The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy Brown, with fraud related to security failings that ultimately led to the Sunburst supply chain attack. This attack, which occurred in 2020, compromised several SolarWinds customers, including various U.S. federal agencies, by means of malicious code called Sunburst that was implanted into an Orion software update.
The SolarWinds breach was initially discovered by FireEye, a cybersecurity company that was also affected by the attack, along with other technology vendors such as Microsoft. Microsoft attributed the supply chain attack to a Russian nation-state group known as Nobelium or APT29. It was determined that the attackers had been present in SolarWinds’ network for at least two years before being detected.
Now, both SolarWinds and Timothy Brown are facing charges from the SEC for fraud and internal control failures. The SEC alleges that SolarWinds and Brown misled investors regarding the company’s cybersecurity practices, known risks, and vulnerabilities. The investigation into the SolarWinds hack revealed that the company’s network had been compromised for an extended period of time before any action was taken.
The charges against SolarWinds revolve around violations of reporting and internal controls provisions of the Exchange Act, with Brown being accused of aiding and abetting these violations. The SEC’s four-day reporting rule, implemented recently, shed light on a lack of transparency in cybersecurity incident reporting.
The SEC is seeking various forms of relief, including permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Timothy Brown. The SEC claims that SolarWinds’ public statements concerning its cybersecurity practices were inconsistent with internal assessments. Furthermore, a 2018 presentation prepared by a SolarWinds engineer revealed that the company’s remote access setup was not secure and that exploitation of this vulnerability could lead to substantial reputational and financial loss.
Securing remote access has been an ongoing struggle for many companies, especially since the COVID-19 pandemic led to a rapid shift to remote work. A report by Sophos, a cybersecurity vendor, showed that Remote Desktop Protocol (RDP) played a role in 95% of attacks during the first half of 2023. Additionally, attackers have increasingly targeted virtual private networks (VPNs) to gain remote access, further highlighting the difficulty in defending against such attacks.
In the case of SolarWinds, the SEC complaint suggests that the initial access by threat actors may have been facilitated through a VPN vulnerability. The complaint also asserts that SolarWinds would have faced charges related to its security practices even without the Sunburst breach. Brown is specifically blamed for disregarding repeated red flags and failing to address or disclose known vulnerabilities.
The complaint goes on to claim that Brown was aware of SolarWinds’ inadequate backends and even suggested improvements. However, CISOs often face challenges and resistance when attempting to implement new protocols, especially in relation to cyber insurance requirements.
Both SolarWinds and Timothy Brown have responded to the charges. SolarWinds referred to the charges as “unfounded” and expressed concerns about potential risks to national security. Brown’s legal representation stated that he had diligently worked to improve the company’s cybersecurity posture. Nick DeLena, a cybersecurity and privacy advisory partner, commented that these charges would likely make other CISOs more cautious in their roles.
CISOs often find themselves in difficult positions as they defend against increasing cyber threats with limited resources. They are frequently scrutinized and held responsible for breaches and attacks. DeLena advises CISOs to prioritize honesty and transparency, keep detailed records and reports, and ensure that their organizations act in a manner consistent with their understanding of the cybersecurity environment.
The charges against SolarWinds and Timothy Brown highlight the importance of maintaining strong cybersecurity practices and being transparent with investors and the public about known risks and vulnerabilities. Companies must remain vigilant in their efforts to secure their systems and networks to prevent supply chain attacks and other cybersecurity incidents.

