SEC Charges SolarWinds and CISO With Fraud Related to 2020 Cyberattack
SolarWinds CISO Timothy G. Brown is specifically named for allegedly failing to inform investors or act on known security vulnerabilities.
The Securities and Exchange Commission brought charges against both Austin, TX-based information security software company SolarWinds and its CISO Timothy G. Brown on October 30. The SEC alleges Brown committed fraud and failed to address known internal security issues, eventually leading to the massive Sunburst cybersecurity attack against the U.S. federal government in December 2020.
For CISOs, this case may be a wakeup call if they work with government agencies or infrastructure clients.
Jump to:
SolarWinds’ alleged misleading information about its cybersecurity practices
The SEC alleges that between SolarWinds’ October 2018 initial public offering and the December 2020 announcement of the large-scale cyberattack, SolarWinds and Brown specifically ” … defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”
SolarWinds personnel, including Brown, made internal assessments that were at odds with the company’s promises to its customers, the SEC said. A presentation in 2018 made by a company engineer found SolarWinds’ remote access setup to be “not very secure,” which could lead to exploitation in which an attacker “can basically do whatever without us detecting it until it’s too late,” the SEC found.
“The volume of security issues being identified over the last month have (sic) outstripped the capacity of Engineering teams to resolve,” a September 2020 internal document presented to Brown stated, according to the SEC.
Those issues included basic security best practices such as not using default passwords.
On some products, default passwords such as “password” remained in place. The password “solarwinds123” was also in use, the SEC filing said.
SEE: Australian CISOs and CIOs face an uphill battle to engage CEOs in tech topics, a study found. (TechRepublic)
The SEC alleges that SolarWinds didn’t disclose the full extent of the Sunburst cybersecurity incident on Dec. 14, 2020. SolarWinds had filed a Form 8-K on that date; that is the form the SEC requires organizations to fill out in order to formally notify investors in the event of a significant event. After SolarWinds filed the Form 8-K on December 14, SolarWinds’ stock dropped 25% in two days and 35% by the end of December.
What was the Sunburst attack?
In the January 2019 to December 2020 attack known as Sunburst, attackers suspected of having Russian state backing used SolarWinds’ Orion software, as well as exploits in Microsoft and VMware products, to breach U.S. government agencies’ systems. The state actors injected code into Orion and used that as a backdoor into government agencies; nearly 18,000 SolarWinds customers were affected. The attackers then used the backdoor ” … for the primary purpose of espionage,” according to the U.S. Government Accountability Office.
Charges filed against CISO Timothy Brown
The SEC alleges that Brown failed to solve SolarWinds’ cybersecurity weaknesses or to impress the importance of those weaknesses upon the rest of the executive team. “As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected” despite SolarWinds continuing to reassure its customers that their data was safe, the SEC said.
Response from SolarWinds about the SEC’s claims
SolarWinds denies the SEC’s claims. “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” SolarWinds said in a public statement emailed to TechRepublic. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
This SEC charge’s possible impact on CISOs
“Whether or not they realize it, CISOs now have a different personal and professional risk landscape to navigate,” said Paul Caron, head of cybersecurity in the Americas at S-RM, a corporate intelligence and cybersecurity consultancy, in an email to TechRepublic. “CISOs are under significant pressure to align with the business view that spend and control maturity are in line with those of their peers … The conditions are set to have every CISO in the field pause and realize that they too can be finally held liable for misleading statements on the security of the programs they manage.”
Caron noted that CISOs should be aware of the SEC’s rule announced in July 2023 establishing that companies should disclose any material cybersecurity incident within four days of determining the incident is material.
“With the new SEC disclosure rules and this fraud charge, there will inherently be greater scrutiny on cybersecurity reporting across the board,” Caron said.
“The SolarWinds case is a potent reminder of the critical intersection between security and compliance,” said Igor Volovich, vice president of compliance strategy at compliance company Qmulos, in an email to TechRepublic. “Security is what you do to protect your organization’s assets, data, and reputation, while compliance is how you prove you’re doing it. However, when there’s a delta between your actual control posture and what you report, the stage is set for a narrative no executive wants to be part of.”