In an RSA Conference keynote Monday, U.S. Deputy Attorney General Lisa Monaco spoke about one of the most controversial cases in the infosec community: the prosecution and conviction of former Uber CSO Joe Sullivan.
During her keynote discussion with former CISA Director Chris Krebs at RSA Conference 2023, Monaco discussed the importance of strong relationships with the private sector for the Department of Justice's (DOJ's) strategy to tackle cyberthreats. In recent years, she said, the DOJ has pivoted toward disrupting threat groups and focusing on assisting victims.
Monaco cited notable cases such as the 2021 ransomware attack on Colonial Pipeline Co. and the Hive ransomware disruption operation earlier this year, which saw the FBI recover approximately 300 decryptors for recent Hive victims. In the Colonial Pipeline Co. case, Monaco emphasized that the FBI was able to recover most of the ransom payment because the company came forward and worked with authorities.
"Time and time again, we're able to take that disruptive action and take that preventative action because the victims work with us," she said. "We're not measuring our success only with courtroom action or courtroom victories -- this is about preventing and disrupting, and putting the victims at the center."
Monaco also discussed the importance of public-private partnerships with the technology and cybersecurity industries in combating cyberthreats, and how the DOJ must continue to move beyond "passive outreach entities" with companies to produce better results.
"We've got to be willing to really put our tools on the table, to let folks into the tent and help them see what we're seeing, and then work together to take that action," she said during the keynote. "What you've seen us do is really try and walk the walk."
Toward the end of the keynote, Krebs raised Sullivan's case. Sullivan was convicted in October 2022 of obstruction of FTC proceedings and misprision of a felony for concealing a 2016 data breach at Uber and paying off the hackers through the company's bug bounty program. Sullivan authorized a $100,000 payment to the hackers, who used stolen Uber credentials to access an Amazon S3 bucket and download private records for approximately 57 million Uber users, including 600,000 driver's license numbers.
The 2016 breach occurred as the FTC was investigating a separate breach in 2014, where threat actors used an AWS access key that was exposed in a public GitHub repository and obtained data for approximately 100,000 Uber drivers, including driver's license numbers, physical addresses and email addresses.
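Both Uber incidents above turned on credentials that should never have been reachable: an AWS access key committed to a public GitHub repository in 2014, and stolen credentials used against an S3 bucket in 2016. The check a practitioner would want against the first of these is secret scanning of repository contents and history before (and after) code is pushed. The following is an added example, written for this page and not code from the article, from Uber or from any scanning product; it uses AWS's published placeholder credential values (`AKIAIOSFODNN7EXAMPLE` and its companion secret) in a constructed sample file, and the `scan_git_history` helper, the entropy threshold and the function names are this example's own choices.

```python
import re
import subprocess
from collections import Counter
from math import log2

# AWS access key IDs are 20 uppercase alphanumerics. The prefix identifies the kind:
# AKIA = long-lived IAM user key (the 2014-style leak), ASIA = temporary STS key.
AWS_ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")

# Secret access keys are 40 chars of [A-Za-z0-9/+]. That charset alone matches hashes and
# base64 blobs, so only flag a value that sits next to a telltale variable name.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret(?:_?access)?_?key\W{0,5}['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets score high, placeholders like 'AAAA...' score near 0."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never write the full secret into a finding, a log or a CI console."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, path: str = "<memory>", min_secret_entropy: float = 3.5) -> list:
    """Return one finding per credential-looking token, with line numbers and redacted previews."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "preview": redact(m.group(1))})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            # Entropy gate drops obvious placeholders (assumed threshold of 3.5 bits/char).
            if shannon_entropy(m.group(1)) >= min_secret_entropy:
                findings.append({"path": path, "line": lineno,
                                 "kind": "aws_secret_access_key", "preview": redact(m.group(1))})
    return findings


def scan_git_history(repo_path: str = ".") -> list:
    """Scan every patch in the full history: a key that was committed and later deleted is still
    retrievable with `git log -p`, which is exactly what a public-repo scraper reads.
    Line numbers in these findings refer to the patch output, not to a file."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text(out, path=f"{repo_path}:git-history")


# Constructed sample of a credentials file that should never be committed. The values are
# AWS's documented example credentials, not real ones; the last block is a placeholder that
# the entropy gate is expected to ignore.
SAMPLE_CONFIG = """\
# constructed sample; AWS's documented example credentials
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[placeholder]
aws_secret_access_key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, path="credentials.sample"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['preview']}")
```

Run it as a pre-commit hook over staged files and, once, as `scan_git_history()` over the whole repository; the second run is the one that catches a key someone "removed" in a later commit. A hit is not the end of the job: the key has to be rotated in IAM, because anything that was ever pushed to a public remote must be treated as already harvested.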
Krebs asked Monaco if the DOJ's prosecution of Sullivan -- who himself was a former federal prosecutor -- damaged relationships with the private sector.
"There's a lot of agitation, I think, and there's a lot of concern in the cybersecurity community that perhaps you've broken the trust," Krebs said. "Are you worried that something's been lost here, and that the next time a bug bounty payment comes in, they're not going to call you?"
Monaco responded by saying there's been a "misperception" that Sullivan was a well-meaning security executive who made a good faith error by treating the breach as a bug bounty situation. That was not the case, she said.
Sullivan's actions were "not a mistake made by a CISO or a compliance officer in the heat of a stressful time," but intentional acts to mislead the FTC about the breach, she said.
"I really want to stress that this was intentional conduct, as was found by the jury," Monaco said. "Our message is we are working in partnerships with the CISOs and the compliance officers, and we need that partnership, and we need to make sure that the trust is not broken, so thanks for letting me address that."
Sullivan's sentencing is scheduled for May 4.
Rob Wright is a longtime technology reporter who lives in the Boston area.