Uber has a new chief security officer — the company's first ever: Joe Sullivan, who for the past five years held that same job at Facebook. The hire is a major talent grab for Uber, which is looking to ease concerns about the security of its vast pool of driver and user data following an embarrassing breach of its systems in late 2014.
Sullivan's appointment comes just days after reports of stolen Uber accounts being sold on a dark web marketplace, news that's again made the company's security practices the subject of scrutiny.
With a resume that also includes stints as a prosecutor for the U.S. Department of Justice and as a security officer for eBay, Sullivan would seem to have the chops to grapple with the considerable security challenges Uber faces. And certainly, he's a big, splashy hire who says a lot about how the company views that issue.
Here's a quick bit of background on Sullivan, and just what he brings to the table at Uber.
Sullivan has prosecuted a number of high-profile cybercrime cases.
As a founding member of the Department of Justice's Computer Hacking and IP Unit in 1999, Sullivan was one of the lead prosecutors on a number of high-profile cybercrime cases. In 2002, Sullivan successfully prosecuted Cisco Systems accountants Geoffrey Osowski and Wilson Tang for accessing Cisco computer systems without authorization and issuing themselves almost $8 million in Cisco stocks. Both Osowski and Tang were sentenced to 34 months in prison. In December 2001, Sullivan contributed to the prosecution of a 27-year-old Russian hacker who created software for his employer, Elcomsoft Co., that decrypted Adobe Acrobat e-books and potentially violated the Digital Millennium Copyright Act. (A jury ultimately found that Elcomsoft was not guilty.) A month later, Sullivan had a hand in busting up a pirate software ring.
At eBay, between 2002 and 2006, Sullivan had a track record of "catching the bad guys."
In a March 2005 Q&A with eBay's Senior Manager of Trust & Safety Marketing David Greer, Sullivan — then the company's senior director of law enforcement relations — touted some key eBay victories against the fraud that troubled the auction site at the time. "Recently, we participated in three separate New York cases in which sellers artificially inflated the selling prices of their eBay items, an illegal practice known as 'shill bidding,'" he said. "Working with eBay, New York State Attorney General Elliot Spitzer caught the fraudsters and ordered restitution to the more than 120 people who had been affected by the inflated prices."
In that same interview, he detailed his views on security in the rapidly evolving world of tech. "To me, the greatest challenge we face in terms of online crime is the rate of change in technology, and not any particular crime," Sullivan said. "We need the good guys to understand new technology and best practices for staying safe, as quickly as the bad guys learn to exploit it. It is a challenge to keep consumers and law enforcement adequately educated about risks and bad behavior in the face of the significant rate of change we are seeing on the internet."
Under Sullivan, Facebook's security team had a more aggressive, "confrontational approach."
In a 2012 Forbes profile, Sullivan described his role as CSO as one that fills in the gaps that law enforcement leaves behind. Of particular note, his proactive, take-it-to-the-bad-guys approach to keeping Facebook and its users secure. "A lot of companies stop at playing defense, like credit card companies — they invest a lot in fraud detection and prevention, but they're not bringing civil actions," Sullivan said at the time. "We spend a lot of time trying to figure out who's sitting on the other side of cybercrime."
And judging by its dealings with local regulators, the existing taxi industry, and competitors, Uber is not one to shy away from confrontation either. Sullivan's hiring is a talent grab, and one that meshes fairly well with Uber's winner-take-all attitude at that.