Chief information security officers (CISOs) around the world are on notice after US regulators levelled fraud charges against SolarWinds CISO Timothy Brown, alleging that he overstated the company’s security to investors and failed to prevent a catastrophic 2020 cyber attack.
The charges – which were announced by the US Securities and Exchange Commission (SEC) after its investigation into the massive 2020 ‘Sunburst’ compromise of SolarWinds’ Orion software tool – blamed the attacks on Brown, sparing other executives including previously-warned CFO J Barton Kalsu.
For years, the 68-page SEC complaint alleges, the CISO “ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company,” SEC Division of Enforcement director Gurbir Grewal said.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Sunburst saw malicious cyber criminals compromise Orion’s software update mechanism and insert malware into software updates between March and June 2020 – leaving over 18,000 of the company’s 33,000 Orion customers vulnerable to malicious actors.
The US government formally blamed the Russian Foreign Intelligence Service (SVR) for the attack – which spawned a worldwide panic, a spate of corporate finger-pointing, reports that a senior executive had used a password as simple as ‘solarwinds123’, and allegations that Microsoft’s Azure cloud had played a role as CISOs around the world raced to evaluate their exposure.
US government departments were among the victims, with Russia monitoring their networks for months undetected – but the compromise’s repercussions went much further, with one DomainTools survey finding that 21.1 per cent of respondents had discovered they were breached during the attack and 37.5 per cent saying it had “a direct impact” on their jobs.
The SEC found that Brown knew SolarWinds had poor security: he was aware of “specific deficiencies in SolarWinds’ cyber security practices” and even gave multiple internal presentations in which he said that the company’s security had put it in “a very vulnerable state for our critical assets”, and that a “not very secure” remote access setup would allow cyber criminals to “basically do whatever without us detecting it until it’s too late.”
Another internal document warned that the company’s backend systems “are not that resilient” and that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of engineering teams to resolve.”
For all his internal candour, however, the SEC alleges that Brown not only failed to resolve the issues but actively “misled investors” by describing the security risks as generic and hypothetical to avoid affecting the share price of the company, which had just gone public in October 2018.
Even when the Sunburst attack came to light in late 2020, the SEC says SolarWinds “made an incomplete disclosure” about it – yet even that watered-down filing caused a sell-off amongst investors, driving down the company’s share price by 25 per cent in two days and 35 per cent by month’s end.
A chilling effect for CISOs
The SEC action comes as a reminder of how critical it is for companies to address cyber security risk at the most senior levels, with serious potential consequences for those that fail to do the right thing.
Equally significant is the SEC’s decision to hold the CISO personally responsible for the company’s shortcomings while sparing its other executives – including 11-year CEO Kevin Thompson, who inexplicably resigned just days before the breach was publicised and handed the job of cleaning up his mess to optimistic incoming CEO Sudhakar Ramakrishna.
Brown’s targeting, however, is likely to raise concerns amongst CISOs – many of whom admit they are unprepared to protect their businesses and are struggling to maintain their mental health, with many ready to quit their jobs or the industry altogether – in the face of overwhelming pressure to protect their organisations from tidal waves of cyber crime.
The SEC isn’t the only regulator becoming increasingly aggressive about the need for security and business executives to step up on security: penalties were recently increased, and many are pushing for personal liability for Australian executives, who have been rated as overconfident on security and well behind global standards as they revisit their cyber response strategies.
Last year, ASIC won a $750,000 Federal Court decision against financial services company RI Advice for failing to uphold a “reasonable standard” of cyber security – which is now recognised as a corporate risk requiring similar controls to other financial, operational, supply chain, resourcing, and other business risks.
As insurance provider MLC Life Insurance learned earlier this year, failing to keep critical IT systems current and effective can be an expensive shortfall – and with prudential regulator APRA recently putting executives on notice about their responsibilities to prevent data breaches, the onus on CISOs and business executives is only likely to continue increasing.