebook Chief Security Officer Joins National Cyber Security Alliance Board. securitytoday.com. 2011-02-07. https://archive.today/20220101192759/https://securitytoday.com/articles/2011/02/07/facebook-chief-security-officer-joins-national-cybersecurity-alliance-board.aspx. 2022-01-01. 2022-01-01.
  34. Web site: Joseph Sullivan. National Cyber Security Alliance. 26 April 2016. https://archive.today/20220101193833/https://www.nist.gov/cybercommission/joseph-sullivan. 2022-01-01. 2022-01-01.
  35. Web site: Facebook Donates $250,000 To The University of Alabama At Birmingham Using Money Acquired From Spammers. Perez. Sarah. TechCrunch. 2012-10-22. https://web.archive.org/web/20220101202509/https://techcrunch.com/2012/10/22/in-recognition-of-its-efforts-in-fighting-cybercrime-facebook-donates-250000-to-university-of-alabama-using-money-acquired-from-spammers/. 2022-01-01. 2022-01-03.
  36. Web site: Nashville event kicks off National Cyber Security Awareness Month. Tomkins. Richard. United Press International. 2014-10-01. https://web.archive.org/web/20201111203021/https://www.upi.com/Defense-News/2014/10/01/Nashville-event-kicks-off-National-Cyber-Security-Awareness-Month/6961412181419/. 2020-11-11. 2022-01-03.
  37. Web site: 2012 National Strategy for Suicide Prevention: Goals and Objectives for Action. 2012. Surgeon General of the United States. https://web.archive.org/web/20180820034513/http://johnjordanphd.com/pdf/NSSP%20Final.pdf. 2018-08-20. 2021-01-03.
  38. Web site: 53 steps to stronger cybersecurity. Rockwell. Mark. Federal Computer Week. 2016-12-02. https://archive.today/20220101184737/https://fcw.com/security/2016/12/53-steps-to-stronger-cybersecurity/220419/. 2022-01-01. 2022-01-01.
  39. News: Former Uber Executive Charged With Paying 'Hush Money' To Conceal Massive Breach. Shannon. Bond. NPR. 2020-08-20. https://web.archive.org/web/20220121203321/https://www.npr.org/2020/08/20/904113981/former-uber-executive-charged-with-paying-hush-money-to-conceal-massive-breach. 2022-01-21. 2022-01-21.
  40. Web site: Uber Ex-Security Chief Faces Additional Charge. Shneider. Joe. Bloomberg News. 2021-12-23. https://archive.today/20211226221936/https://www.bloomberg.com/news/articles/2021-12-23/uber-ex-security-chief-faces-additional-charges-of-wire-fraud. 2021-12-26. 2022-01-21.
  41. News: Former Uber security chief convicted of covering up 2016 data breach. Menn. Joseph. Washington Post. 2022-10-06. https://archive.today/20221005215258/https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking/. 2022-10-05. 2022-10-06.
  42. Newman. Lily Hay. The Uber Data Breach Conviction Shows Security Execs What Not to Do. Wired. 17 November 2022.
  43. News: Menn. Joseph. Former Uber security chief Sullivan avoids prison in data breach case. May 5, 2023. Washington Post. May 4, 2023.
  44. Web site: The Fallout From the First Trial of a Corporate Executive for 'Covering Up' a Data Breach. Lawfare. 17 November 2022. 19 October 2022.