Ex-Uber CSO: The Dark Side of Cybercrime and Rehabilitation

Joe Sullivan, the former Uber chief security officer, has been involved in some of the most high-profile cybercrimes in recent history. Convicted of two felonies in 2022 related to covering up a 2016 Uber intrusion, Sullivan is now using his expertise to rehabilitate another convicted felon accused of hacking into corporate networks as a teenager.

Sullivan's experience in the justice system has given him a unique perspective on why young people are getting involved in cybercrime at such an early age. "They didn't wake up and decide to become hackers," he said in an interview with The Register. "A lot of it is that they are coming out of the gaming culture, and it doesn't celebrate winning by the rules. It celebrates winning, period."

Sullivan's own experience with cybercrime began when he was a federal prosecutor specializing in cybercrime at the US Justice Department. He was tasked with covering up a 2016 Uber breach, which led to his conviction and three-year probation.

"The CEO defines the culture of the company, the risk tolerance of the company, and the budget that I get at the end of the day," Sullivan said in an interview. "The judge in my case, when he turned to the prosecutor, he said, 'Where's the CEO? Why aren't you holding the CEO accountable?' And that made a big impression on everyone in the courtroom and on everyone who's heard it in the security world."

Sullivan believes that many CISOs (chief information security officers) are being forced to own accountability for security breaches and are then seeing their careers ruined. "And those CISOs in those situations often sign that agreement because they're in a very desperate place," he said.

"One of the major reasons for this is that in 2025 cybersecurity harm is fundamentally different than it was when my case happened," Sullivan explained. "Security risks now include nation-state espionage and prepositioning, deepfakes and other AI-enabled cybercrime, and, perhaps most pressing, ransomware and extortion attacks."

Sullivan spoke with The Register shortly after cops in the US and UK arrested three alleged Scattered Spider teens blamed for the Las Vegas casino and Transport for London hacks. He said that he had "fascinating insight" into why young people are getting involved in cybercrime at such an early age.

"Young people don't have full adult judgment around risk, and so they do stupid things, and then they get deeper and deeper in until they can't get out - it's too late," Sullivan said.

Sullivan is now using his expertise in his own consulting firm, Joe Sullivan Security, which helps companies respond to crises. "I'm incredibly blessed and lucky in that I've been able to land on my feet," he said.

"It's the legal principles that matter for other people more than me at this stage, number one," Sullivan said, when asked why he doesn't give up the legal battle. "Number two: it's principle. I still don't think I did anything wrong, and I don't think that's the right legal standard."

Despite his conviction, Sullivan remains a prominent figure in the security community. He is a regular speaker on the security conference circuit and has helped companies respond to crises.