Cybersecurity industry responds to SEC charges against SolarWinds and former CISO

The cybersecurity industry is reeling after the shocking news that the SEC has charged SolarWinds and its former CISO with fraud around the notorious SUNBURST attack. 

A 68-page-long complaint filed Oct. 30 alleges that from at least October 2018 through Jan. 12, 2021, SolarWinds and its then security head Timothy G. Brown defrauded investors and customers through “misstatements, omissions and schemes that concealed both the company’s poor cybersecurity practices and its heightened — and increasing — cybersecurity risks.”

SUNBURST — with which SolarWinds’ name is now synonymous — was one of the most significant cyberattacks in history because it infiltrated the software supply chain and wrought havoc on enterprises of all sizes, all over the world. The U.S. government was even affected, prompting stricter guidelines and requirements to protect the federal software supply chain. 

The full ramifications of the attack are as yet unknown and will likely be felt for the foreseeable future. 

The fraud charges come as the SEC ramps up cybersecurity accountability — most notably its new four-day disclosure requirement for public companies — and it could have dramatic implications far beyond the cybersecurity realm. 

“The charges serve as a reminder to CISOs about the importance of ethical behavior and professional conduct,” said George Gerchow, faculty member at cybersecurity research and advisory firm IANS Research. “It is crucial for CISOs to maintain a high level of integrity, adhere to ethical standards and prioritize the security and privacy of their organization’s data.”

Internal doc says company ‘not very secure’

The Oklahoma-based SolarWinds offers network and infrastructure system management tools to hundreds of thousands of organizations globally. 

Potentially as early as 2018, hackers gained access to the company’s network and deployed malicious code into its Orion IT monitoring system. Orion is considered to be a “crown jewel” asset, according to the SEC, that accounted for 45% of the company’s revenue in 2020. 

The agency says that during the ensuing two-year attack, SolarWinds and Brown made “materially false and misleading statements and omissions” about cybersecurity risks and practices in several public disclosures, including a “security statement” on its website and reports filed with the SEC.

For instance, in Oct. 2018 — the same month SolarWinds conducted its Initial Public Offering (IPO) — Brown wrote in an internal presentation that SolarWinds’ “current state of security leaves us in a very vulnerable state for our critical assets.”

Other presentations during that period referred to SolarWinds’ remote access setup as “not very secure” and that an exploiter could “basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss.” 

Furthermore, a Sept. 2020 internal document shared with Brown and others stated that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of engineering teams to resolve.”

“SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments,” the complaint alleges. 

The SEC also reports that the company made an incomplete disclosure about the attack in a December 14, 2020 Form 8-K filing, after which its stock price dropped roughly 25% over the next two days and 35% by the end of the month. 

In the years since, the company has struggled to rebuild its reputation, with leaders recently working on a rebrand and floating the idea of moving back to a private model. 

In a blog post, CEO Sudhakar Ramakrishna said SolarWinds “vigorously opposes” the SEC action. 

“How we responded to SUNBURST is exactly what the U.S. government seeks to encourage,” he said. 

So, it is “alarming” that the SEC has filed what the company believes is a “misguided and improper enforcement action” that represents “a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.”

SUNBURST only highlighted rampant security issues

Experts emphasize the SEC isn’t targeting SolarWinds due to SUNBURST: The complaint says that false statements about security would have violated securities laws even if SolarWinds hadn’t been hacked. 

“That they were targeted only served to highlight the issues,” said Williams. 

Michael Isbitski, director of cybersecurity strategy at Sysdig, pointed to the many security gaps called out: remote access for unmanaged devices, threat modeling missteps, inadequate web application testing, inappropriate password management policies and weaker access controls.

While SolarWinds attested to following common security best practices — such as NIST Cybersecurity Framework, NIST Security and Privacy Controls for Information Systems and Organizations and Secure Development Lifecycle (SDL) — evidence seems to show that they had significant gaps in meeting all criteria for all applications and systems, said Isbitski. This created material issues that weren’t appropriately disclosed and misled investors. 

“A key takeaway here is to pick a standard and ensure you’re following it universally,” he said. 

The enduring ramifications of SUNBURST

That’s not to say that SUNBURST didn’t dramatically change the cybersecurity industry. 

“The SUNBURST attack has changed our industry in so many ways,” said Gerchow.

Notably, it has brought attention to the importance of supply chain security. “Organizations are now more aware of the potential risks associated with third-party software and are taking steps to enhance their security practices,” he said. 

The attack also highlighted the need for continuous monitoring and threat detection, prompting organizations to invest in advanced tools and technologies. Finally, and perhaps most notably, it has caught the attention of regulators. 

“This may result in stricter requirements for organizations to ensure the security of their supply chains,” said Gerchow.

SEC setting a new standard

This case underscores the criticality of honesty around the state and maturity of cybersecurity programs, particularly for publicly traded companies, experts point out. 

Relevant expertise, cybersecurity processes and history of security incidents must be disclosed under SEC cybersecurity disclosure rules, Isbitski said. These have existed in different forms for more than a decade, with the latest version becoming fully enforceable in December 2023. 

Furthermore, being open and honest is simply good business practice. “Transparency is crucial in maintaining the trust of customers, partners and stakeholders,” said Gerchow. 

When a breach occurs, it is important to inform those who may be affected so they can take necessary precautions and protect themselves, he emphasized. By being open about a breach, companies show a commitment to their customers’ security and demonstrate accountability. 

Gerchow’s colleague Jake Williams, a former U.S. National Security Agency (NSA) hacker and IANC Research faculty member commented that “the SEC is setting a new standard for security disclosures with this lawsuit.” 

He cautioned: “Don’t be surprised to see that standard used in litigation if you make false, incomplete or misleading statements about security to customers or business partners.”

Furthermore, Wells Notices — intents to charge — are typically issued to CEOs and CFOs, said Sivan Tehila, CEO of cybersecurity platform Onyxia. But in this case, CISO Brown is explicitly included. 

“This could mean new liabilities for cybersecurity executives moving forward,” said Tehila.

Keeping an eye on the SolarWinds case as it unfolds

CISOs should keep a close eye on the case, cybersecurity experts advise. 

For starters, it serves as a reminder of the potential legal and regulatory consequences that can arise from cybersecurity incidents, Gerchow said. Understanding these charges and the eventual outcome of the case can help security leaders assess potential risks they may face in similar situations and take proactive preventative measures. 

“CISOs should analyze the specific allegations made by the SEC and evaluate if their own organization has similar vulnerabilities or shortcomings,” said Gerchow. “This can help them identify areas for improvement and strengthen their cybersecurity posture.”

He advised that CISOs study SolarWinds’ incident response actions to assess their effectiveness. Examining it as a use case can help them enhance their own incident response plans, including communication strategies, containment measures and recovery processes. Just as importantly, security leaders should be reinforcing ethical behavior within their organizations.

Isbitski agreed, saying that companies and their leadership should follow the lawsuit as it plays out, “as this is one of the first battle tests of the final cybersecurity rules.”