
CS 153 · Lecture 3

The Road Ahead: Resilience Required

Joe Sullivan · CEO & security advisor, Ukraine Friends

4 min read · Guest lecture · Free

Joe Sullivan ran security at PayPal, Facebook, Uber, and Cloudflare, then was criminally charged over the 2016 Uber breach. He walks through what actually happened and what technology leaders should learn from it.

The big idea

Sullivan's core argument is that in a crisis, the choice you make about transparency matters more than the technical response, and that career-ending punches are survivable if you build resilience before you need it. He contrasts Uber's 2016 decision to stay quiet, which fed years of legal and reputational damage, with Cloudflare's reflex to publish a blog post during every incident, which turned a company that took down half the internet into one praised for openness. His second theme is personal: he was fired by text, doxxed, and charged with a crime, yet 200-plus letters of support and a judge who ruled 'it wasn't a cover-up' brought him back. His advice is to run toward stressful situations because the wisdom only comes from surviving them.

At the government-tech seam

Sullivan has spent his career where government and tech companies collide. He started as a DOJ federal prosecutor in 1995, asking Silicon Valley firms about cybercrime that they had every incentive to hide, then crossed to the company side at eBay, where the number-one problem was trust because the original business model was 'mail cash in an envelope and hope the seller ships.' At Facebook he became the face dealing with the NSA after the Snowden leaks.

The Uber breach and trial

In 2016 Uber received an email from researchers who had dumped a database via a misconfigured AWS setup. Sullivan's team treated it as an incident, found the two young hackers, confirmed the data was deleted, and paid them $100,000 through the bug bounty program, with legal and the CEO signing off. In 2020 he was charged with obstruction. The trial hinged on 18 USC 1030: whether Uber could grant permission after the access had already occurred. The judge ruled it could not, gutting his defense, and he lost.

Transparency builds trust

Sullivan credits Cloudflare CEO Matthew Prince, whose first question during any incident was 'who's writing the blog post?' When a bad WAF rule took down half the internet, Cloudflare called every large customer and published a detailed report, and a day later the internet was praising it for transparency instead of slamming it. His lesson: bias hard toward disclosure, because staying quiet, as Uber did, produces years of boiling negativity.

Resilience as a job requirement

Sullivan was fired by Uber via a text from a Bloomberg reporter, then had his company-issued phone bricked mid-crisis. He grew a beard, went into hibernation for two months, and rebuilt. His point: nobody writes 'resilience' into a job description, but in high-visibility tech roles in 2026 you will get punched in the face, so plan for it the way a boxer expects to get hit. Run toward hard situations, because the best companies hire him precisely for the wisdom the bad years gave him.

AI-era security shifts

Two shifts reshaped the field. Around 2018 to 2019, ransomware moved security beyond 'did data leave the building' to operational resilience: Jaguar Land Rover's 2025 ransomware attack halted all production for three months, forced a UK bailout of over a billion pounds, and bankrupted supply-chain firms. Now AI-generated code is the new front. One bank went from 250,000 to 1.25 million lines of code a month, and a marketing employee merged a vulnerability to production with no idea how to fix it. Sullivan says guardrails alone cannot contain agents, so you need runtime anomaly detection, watching them like a parent chasing a toddler.

Regulation and model release

Sullivan supports smart regulation at scale, having testified before Congress multiple times, but notes government often shows up not knowing how to turn on a computer. On powerful cyber-capable models like Anthropic's, which he calls as strong as advertised and available to more organizations than the public lists suggest, he wants graduated release: pre-vetted orgs, signed agreements, and best practices. He thinks we are 'walking but not running' toward that, and the same closed-first, good-guys-first logic will apply to quantum, which may arrive by 2030.

Key takeaways
  • In a security crisis, the transparency decision outweighs the technical response; disclosure builds trust while silence compounds damage over years.
  • Cloudflare's habit of writing a blog post during every incident turned an internet-breaking outage into a reputation win.
  • The Uber case turned on a legal question: whether a company can authorize access after the fact under 18 USC 1030; the judge said no.
  • Sullivan's team paid the Uber hackers $100,000 with CEO and legal sign-off, treated it as an incident, and confirmed the data was deleted.
  • Ransomware pushed cybersecurity from 'protect the data' to 'keep operations running'; Jaguar Land Rover lost three months of production to it.
  • AI-generated code multiplies volume and lets non-engineers ship vulnerabilities they cannot fix, so security shifts to runtime anomaly detection over static guardrails.
  • Resilience is unwritten but essential: expect to get punched in the face, plan for it, and run toward hard situations to earn the wisdom.
  • A security leader should spend more than half their time with the other executives, not their own team, so trust exists before the crisis hits.

In their words

Who's writing the blog post?
Joe Sullivan
You're going to get punched in the face sometimes and you got to think about how am I going to handle getting punched in the face?
Joe Sullivan
If you try and steer your career to never go through bad things, you'll never get the wisdom and experience you need to really succeed.
Joe Sullivan

Terms to know

Responsible disclosure
A policy promising researchers who report a vulnerability that the company will not sue or report them to law enforcement; Sullivan published the first one at PayPal in 2007.
Bug bounty
Paying outside researchers cash for the vulnerabilities they find; Sullivan launched one of the first at Facebook and Google now offers up to $250,000 per bug.
Operational resilience
A security goal focused on keeping a business running through an attack, not just preventing data from leaking out.
18 USC 1030
The U.S. computer-hacking statute; the Uber trial hinged on whether a company can grant access permission after the intrusion has occurred.
Runtime anomaly detection
Watching an AI agent's behavior live rather than pre-defining what it may do, because you cannot scope its access purpose by purpose.

Full lecture: Joe Sullivan at Stanford CS 153: Frontier Systems
