In the closing months of 2020, a devastating and far-reaching cyber-attack came to light. SolarWinds, an observability platform used by thousands of private organizations and many departments in federal, state, and local governments, had been compromised in a cyberattack known as Sunburst. The attack, which was active for nearly two years before being discovered, used the Orion software platform to target SolarWinds customers, including agencies and departments in the U.S. Government. Among those whose data was compromised were the Departments of Commerce, Energy, Homeland Security, State, and Treasury.
Because SolarWinds' Orion platform requires extraordinary access to infrastructure and applications to function, the access provided to the malicious actors was also extraordinary. The attack played a significant role in highlighting the importance of supply chain security and the amplifying effect an attack on a popular supplier can have across broad swathes of industry and government.
Given that virtually every company in the Fortune 500 and most of the Federal government felt the SolarWinds impact, it came as no surprise that court action followed the cybersecurity activity. In October 2023, the Securities and Exchange Commission (SEC) filed suit against the company and its CISO, Timothy Brown, alleging that they misled the company’s investors and customers by overstating the effectiveness of the company’s cybersecurity practices. The suit also alleged that SolarWinds concealed an increasing threat level between October 2016 and January 2021.
A First Legal Step
It's important to note that the SEC lawsuit is not about the damage done to SolarWinds customers, but about the impact that damage had on SolarWinds' status as an investment. As amended in February 2024, the suit alleged that SolarWinds and Brown misled investors and customers by overstating the company’s cybersecurity practices, concealing mounting cybersecurity risk before the Orion breach, and failing to tell the whole truth after the Orion breach. None of these are, by themselves, the subject of action by the SEC, but the commission claimed that, in withholding information in these instances, SolarWinds violated its own internal accounting controls.
The SEC, in this first-of-a-kind lawsuit, pointed to SolarWinds' use of the NIST Framework and claimed that the company's poor communications were not in compliance with that framework. The CISO ended up party to the suit because he had signed a certification that the company had complied with the NIST Framework––something he could certainly do since NIST is a self-evaluation framework.
SolarWinds asked the judge presiding over the case to dismiss the charges, and on July 18, 2024, the judge issued a ruling. While neither party won a complete victory in the ruling, SolarWinds was successful in having much of the suit dismissed.
Swatting Down the Novel
In a published analysis of the ruling, attorneys from Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates explained that the court dismissed claims in three broad areas:
- Internal accounting controls. The court rejected the SEC’s attempt to impose liability under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 for failing to maintain appropriate internal accounting controls on the basis of insufficient cybersecurity controls. The court ruled that the SEC’s authority to regulate an issuer’s system of internal accounting controls does not extend to corporate cybersecurity controls and instead relates solely to a company’s financial accounting controls.
- SEC filings and disclosures. Claims regarding SolarWinds’ SEC filings during and after the cyberattack were dismissed. The court found that the SEC failed to adequately support allegations of securities fraud or false filings.
- Public statements. The court also dismissed the SEC’s claims related to press releases, blog posts and other public communications, categorizing them as “non-actionable corporate puffery” that lacked sufficient detail for a reasonable investor to rely on them.
All of these were claims that were being brought by the SEC for the first time in a case regarding a cybersecurity company. According to Stephen Kowski, Field CTO at SlashNext, "The court's dismissal of most SEC claims against SolarWinds highlights the challenges in regulating cybersecurity through securities law, particularly regarding internal controls and disclosure requirements."
The Case Goes On
As noted earlier, some claims in the case were allowed to continue. Specifically, the court allowed claims concerning SolarWinds’ “Security Statement” to proceed. The Security Statement refers to a statement that SolarWinds placed in its website's Trust Center in 2017. While Trust Centers are common tools companies use to answer potential customers' questions about the state of their security, the court noted that, "An employee described the Security Statement as 'aspirational'––capturing what SolarWinds hoped to achieve in the future." Internally, managers were complaining that the company was not doing everything noted in the Security Statement.
The court emphasized the importance of accurate cybersecurity disclosures, given their relevance to the company’s business model. The portion of the SEC's claims allowed to continue alleges that SolarWinds’ statements about access controls and password protections were materially misleading to investors.
Looking at the impact this early ruling might have on other companies, Kowski says, "While the ruling limits the SEC's authority in some areas like bringing charges under 'internal accounting controls' provisions, it upholds the importance of accurate public-facing security statements, emphasizing the need for companies to carefully vet and verify their cybersecurity claims."
Still, many in the industry seem to be relieved that some of the claims have been dismissed. Leo Scott, Chief Innovation Officer at DataTribe says, "I think most in the cybersecurity industry will be relieved. While it’s valid to consider cybersecurity incidents as material to the overall risk profile of a company, the aggressiveness of the charges, particularly specifically calling out the CISO in the case, likely would have negative impacts on the industry and on companies running efficient cyber defense activities if the charges were upheld."
Industry Lessons
The SEC filing indicates a shift in how the commission views a company's organization, and the consequences of executives not working together can be profound. Many companies have not trained their CISOs to be part of those conversations, leaving CISOs unprepared for the public scrutiny. "CISOs as executives seldom have the control and influence on the actions of the company at the same level as the CEO or CFO, who typically drive formal public communications and SEC disclosures," says Scott. "If the CISO was held liable, many companies could find it more difficult to employ quality CISOs, who would not want to take on liability in a particularly complex, highly technical job where they did not have full control on how things were communicated."
The security and communications decisions should include the basics of protecting the business, argues Kowski. "Companies should prioritize robust security measures and accurate disclosures, including implementing advanced threat detection and response capabilities to protect against sophisticated attacks and maintain investor confidence," he says.
Finally, the SEC's investigation and action make it clear that internal communications should be governed by policies and procedures as rigorous as any that apply to external communications. "From a legal perspective, an evidence chain so to speak, you have to consider this like insurance, right? It does make good sense to have and store and secure any Teams or Slack conversations and have them documented for a certain reasonable period of time." He notes that the preservation can be critical from an operational standpoint. "Because the conversations happen so quickly, so readily, so frequently within cyber security and cyber operations, it's important to have that at least documented and saved for a certain period of time." As with everything in cybersecurity, there is resilience in backups.