SEC Files Civil Suit Against SolarWinds and its CISO
The US Securities and Exchange Commission (SEC) has filed a civil lawsuit against SolarWinds and its former Vice President of Security and Architecture, Timothy Brown, over the way they handled the supply chain attack that came to light in late 2020. The complaint alleges that the company and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened – and increasing – cybersecurity risks.”
Read the lawsuit. Next, consider how many of the statements used against SolarWinds could be used against your organization. In my opinion, the lesson here is not "don't put your failings in writing," but rather "don't lie to your customers," and "having a policy isn't enough: You have to audit your systems to ensure compliance."
There will be much hand-wringing about a CISO being directly blamed and legal actions taken against the CISO, but Uber’s CISO was convicted on similar offenses in 2022. Look, we have put a lot of focus on the conflict of interest between business units and security or CIOs and security as decisions were made to maintain profits vs. achieve safety/security. If CISOs don’t fight the good fight to represent customers’ and stakeholders’ safety, but instead join in on false filings to regulators about those decisions, criminal prosecution will and should follow.
Honest, transparent and complete communication has to be the tenet of today’s climate of ongoing incidents. Respect trust and support your customers. Assume dirty laundry will be aired, and that is not the side of the SEC or FTC you want to see. Review your policies and response plan to ensure you’re not in danger of heading down a similar path when it hits the proverbial fan.
I’ve heard through the indictment and some of the internal communications that many in our industry would consider harmless, such as being sarcastic, being used in a court case. Internally, security teams in publicly traded sectors on the stock market may start to have their internal cultures changed. If two people are having a casual work conversation over a protected medium like instant messaging where they need to let out steam and talk shop, they won’t. I think this is going to have adverse ripple effects on our industry. It will have positive ones, don’t get me wrong, but some of the unintended consequences may be a cultural poison pill. As someone who uses a bit of levity during highly stressful situations, I can see a scenario where everyone must be very corporate, diminishing the talent pool that these companies can gather significantly. If you are curious about the exchange, go to page 37, number 124. If this is the type of thing we are using as evidence, we will all be guilty of humanity. I am not advocating for the belligerent actions of SolarWinds; I’m advocating for the merits of decency in these manners. The problems we face are intractable. It’s more sometimes like first responder police work than accountant work. These are numbers and Excel spreadsheets. These are attack groups with people behind them, using psychology at times. We must talk freely without worrying about being called into court for sarcasm. This will push out-of-band communications, which isn’t a positive move.
This may be the first time that a CISO has been named in an SEC lawsuit; it certainly has the cybersecurity world buzzing. What will be arguable is the ‘independence’ of the CISO from the rest of the executive team. Should, as the SEC claims, the CISO and not the CEO have responsibility for informing customers and investors? Regardless, the CISO role is about to change for the better.
The issue in this lawsuit is not about the damage but about the coverup. Security professionals should not give unwarranted comfort or unnecessary alarm. Holding suppliers accountable for shipping malicious code is essential to addressing the supply chain problem. That said, while security is the responsibility of line management, staff, including CISOs, may still be accountable for failure to recommend essential, appropriate, and efficient security measures, or for the failure to document rejection of any such recommendations.