SEC Charges SolarWinds and CISO With Misleading Investors

The US Securities and Exchange Commission (SEC) has announced charges against SolarWinds and its CISO, alleging that they deliberately downplayed or failed to disclose cyber-risks while overstating the firm’s security practices.

The complaint refers to several in-house assessments shared between internal stakeholders over the period 2018-2020 which it alleges were at odds with public pronouncements.

Specifically, it cites:

  • A 2018 presentation by a company engineer which claimed the company’s remote access capabilities were “not very secure” and that a threat actor could “basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss”
  • Presentations by CISO Timothy Brown in 2018 and 2019 where he warned that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate”
  • A comment from a subordinate of Brown’s who allegedly said: “we’re so far from being a security minded company”
  • A June 2020 comment from Brown that it was “very concerning” that a threat actor targeting a SolarWinds customer may have been looking to leverage the firm’s Orion software in larger attacks because “our backends are not that resilient”
  • A September 2020 internal document shared by Brown which claimed “the volume of security issues being identified over the last month have outstripped the capacity of engineering teams to resolve”

The SEC has alleged that Brown failed to resolve or elevate these serious security concerns within the company, meaning it couldn’t provide assurances that its assets – including Orion – were suitably protected.

It also claimed that the IT management software vendor made an “incomplete disclosure” in December 2020 about the “Sunburst” supply chain attack on its flagship Orion product by Russian state hackers. That long-running campaign enabled the hackers to compromise at least nine US government agencies.

Gurbir Grewal, director of the SEC’s Division of Enforcement, alleged that SolarWinds and Brown had for years ignored repeated red flags about cyber-risk inside the company.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber-controls environment, thereby depriving investors of accurate material information,” he added.

“Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

SolarWinds Hits Back at SEC

SolarWinds president and CEO, Sudhakar Ramakrishna, hit back at the SEC, claiming that the company responded quickly to remediate what was a highly sophisticated and novel threat in Sunburst.

“How we responded to Sunburst is exactly what the US government seeks to encourage. So, it is alarming that the SEC has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” he continued in a blog post.

“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to Sunburst and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.”

Ramakrishna, who joined the company days after it learned of Sunburst, also argued that the SEC’s charges risk imperilling open public-private information sharing following incidents like this, as it will make security professionals and breached companies afraid of the consequences.

A statement from SolarWinds sent to Infosecurity read as follows:

“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our secure-by-design commitments.”
