SEC Charges SolarWinds CISO Over 2020 Cyberattack

The CISO of SolarWinds is getting a lesson in cybersecurity from the SEC: Timothy G. Brown has been charged by the SEC in relation to the epic hack SolarWinds suffered in 2020, a breach that had long-lasting repercussions:

The Securities and Exchange Commission brought charges against both Austin, TX-based information security software company SolarWinds and its CISO Timothy G. Brown on October 30. The SEC alleges Brown committed fraud and failed to address known internal security issues, eventually leading to the massive Sunburst cybersecurity attack against the U.S. federal government in December 2020.

The SEC alleges that between SolarWinds’ October 2018 initial public offering and the December 2020 announcement of the large-scale cyberattack, SolarWinds and Brown specifically “… defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”

SolarWinds personnel, including Brown, made internal assessments that were at odds with the company’s promises to its customers, the SEC said. A presentation in 2018 made by a company engineer found SolarWinds’ remote access setup to be “not very secure,” which could lead to exploitation in which an attacker “can basically do whatever without us detecting it until it’s too late,” the SEC found.

“The volume of security issues being identified over the last month have (sic) outstripped the capacity of Engineering teams to resolve,” a September 2020 internal document presented to Brown stated, according to the SEC.

Those issues included basic security best practices such as not using default passwords.

On some products, default passwords such as “password” remained in place. The password “solarwinds123” was also in use, the SEC filing said.

The SEC alleges that SolarWinds didn’t disclose the full extent of the Sunburst cybersecurity incident on Dec. 14, 2020. SolarWinds had filed a Form 8-K on that date; that is the form the SEC requires organizations to fill out in order to formally notify investors in the event of a significant event. After SolarWinds filed the Form 8-K on December 14, SolarWinds’ stock dropped 25% in two days and 35% by the end of December.

With the usual disclaimer that none of this has been proven in court, it is pretty bad if it does get proven in court. Chris Clymer, CISO at Inversion6, had this comment:

This latest SEC charge against SolarWinds’ CISO comes on the heels of two other highly related pieces of news. The first is the SEC’s recent guidance requiring strong board oversight of security and rapid disclosure of breaches. The second is the at-the-time unprecedented charging of Uber’s CISO over their own breach.

The security community has fixated on the breach disclosure element of the SEC guidance, but I find the governance piece more interesting. Especially because of what the SEC did NOT do: Namely, define exactly what would be “material” enough to require disclosure, or provide any guidance whatsoever into appropriate controls. Similarly, with this SolarWinds news the security community is scratching its collective head trying to understand just what degree of disclosure is needed over everyday vulnerabilities that every company has. In the case of the Uber breach, the CISO actively participated in a cover-up of identified risks, even altering reports of findings to better fit the narrative the company wished to portray to the public. With SolarWinds, it appears from the outside to be very similar to the situation most CISOs face with known vulnerabilities, and only so many resources to address them. Is there a risk rating the SEC wants us to target? A particular CVSS score? I think these details all miss the bigger picture.

I would argue that the consternation among CISOs and other executives and confusion about where the line lies is exactly what the SEC hoped to see. The message they are sending here has nothing to do with the day-to-day operations of a security program. To me, the message is simple: Don’t let a breach like SolarWinds experienced happen on your watch. If it does, the executive team will be scrutinized and held accountable…and most likely, there will be deficiencies to find. If you want to avoid a debate about what is truly “material” then avoid having a breach…”simple”.

While this feels grim and unrealistic to CISOs, who all agree that it’s a matter of “when” not “if” a breach happens, it’s not unprecedented. Companies that take credit cards have long had to meet the bar of PCI compliance, and undergo regular audits to prove this. And yet, if credit cards are believed to have been breached, they undergo a MUCH more aggressive “PCI Forensic Investigation” that proves virtually 100% of the time that the company was actually NOT fully PCI compliant at the time of the breach. This unfair standard has pushed these companies to invest greatly in new technologies like tokenization to greatly diminish the opportunities for credit card exposure…and credit card breaches have dropped dramatically as a result.

This should be a wake-up call to anyone who is in a position of responsibility when it comes to cybersecurity. Get your act together and make sure that your organization’s security is on point, because the regulator is now prepared to hold the individual accountable, not just the company. Just as it has happened to this guy.
