UPDATED 19:39 EDT / OCTOBER 31 2023


Cybersecurity practitioners fret after SEC sues SolarWinds and its CISO

Updated with comment from SolarWinds

Cybersecurity practitioners are expressing concern after the U.S. Securities and Exchange Commission sued both SolarWinds Corp. and its Chief Information Security Officer Timothy Brown for fraud relating to the hack of the company first disclosed in December 2020.

The hack, which was attributed to Russian government-linked hackers, saw malicious code inserted into the company’s information technology monitoring and management tool, Orion. The hack was originally estimated to have affected more than 18,000 organizations worldwide, including the U.S. Departments of State, Homeland Security and Commerce, the National Security Agency and Microsoft Corp. However, SolarWinds later put the number of affected customers at under 100.

The SEC’s lawsuit charges SolarWinds and Brown with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleges that, from at least October 2018, when SolarWinds went public, through December 2020, when it disclosed it had been hacked, SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.

The SEC alleges that throughout this period, SolarWinds misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices, as well as the increasingly elevated risks the company faced.

The fraud allegation rests on the SEC’s claim that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments. The suit alleges that a 2018 presentation prepared by a company engineer and shared internally, including with Brown, described SolarWinds’ remote access set-up as “not very secure.” Someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds, the suit claims.

In short, SolarWinds was internally concerned about its security posture but was telling the public that everything was basically fine when it was not.

The case takes an arguably strange twist, at least with respect to Brown being specifically targeted: the SEC alleges that employees, including Brown, were internally questioning the company’s ability to protect critical assets from cyberattacks throughout 2019 and 2020.

Despite seemingly attempting to highlight and rectify the issues, Brown stands accused by the SEC of failing to resolve the issues or, at times, not raising them further within the company. “As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected,” the SEC writes.

George Jones, chief information security officer at cybersecurity company Critical Start Inc., told SiliconANGLE that the decision to go after Brown “could have a chilling effect on other CISOs, causing them to be more cautious about providing inaccurate information or incomplete information to investors or the public.”

“If he was knowingly misleading investors, he should have been charged,” Jones said. “There is some question as to how much he knew about the security gaps and there could be plausible deniability, but I would expect to be acutely aware of cybersecurity gaps that exist in my purview and either accept them as a known risk or have a plan on the roadmap to remediate them.”

Dave Stapleton, CISO at third-party risk management firm ProcessUnity Inc., also believes the action by the SEC “may deter some would-be CISOs, which is disappointing.”

“No one demands perfection. No one is saying that risk must be reduced to zero,” Stapleton said. “They simply require transparency and good faith efforts to secure sensitive systems and data. CISOs who are adequately supported by their executives and are empowered to speak the truth, even when there may be consequences to the business, have little to fear. The question is, how many CISOs truly feel that kind of support?”

Timothy Morris, chief security adviser at systems management company Tanium Inc., warned that “the charges add another layer of complexity to the already overstressed CISO role, as fully complying with regulatory disclosure requirements while protecting investigation and response efforts is not easy, even on a good day.”

“With SolarWinds’ CISO now under the microscope and Uber’s former CISO making similar shock waves last year, we can expect turnover in this role,” Morris added. “In fact, Gartner predicts that almost half of cyber leaders will change jobs by 2025 and a full quarter will change career paths entirely due to the mental and emotional toll associated with their job.”

In response to the SEC action, SolarWinds said in a statement that it was “disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk.”

“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country,” the statement added. “We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
