Joe Sullivan (Internet Security Expert)

Joe Sullivan (born in 1968) is an American Internet security expert. Having served as a federal prosecutor with the United States Department of Justice, he worked as a CSO at Facebook, Uber and Cloudflare. For his role in covering up the 2016 data breaches at Uber, he was convicted in October 2022 on federal felony charges of obstruction and misprision.
In January 2023, he took on the role o
CEO of Ukraine Friends
a nonprofit focused on humanitarian aid to Ukraine.

Early life and education

Joe Sullivan was born in 1968 in Rutland, Vermont. He grew up in Cambridge, Massachusetts. Sullivan graduated from Matignon High School in 1986, earned his Bachelor of Arts degree at Providence College in 1990, and graduated from the University of Miami School of Law in 1993.

Career

US Department of Justice

After law school, Sullivan spent the first eight years of his career in the Department of Justice, having started as an intern at the DOJ Miami office in 1992 and then ultimately working at the San-Francisco office with Robert Mueller. From 1997 to 1999, he served as Assistant United States Attorney at the District of Nevada in Las Vegas.

From 2000 to 2002, Sullivan worked as Assistant US Attorney at the Northern District of California. He was a founding member of the Computer Hacking and Intellectual Property unit at the Northern District of California. In 2001 and 2002, together with Scott Frewing he represented the U.S. government in ''United States v. Elcom Ltd.'' case, the first prosecution in the U.S. under the Digital Millennium Copyright Act. Sullivan also worked on multiple cybercrime cases including digital evidence aspects of the 9/11 investigation, economic espionage and child predator cases.

eBay

In April 2002, Sullivan joined eBay in as Senior Director of Trust and Safety. In a September 2006 United States congressional hearing, he described his duties as "overseeing company relations with law enforcement and regulatory agencies in the United States and Canada, directing the company's Fraud Investigations team and determining policies related to listing of items on eBay". In 2003, he was criticized by Yuval Dror at the ''Haaretz'' newspaper for being willing to share eBay user's personal data with law-enforcement agencies potentially without proper legal framework. From 2006 to 2008 he was an Associate General Counsel at PayPal. One of his top priorities was preventing phishing scams.

Facebook

In 2008, he started at Facebook first as an attorney, and next as its Chief Security Officer (2010-2015). Sullivan assembled a security team to handle requests from law enforcement agencies globally and fight various types of cybercrime within the social network. He introduced a practice of security hackathons and bug bounty programs both internally and externally, encouraging coders to find vulnerabilities. His team was handling complicated and large-scale security issues such as an attempt to hack the accounts of Tunisian Facebook users in the 2011 "Arab Spring" during the Tunisian Revolution.

Sullivan also gained a reputation as an expert at fighting online bullying. He testified on this subject before Congress in 2010, and was invited to the first White House Conference on Bullying Prevention in 2011.

Uber

In Spring 2015, Sullivan joined Uber as its first CSO, at the time when the company was experiencing multiple safety and security issues. His primary focus was on safety of riders and drivers, both in the digital space and in the physical world. As an example, he was involved in investigating the 2016 Kalamazoo shootings.

In November 2017, Sullivan and Craig Clark, a senior lawyer at the company, were fired for allegedly covering up a major data breach in 2016 and paying hackers $100,000. Later in 2018, ''Reuters'' reported that the decision not to disclose the breach was made by the company's legal department.

Cloudflare

In May 2018, Sullivan joined Cloudflare as the company's first Chief Security Officer. In December 2021, he was among the top Internet security experts who were exploring the Log4Shell vulnerability.

Volunteer government roles

Over the years, Sullivan has held several positions at government agencies and national organizations. From 2011 to 2016, he served as a commissioner at National Cyber Security Alliance, a non-profit organization that promotes cybersecurity and privacy education, where he ran a number of cyber security awareness initiatives. In 2012, he became a board member for the National Action Alliance for Suicide Prevention and co-authored the "2012 National Strategy for Suicide Prevention".

In April 2016, President Obama appointed him as a commissioner on the Commission on Enhancing National Cybersecurity, a government body that was dissolved in December 2016 after releasing recommendations to the White House on how to address the nation's cybersecurity issues.

2016 Uber Data Breach, Trial and Conviction

In August 2020, the US Department of Justice announced criminal charges against Sullivan for obstruction of justice for his handling of the 2016 data breaches at Uber. The criminal complaint said Sullivan arranged, with CEO Travis Kalanick's knowledge, to pay a ransom for the breach as a "bug bounty" to conceal its true nature, and to falsify non-disclosure agreements with the hackers to say they had not obtained any data. In December 2021, he faced additional charges of wire fraud.

On October 6th 2022, Sullivan was convicted of one count of obstruction of justice, and one count of misprision of felony. He is currently awaiting sentencing. The trial of Sullivan represents the first United States federal prosecution of a corporate executive for the handling of a data breach.

Bibliography

*

References

{{DEFAULTSORT:Sullivan, Joe
Assistant United States Attorneys
People from Rutland (city), Vermont
American people of Irish descent
Providence College alumni
University of Miami School of Law alumni
EBay employees
PayPal people
Cloudflare people
Facebook employees
Chief security officers
1968 births
Living people