The U.S. Securities and Exchange Commission (SEC) has sued SolarWinds and its Chief Information Security Officer, Timothy Brown, for allegedly deceiving investors and the public over risk disclosures.
The SEC has alleged that the organisation and its CISO exaggerated the company's cybersecurity measures and minimised or neglected to mention acknowledged threats amid one of the most high-profile attacks that SolarWinds suffered.
The SEC filed its lawsuit in Manhattan federal court. The formal accusation made by the SEC highlights how SolarWinds breached the Securities Act of 1933 and the Securities Exchange Act of 1934's anti-fraud regulations. The SEC aims to impose a permanent injunction and monetary fines on SolarWinds, and a prohibition against Brown from holding executive or directorial roles.
The APT29 threat group from Russia successfully infiltrated SolarWinds' internal mechanisms and compromised the SolarWinds Orion IT management platform, affecting builds released from March 2020 to June 2020.
These compromised builds were utilised to introduce the Sunburst backdoor into the systems of "less than 18,000" entities. Notably, from this extensive pool, the attackers selectively chose a significantly smaller group for further exploitation.
With this attack, criminals were able to breach several prominent organisations in Corporate America, as well as numerous U.S. government departments including Defence, Justice, Commerce, Treasury, Homeland Security, State, and Energy.
Find out all about what exactly happened in one of the most massive supply chain attacks ever in our exhaustive SolarWinds Cyber Attack Timeline.
According to the SEC, from its public introduction in October 2018 to the revelation of the cyber breach in December 2020, SolarWinds, alongside Brown, presented only general and speculative risks to their investors. They disregarded the specific and well-known shortcomings in the company's cybersecurity posture and the mounting challenges they were simultaneously encountering.
An internal SolarWinds presentation from 2018 reportedly acknowledged the vulnerabilities in its remote access infrastructure, highlighting potentially significant reputational and financial implications.
By June 2020, Brown voiced apprehensions regarding the cyber attack on a SolarWinds client. He suggested the possibility of the Orion software being exploited for broader malicious activities. Yet, with knowledge of these vulnerabilities, Brown did not take sufficient measures to rectify them internally. The SEC has alleged that even with Brown's awareness of distinct shortcomings in SolarWinds' cybersecurity measures, the company reported only generalised risks in its documentation throughout that time frame.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir Grewal, director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
A SolarWinds spokesperson responded with this statement: “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
The SEC’s suing of Timothy Brown is sure to raise concerns with CISOs around the world. Questions regarding the personal liability attached to the CISO’s position, which made for a hot debate topic when Uber’s CISO Joe Sullivan was convicted last year, are sure to flare up again. CISOs across the world are probably rethinking their cybersecurity response strategies at this point and wondering how to balance business goals with strategic security actions.
This brings us back to the most fundamental aspect of cybersecurity readiness and leadership that we at Cyber Management Alliance always harp upon - Incident Response & Preparation.
In the current threat landscape, there is no way to escape attacks. And if you’re unfortunate, an attack the size of SolarWinds may throw you off at some point in your career.
The obvious upshot of the SEC’s action will be heavily increased engagement between boards and CISOs everywhere. It is almost certain that executive teams of large organisations will prioritise a review of their cybersecurity posture and risks.
However, the need of the hour is to establish robust enterprise risk frameworks that can actually help evaluate cyber threats and risks effectively and as objectively as possible, and then to act upon the knowledge of these risks with sufficient preparation and training.
Here’s the opinion of our cybersecurity experts on what concerned businesses, CISOs and management teams should do immediately to address the concerns that the SEC’s actions have raised: