Ex-Uber CSO is gellin' like a felon with teen cyber crims, explains why they do it

interview Two convicted felons walk into a room at the request of a federal judge who wanted one of them - Joe Sullivan, the former Uber chief security officer found guilty of attempting to cover up a 2016 breach at the rideshare company - to help rehabilitate the other, whom the feds accused of hacking into corporate networks as a teen and participating in a "significant" digital heist.

Sullivan, who in his previous life served as a federal prosecutor specializing in cybercrime at the US Justice Department, won't say which high-profile firm the young man allegedly hacked. Considering that, over the last few years, teens have stolen secrets and source code from some of the biggest names in tech, brought Las Vegas casinos to a grinding halt via network breaches, and pilfered hundreds of millions of Ticketmaster and AT&T customers' details, it's hardly worth guessing.

"As part of my probation, I have to fill out of a form once a month, and one of the questions asks if I interacted with any other people convicted of a crime," Sullivan told The Register. "A couple months ago I had to say, 'Yes, I did interact with someone who committed a crime because the judge asked me to.'"

The Register sat down (virtually) with Sullivan shortly after cops in the US and UK arrested three alleged Scattered Spider teens blamed for the Las Vegas casino and Transport for London hacks.

The conversation with the teen gave Sullivan "fascinating insight" into why young people are getting involved in cybercrime at such an early age, he said. 

"They didn't wake up and decide to become hackers," Sullivan said. "A lot of it is that they are coming out of the gaming culture, and it doesn't celebrate winning by the rules. It celebrates winning, period."

These kids and teens are motivated to game the system to get the highest score, and they feel pressure from their fellow gamers to make more aggressive moves whether they are allowed or not. Plus, cybercrime networks groom young gamers, using gaming platforms to identify and recruit bright, young future criminals.

"Young people don't have full adult judgment around risk, and so they do stupid things, and then they get deeper and deeper in until they can't get out - it's too late," Sullivan said.

The Uber breach, and what happened next

Sullivan himself is serving a three-year sentence - probation, plus 200 community service hours - after a jury found him guilty of two felonies in 2022 related to covering up a 2016 Uber intrusion, and trying to disguise an extortion payment as a bug-bounty reward. It's believed to be the first time a high-profile CSO has been charged, convicted, and punished in America over a data-breach response.

Sullivan and Craig Clark, Uber's then legal director of security and law enforcement, were fired as a result of the 2016 digital intrusion.

Travis Kalanick, who was Uber's CEO at the time of the theft, was not charged, although he allegedly discussed how to handle the breach with Sullivan. At Sullivan's sentencing, the judge reportedly said he believed Kalanick was "just as culpable" as Sullivan.

"The judge in my case, when he turned to the prosecutor, he said, 'Where's the CEO? Why aren't you holding the CEO accountable?' And that made a big impression on everyone in the courtroom and on everyone who's heard it in the security world," Sullivan said. "The CEO defines the culture of the company, the risk tolerance of the company, and the budget that I get at the end of the day."

CSO: chief scapegoat officer

Nearly a decade after the Uber fiasco, company boards and CEOs are investing more in their chief security execs - although the majority of infosec leaders experience burnout and lament other executives' unrealistic expectations. Many CISOs and CSOs joke that the acronym stands for "chief scapegoat officer," with Sullivan and SolarWinds CISO Tim Brown being the poster children for this idea.

After he was sentenced, "so many CISOs reached out to me and asked for advice," Sullivan said. "And it hasn't stopped. What I've realized is we talk about the cases like mine and Tim's because the government took action."

What he's seen and heard from talking to security leaders "is worse," he added.

"There are too many situations where a security leader, in the middle of, or after an incident, is asked to leave and asked to sign an agreement saying that they won't talk about the situation in order for them to get a little bit of severance pay," Sullivan said.

That quiet undercurrent of CISOs being forced to own accountability, but then ruining their careers, bothers me even more.

"And those CISOs in those situations often sign that agreement because they're in a very desperate place. To me, that quiet undercurrent of CISOs being forced to own accountability, but then ruining their careers, bothers me even more. I'm happy that there haven't been any regulatory actions against CSOs since the SEC charges against Tim - at least not publicly."

The attention, and overall responsibility, have moved away from the sole security exec and toward the rest of the leadership team, according to Sullivan. One of the major reasons for this is that "in 2025 cybersecurity harm is fundamentally different than it was when my case happened," he explained. 

Security risks now include nation-state espionage and prepositioning, deepfakes and other AI-enabled cybercrime, and, perhaps most pressing, ransomware and extortion attacks. Sullivan spoke with me weeks after the Jaguar Land Rover cyber-meltdown shuttered operations across the globe, and not just those at JLR factories, but also its suppliers.

'Bleeding millions of dollars a day'

"What Jaguar Land Rover is going through right now is insane. The company is bleeding millions of dollars a day," Sullivan said. "People who own Jaguars can't even get their cars repaired because the systems are down and we're several weeks into an incident."

"It's not like when we talked about data breaches and stood up in front of boards five years ago and warned that some data was going to leave the building," he continued. "Now, boards and CEOs understand that companies are going out of business because operations shut down."

Sullivan said that the era of real shared security responsibility is nigh because business leaders now realize that operational resiliency is foundational to keeping the business up and running. Meanwhile, a ransomware infection can stop operations in an instant.

"I can't drive revenue if my sales people can't get into the tools they need," he said. "I can't drive revenue if our factories can't produce product. And so I spend a lot more time talking to different parts of organizations."

This includes talking with a "very large German corporation that has factories across the planet." The unnamed enterprise requested Sullivan talk security to the people who run its factories. "I'm not talking to the security team about security, I'm talking to the operational leaders because the risk to that company is their factories will get compromised," he said.

• Uber ex-CSO Joe Sullivan: We need security leaders running to work, not giving up
• Ex-Uber CSO gets probation for covering up theft of data on millions of people
• Former Uber CSO convicted for covering up massive 2016 data theft
• 70% of CISOs worry their org is at risk of a material cyber attack

Meanwhile, Sullivan's own legal case slogs on through the courts, and will likely last longer than his three-year probation, of which he's already finished two and a half years.

Last month, he filed a reply in support of a motion for a US appeals court to hold a full-panel rehearing on his conviction. "This unprecedented conviction - and the panel decision upholding it - tests the bounds of the law," the court documents [PDF] say. "The government's opposition only proves it."

Sullivan said that his kids ask him why he continues appealing the case instead of moving on with his life - and these are valid questions, especially when the felony conviction hasn't hurt Sullivan's career opportunities. He started his own consulting firm, Joe Sullivan Security, that also helps companies respond to crises, and he's a regular speaker on the security conference circuit. By his own admission, "I'm incredibly blessed and lucky in that I've been able to land on my feet."

"It's the legal principles that matter for other people more than me at this stage, number one," he said, when asked why he doesn't give up the legal battle. "Number two: it's principle. I still don't think I did anything wrong, and I don't think that that's the right legal standard. And, you know, it would be nice to not have a felony conviction at the end of the day." ®