SolarWinds and its CISO Timothy Brown are facing serious charges in connection with the catastrophic security breach of 2020, with the SEC alleging that he had knowingly ignored and downplayed serious security risks since at least 2018. The company’s misstatements and omissions in this area have also been connected to artificial inflation of the company’s stock price, which Brown himself profited from.
The charge continues a pattern of personal accountability for CISOs in very high-profile and damaging cases, following the late 2022 conviction of Uber CISO Joe Sullivan for his role in actively covering up the company’s 2016 data breach. While these cases are still few and far between (and involve clear and egregious misconduct), they have left many wondering whether there will be a chilling effect on the CISO job market, particularly if other involved parties (such as financial officers) are not also held personally responsible for breach fallout.
Second set of data breach charges for a CISO follows October 2022 Uber conviction
The SolarWinds supply chain attack consisted of a tainted update called “Sunburst” for its Orion IT stack management platform. The attack was widely reported in December 2020, but likely began with updates issued in March of that year. Russia’s “Cozy Bear” state-backed hacking group was thought to be responsible, gaining access to SolarWinds and secretly planting a backdoor in the update that was then disseminated to some 18,000 customers (with about 100 ultimately thought to have been actively breached). Compromised organizations included members of the Fortune 500, government agencies and the FireEye cybersecurity firm.
The SEC charges date back to October 2018, when SolarWinds issued its IPO. Investors were allegedly misled from the beginning about the potential risks to the company and the state of its cybersecurity, with the company and its CISO accused of actively concealing known deficiencies that led to the Cozy Bear breach. Specifically, the SEC points to internal presentations that Brown was privy to in 2018 that stated the remote access setup was “not very secure” and that if attackers exploited known vulnerabilities they would be able to roam free in the system without detection. Brown again viewed presentations in 2019 that indicated the company’s cybersecurity risks continued to be unacceptable, with critical assets classified as “very vulnerable” and “inappropriate” access to critical systems in place.
These presentations projected that the company could take severe financial and reputational damage should it be breached in this way, but this information about the cybersecurity risks never made its way into mandatory filings or public disclosures. Even as SolarWinds painted an overly rosy picture for outsiders, the questions and concerns about security risks from employees continued into 2020. In June 2020, the company was investigating a serious breach of one of its customers but did not yet appear to be aware that Cozy Bear was already dwelling in the system. A September 2020 internal memo issued by the CISO indicated that the company was fielding a volume of security issues that the internal engineering team was incapable of keeping up with.
While the CISO and internal security staff did not appear to yet have a full picture of how badly they had been breached at that point, they are alleged to have known about the Sunburst issue by December 2020. Nevertheless, an incomplete December 14 Form 8-K filing did not fully disclose the damage or the known cybersecurity risks to customers. In an internal email, an employee characterized SolarWinds as being “far from a security minded company.”
SolarWinds is accused of violating the reporting and internal controls provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, and its CISO stands accused of knowingly aiding and abetting these violations. The SEC does not appear to be seeking prison time for Brown, but it does want him removed from his position, barred from holding similar CISO positions in the future, and potentially held personally liable for at least some of the losses suffered by investors.
SolarWinds has objected to the charges, issuing a statement calling them “manufactured”: “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
Covering up cybersecurity risks could draw federal charges
Brown is the second CISO to face high-level federal charges in connection with a data breach, though the circumstances differ somewhat from the Uber case. SolarWinds is the first company to be sued by the SEC while also being the victim of a data breach. The agency has issued charges to other companies in similar situations, but has also immediately reached a settlement with them. The special conditions are likely due to the damage done to national security by the breach; the Departments of State, Treasury, Homeland Security, Commerce and Energy all acknowledged compromise.
Brown also faces greater personal exposure because he traded company stock while the cybersecurity risks were being discovered internally. From February 2020 to August 2020, months before there was any public awareness of the breach, the CISO sold 9,000 shares of company stock for a total profit of $170,000. After the late 2020 breach disclosure, the company’s stock dropped by 35%.
SolarWinds has since issued defiant statements and blog posts, accusing the SEC of overreach and painting a picture of doom for CISOs across the country. The two cases of this nature are hardly everyday circumstances, however. The Uber breach of 2016 involved a well-documented scheme to secretly pay off hackers and then hide information from company lawyers, and ultimately ended with just three years’ probation for its CISO. If the SEC’s charges are accurate, this case involves a years-long campaign to mislead investors and a chronic refusal to address known cybersecurity risks that ended with federal agencies involved in national security being compromised.
The SEC has also said that the company would have been in violation of disclosure rules had the Sunburst breach not happened. The cybersecurity risks were endemic from the moment the company went public, and likely would have persisted past 2020 had they not been exploited by the Russian threat actors.
Jake Williams, former US National Security Agency (NSA) hacker and Faculty member at IANS Research, notes that this part is particularly relevant to CISOs: “The headline here is in paragraph 10 of the legal complaint: the commissions and false statements about security would have violated securities laws even if SolarWinds hadn’t been targeted. That they were targeted only served to highlight the issues. CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what’s being communicated to the public is rooted in reality rather than spin and wishful thinking. For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don’t be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners.”
On the surface, it might appear these charges would only dissuade the sort of CISOs that should not be in their jobs in the first place. However, given the general state of resource depletion at organizations, some prospective candidates might be leery of being made a fall guy in the event of a similarly damaging breach, particularly if companies pressure them to sign off on statements painting an overly positive picture of the state of their defenses, something that is not entirely unheard of.
Timothy Morris (Chief Security Advisor at Tanium) does not see these developments as a reason to bail on positions at publicly traded companies, but it is a prompt to ensure that everything is properly documented: “The charges add another layer of complexity to the already overstressed CISO role, as fully complying with regulatory disclosure requirements while protecting investigation and response efforts is not easy, even on a good day. Given today’s threat landscape, it’s crucial that CISOs know what their organizations are doing and document what they know. This is key as the complaint here is that what was documented was misleading (or fraudulent) … While most security leaders aren’t fond of regulations, they should still be taken extremely seriously. All regulations have consequences if not adhered to, and it is often in the regulator’s eye as to how and when those are enforced. The current regulatory climate is proving the old adage which says, ‘You can delegate or outsource the work but not the responsibility.’ CISOs should work closely with the entire C-suite and Board to raise security awareness and visibility, while ensuring compliance with evolving federal mandates.”
George Jones, Chief Information Security Officer at Critical Start, takes a less optimistic view of how this will impact the hiring market but agrees that it stresses the importance of thorough documentation: “This could have a chilling effect on other CISOs, causing them to be more cautious about providing inaccurate information or incomplete information to investors or the public. It could also lead to an increase in transparency and accuracy in reporting cybersecurity practices. I believe this will heighten the shortage of qualified CISOs that already exists. The demand for skilled cybersecurity workers is high due to the increased importance in today’s digital world, but such legal actions can deter some individuals from taking on CISO roles or make them more risk averse … In situations where there is a significant risk for an organization, it is the responsibility of the CISO to raise that risk to the CEO and Board of Directors for awareness. If the group accepts the risk, it should be recorded on the company risk register as a known item that was presented and accepted in its operational state. Having a Risk Governance Steering Committee allows an organization to socialize these issues and take a group approach to discussing potential risks and solutions, prioritizing risks, and achieving organizational buy-in on risk acceptance. The outcome of this committee is presented to the BoD for their review and consideration, allowing the CISO to provide highest level awareness and understanding of the landscape.”