So you maybe saw the news that Joe Sullivan is going to Cloudflare?  If the name isn’t familiar to you, this is the person who was fired from Uber as fallout from their breach shenanigans: i.e., systematically covering up the breach, paying off the attackers, botching the response, etc.  Cloudflare has decided that he’s the kind of leader they need, and Mr. Sullivan says he wants to be at Cloudflare so he can “secure the whole Internet”.

Look, I’ve got nothing against Sullivan personally: I’m sure he’s an awesome guy.  I bet he loves his kids and is nice to dogs… maybe he’s even a scout master or rescues kittens out of trees.  But I’m left wondering what, if any, standard of conduct security practitioners should hold themselves to… and what standard we as a society should enforce.

Here’s what I mean.  Whether or not Sullivan was responsible for specific decision-making, let’s not forget that Uber is under criminal investigation for implementing software to evade law enforcement, allegedly built software to operationalize obstruction of justice, has settled with the FTC over false security claims, and of course there’s the aforementioned breach stuff.  And that’s not even mentioning the fact that the app itself has been called “literally malware” by the research community by virtue of the amount of data it collects and how it operates.

Was Sullivan responsible for all this stuff?  Probably not… Maybe he wasn’t there when these decisions were made.  Maybe these decisions were made by other people.  The more salient question, though, is: did he know about it and continue to work there?  And frankly, it’s problematic either way.  If he did know about it, I’d argue that he was to some degree “on board” (because employees have one way to vote, and every day they show up for work is another day they vote “yes”).  If he didn’t know about it, is that any better?  That speaks to either work ethic (i.e. not caring enough to be in the loop), professional rigor, or competence.

Let’s stop for a moment and consider what would happen were we talking about, say, a surgeon.  What if a patient dies because of failure by their surgeon to adhere to normative and accepted standards of care?  For example, say a surgeon implanted a goat organ in your abdomen while you were getting your appendix removed because that’s how they roll.  Or what if a surgeon overlooked someone else’s ethical issue, say an anesthesiologist that showed up drunk?  Assuming that surgeon were fired from hospital A as a result of one of those things, is it acceptable for them to continue to practice at hospital B?  Now I get it that there’s a difference here.  But ask yourself whether it’s a difference in kind or in degree.

I used to work for a large MSSP and cloud provider.  There was one interview question we always asked.  It had to do with a hypothetical scenario where a critical security control (provided by us for a customer) failed and how the candidate would handle it.  As an example, say IDS was disabled during a period of time when we were monitoring a customer — or that we had knowledge of a breach near-miss that we contributed to.  Given that scenario, we’d ask the candidate if they’d tell the client — if so, when?  If not, how would they address it?  This was a “dealbreaker” question, by the way: anybody who said anything other than “yes, we tell the customer — and we do it immediately” wasn’t a fit.  Because ethics.

There are situations where doing security poorly – or overlooking questionable ethics – can be dangerous to the world at large.  Do we decide to enforce robust ethics and a professional standard of care?  Or do we let the free market decide?