The Securities and Exchange Commission (SEC) has charged SolarWinds Corp., along with its CISO Tim Brown, with fraud and internal control failures related to the 2020 supply chain cyberattack on the company’s Orion Platform, which ultimately led to the compromise of US government departments by Russian intelligence.
The charges are already sending shockwaves throughout the CISO community.
At issue, according to the SEC, is the discrepancy between what Brown and other SolarWinds employees were saying internally versus what they disclosed to investors.
Internal messages revealed employees were well aware they were misleading customers in the wake of the discovery of the Orion vulnerability, the SEC explained in its complaint.
“Well, I Just Lied”
“Shortly after the October 2020 attack against Cybersecurity Firm B, SolarWinds employees including Brown recognized similarities between the attack on U.S. Government Agency A,” the SEC Complaint said. “But when personnel at Cybersecurity Firm B asked SolarWinds employees if they had previously seen similar activity, InfoSec Employee F falsely told Cybersecurity Firm B that they had not. He then messaged a colleague ‘Well, I just lied.’”
But the failure to put appropriate cybersecurity controls in place at SolarWinds started as far back as 2018, according to the regulator. The SEC alleges Brown was aware of, but ignored, warnings about the company’s vulnerabilities, including a 2018 presentation by a SolarWinds engineer that flagged the company’s remote access setup as “not very secure,” and explained a threat actor could use it to “basically do whatever without us detecting it until it’s too late,” the filing said.
By ignoring these warnings about the cybersecurity posture of the company and failing to raise the issue up the chain of command, the SEC alleges Brown willfully left the company systems unprotected.
Brown Accused of Selling Inflated SolarWinds Stocks
SolarWinds filed an incomplete 8-K disclosure with the SEC in December 2020 and Brown personally profited from the inflated stock price, according to the charges.
“SolarWinds stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint,” the SEC said.
The SEC further accused Brown of selling inflated SolarWinds stock before its value plummeted once the full impact of the compromise became public. Between February 2020 and the end of August 2020, Brown sold 9,000 shares of SolarWinds at a profit of $170,000, according to New York Stock Exchange records provided by the SEC. By the end of December 2020, SolarWinds’ stock price had dropped by 35%.
Other charges include SolarWinds making “materially false and misleading statements” about its cybersecurity practices by stating programs like the National Institute of Standards and Technology (NIST) framework were fully in place, when, in fact, they were only partially deployed.
SolarWinds, Brown Vow to Fight in Court
In response, SolarWinds promised a court fight ahead.
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” a SolarWinds spokesperson said, in a statement provided to Dark Reading. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
Brown’s attorney, Alec Koch, similarly pledged a vigorous defense of his client.
“Tim Brown has performed his responsibilities at SolarWinds as vice president of information security and later as chief information security officer with diligence, integrity, and distinction,” Koch said in a statement. “Mr. Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”
CISOs Brace for Fallout
CISO accountability is something the cybersecurity community has been watching closely over the past year. The fresh SEC charges against Brown and SolarWinds come on the heels of a judge sentencing Uber CISO Joe Sullivan to three years’ probation for his role in the coverup of a 2016 data breach at Uber and promising harsher penalties in the future.
Amtrak CISO Jesse Whaley isn’t quite sure how the SolarWinds SEC indictment will impact the CISO role more broadly, just yet.
“It’s either really good or really bad,” Whaley says. “This could do more to advance cybersecurity than another decade of breaches.”
On the other hand, Whaley wonders if the SEC is really doing the right thing by charging Brown, adding he has questions about why the company’s chief financial officer or general counsel weren’t also named in the indictment.
Jessica Sica, CISO at Weave, worries the move by the SEC to charge Brown will push more people away from the CISO role.
“It will likely have a chilling effect, which we’re already seeing with CISOs leaving their jobs to become field CISOs for vendors,” Sica says.
The increasingly acute problem for CISOs, she explains, is that almost none have the resources they need to do their jobs.
“I think the main concern is will the SEC and other entities start holding CISOs accountable for breaches that happened from them not getting the resources they need to do the job?” Sica asks.
But, she adds, in terms of disclosures, telling the truth is always the smartest move. “Don’t lie. Don’t cover up, and make sure you are remediating the most critical issues that affect your business,” Sica advises.
CISOs should also be very careful about statements they issue in the future that might contain overly optimistic language, cybersecurity expert Jake Williams advises.
“The CISO often gets roped into signing off on a statement implying the existence of a functioning program,” Williams says. “I’ve even worked with publicly traded companies publicly discussing a program still in the planning stages as if it were fully deployed. In short order, I don’t think you’ll be able to find a CISO to play word games like this.”