The Securities and Exchange Commission is suing SolarWinds and its chief information security officer for failing to disclose poor cybersecurity defenses in the years leading up to one of the most high-profile espionage campaigns in recent memory.
The SEC is alleging that the Austin-based software company and former CISO Timothy Brown defrauded investors from “at least” October 2018 to Jan. 12, 2021 by not disclosing gaps in their security practices. The suit is the agency’s latest attempt to force publicly traded companies to improve their security practices.
The 2020 breach of SolarWinds by Russian hackers, who used their access to the company to breach a slew of its clients, represented a turning point in public awareness of the risk posed by lax security practices in the federal and private sectors. The breach generated momentum for major policy reforms aimed at forcing big technology firms to shoulder greater responsibility for securing software.
By naming Brown in Monday’s suit, the SEC is also signaling to publicly traded corporations that it plans to hold executives personally liable for security failures. Taken together with the SEC’s move to require publicly traded firms to report breaches that have a material impact on their business, Monday’s action positions the agency as a key enforcer of the Biden administration’s push to get companies to take security more seriously.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement, in a statement.
Grewal went on to say that both SolarWinds and Brown knowingly “engaged in a campaign to paint a false picture” of their “cyber controls environment, thereby depriving investors of accurate material information.” Grewal said the suit sends a message to issuers to “implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The complaint points out that even if the Russian espionage campaign had never happened, SolarWinds “would have violated the federal securities laws” either way, “but those violations became painfully clear when SolarWinds experienced precisely such an attack.”
Asked about the action, a SolarWinds spokesperson said that the company is “disappointed by the SEC’s unfounded charges.”
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments,” the spokesperson said.
“When security personnel have to constantly worry about their words and actions being painted in a false light and used as fodder for government charges, the result will be to drive good people from the industry and to inhibit candid communication and sound decision-making,” the spokesperson added.
Alec Koch, an attorney at King & Spalding representing Brown, said in a statement that his client performed his responsibilities at SolarWinds with “diligence, integrity, and distinction” and that he had worked “tirelessly and responsibly” to improve his former employer’s cybersecurity posture. “We look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” Koch wrote in an email.
Jake Williams, a former NSA hacker and a current faculty member at IANS Research, said Monday’s suit should serve as a wake-up call to executives responsible for security.
“CISOs, especially those at publicly traded companies, should take stock of their security programs and ensure that what’s being communicated to the public is rooted in reality rather than spin and wishful thinking,” Williams said in a statement. “For those in privately held organizations, the SEC is setting a new standard for security disclosures with this lawsuit. Don’t be surprised to see that standard used in litigation if you make false, incomplete, or misleading statements about security to customers or business partners.”
In the complaint, the SEC alleges that SolarWinds failed to address risks stemming from known internal security concerns and from signs that it was being targeted in 2020. “In and around the same time that SolarWinds was making these materially misleading public statements, Brown and other SolarWinds employees knew that SolarWinds had serious cybersecurity deficiencies,” the complaint says.
The complaint points to multiple statements in emails, instant messages, and presentations by Brown and other SolarWinds employees lamenting the firm’s inadequate security protections.
In one instance, in November 2020, “Senior InfoSec Manager E” complained that the Orion platform, which Russian hackers later infiltrated, was “riddled” with security flaws and, in the manager’s words, “obviously have been for many years.”
A network engineer, discussing vulnerabilities, said, “Even if we start to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**ck this situation. Not good.”
Updated Oct. 31, 2023: This article has been updated with additional comment from a SolarWinds spokesperson.