Uber Executive’s Conviction Puts Spotlight on Secrecy About Hacking

Article

The conviction of Uber Technologies Inc.’s former security chief on Oct. 5 has raised the specter that a high-profile criminal charge and newly expanded federal rules may force companies to be more transparent when it comes to reporting cybersecurity breaches. But that new path forward runs up against a stubborn history of secrecy, according to industry data and interviews with security experts.

A lack of corporate transparency around hacking manifests in several ways, from companies issuing minimal, often vague, public statements to hiring cybersecurity investigators through law firms, which can attach attorney-client privilege. Companies may also not want to disclose breaches because it could damage their reputation.

Uber’s Former Security Chief Convicted of Data Hack Coverup

That opacity comes as the private sector continues to face an onslaught of intrusions — especially from ransomware hackers — that can paralyze hospitals, shutter colleges and shut down major gas pipelines.

“The verdict has not solved the larger problem of a patchwork of notification laws, which are not always totally clear around ransomware cases about what needs to be reported and by whom,” said Josephine Wolff, an associate professor of cybersecurity policy at Tufts University. “It will probably make companies a little more cautious and over report. But there’s enough ambiguity in these laws that companies feel like they have space to maneuver.”

Former Uber security head Joe Sullivan was found guilty in San Francisco federal court that stemmed from a 2016 hack — details of which he tried to keep hidden. But experts told Bloomberg the case may an exception, not the rule, when it comes to the government pushing for more disclosure. In fact, the Justice Department didn’t charge Sullivan with violating disclosure regulations, but obstruction of justice and concealing a felonyamid a probe by the Federal Trade Commission.

Still, the conviction comes at a time when lawmakers and regulators are pushing for more accountability on hacks. In March, President Joe Biden signed sweeping cybersecurity legislation that mandates certain sectors report breaches to the U.S. Department of Homeland Security within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment. Many states now require companies to report breaches, and the US Securities and Exchange Commission has proposed new cyber-reporting laws.

For years, companies have turned to outside lawyers to handle such incidents, a practice that’s grown. In 2018, more than 4,000 companies retained legal counsel to help with their cyber responses; by 2021, that number doubled, according to data from firms that were surveyed by insurance firm Advisen Ltd. and analyzed by Bloomberg News. The cybersecurity firm Crowdstrike Holdings Inc. told Bloomberg that 42% of its engagements last year were under privilege with outside counsel.

Even when companies do decide to disclose, it can be so generic that it isn’t useful to investors or the public. “I worry that these judgments have too often erred on the side of nondisclosure, leaving investors in the dark — and putting companies at risk,” said former SEC Commissioner Robert J. Jackson Jr. in 2018.

After a company is breached, outside law firms often bring in a cybersecurity company for what’s known as incident response, or IR. But now, with ransomware actors — who will likely never see the inside of a US courtroom — the attorney-client privilege may be overused and misplaced, according to experts who study cybersecurity policy.

“External counsel go beyond merely providing legal advice,” wrote Daniel Woods, a researcher who’s also published on this topic with Wolff. The lawyers control who gets hired to respond to the breach and “prioritize protecting client-attorney privilege above other concerns.”

Michael Risch, the vice dean at Villanova University’s law school, said having lawyers involved is meant to protect a firm and can actually guide companies to follow regulations more closely than had they not consulted an attorney. The antidote to secrecy, he said, “is to make laws that require companies to disclose more. And then the attorneys would say, ‘You have to disclose.'”

Beyond legal machinations, companies are often tight-lipped when breaches do happen. The phrases “cybersecurity incident” and “IT incident” — a common shorthand phrase often accompanied by few details — appeared in more than 1,000 newspaper and wire stories during the last five years, according to clippings archived by LexisNexis.

That secrecy can be particularly prevalent in critical parts of the private sector following major breaches, including hospitals. Some companies ultimately provide details, but others not until months later, leaving patients worried whether IT issues may affect their medical care.

Tenet Healthcare Corp., for example, published a brief, four-paragraph press release about a “cybersecurity incident” in April. A spokesperson declined to elaborate to a Bloomberg reporter at the time, saying, “We don’t have any comments beyond the release.” Three months later, the company offered more details in an SEC filing, admitting the breach cost Tenet $100 million before taxes.

A spokesperson for Tenet didn’t respond to a recent request for comment.

FBI officials last year estimated that the bureau has visibility into only a quarter of cyber incidents, resulting in a government-wide lack of information about the nature of many data breaches, the tactics of cybercriminals and the U.S. industries that are most vulnerable.

Michael Hamilton, co-founder and chief information security officer of Critical Insight, said the idea of “executive negligence” — where companies can be held personally liable for damages — will come into sharper focus. CISOs, Hamilton said, “take an ethical oath, and it’s pretty clear that you don’t lie about stuff like this.”

Photo: The Uber Technologies headquarters in San Francisco. (David Paul Morris/Bloomberg)