SolarWinds says SEC sucks: Watchdog 'lacks competence' to regulate cybersecurity

SolarWinds has come out guns blazing to defend itself following the US Securities and Exchange Commission's announcement that it will be suing both the IT software maker and its CISO over the 2020 SUNBURST cyberattack.

The vendor said the SEC's lawsuit is "fundamentally flawed," both from a legal and factual perspective, and that it will be defending the charges "vigorously."

A lengthy blog post, published on Wednesday, dissected some of the SEC's allegations, which it evidently believes to be false. The first of which was that SolarWinds lacked adequate security controls before the SUNBURST attack took place.

"We categorically deny those allegations," asserted SolarWinds. "The company had appropriate cybersecurity controls in place before SUNBURST. The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture."

It later went on to accuse the regulator of overreaching and "twisting the facts" in a bid to expand its regulatory footprint, as well as claiming the body "lacks the authority or competence to regulate public companies' cybersecurity."

The SEC's cybersecurity-related capabilities were again questioned when SolarWinds addressed the allegations that it didn't follow the NIST Cybersecurity Framework (CSF) at the time of the attack. 

It said the evidence provided was a preliminary report regarding the adherence to different standards – NIST Special Publication (SP) 800-53 and FedRAMP – and these are "entirely different" to CSF.

Most of the attention SolarWinds gave to debunking the SEC's claims was related to technical matters, such as its response to a claim that a VPN vulnerability allowed the SUNBURST attackers to access SolarWinds' systems – the company said the allegation was false, and that there was no VPN vulnerability.

However, the thrust of the SEC's lawsuit concerns how the communication from and actions taken by the company and its CISO, Timothy G Brown, allegedly misled investors about its security practices and known risks, and there are claims SolarWinds did not directly address in its riposte.

For example, the allegations that SolarWinds and Brown said in a security statement posted to its website that the company had least-privilege access controls enabled for sensitive data stores were described as "materially false and misleading" by the SEC.

Further, the SEC alleged that a 2019 internal report warned that those access controls were "inappropriate" and that reports in March and October 2020 warned of "significant deficiencies" in those controls. 

Brown is also alleged in the SEC's suit [PDF] to have told senior managers "bluntly" that claims made by the company in its security statement about its secure development lifecycle (SDL) were false.

"I've gotten feedback that we don't do some of the things that are indicated in the [Security Statement's SDL section]," Brown is alleged to have said in January 2018, nearly three years prior to SUNBURST being announced.

"I want to make sure that you all have an answer to this. The simple response is: There is improvement needed to be able to meet the security expectations of a Secure Development Lifecycle. We will be working with teams throughout 2018 to begin incorporating the SDL into their development lifecycle."

Elsewhere, the SEC claims that two-and-a-half years later, in June 2020, there were still portions of the affected Orion platform that weren't developed under the SDL process.

Other allegations made against SolarWinds, based on the thoughts expressed by security employees, related to the concerns repeatedly expressed by SolarWinds staff.

Some were disgusted by the company's security posture, while one network engineer complained that the company was filing more vulnerabilities than they could feasibly fix.

"Even though Brown and/or other SolarWinds employees and executives knew about these risks, vulnerabilities, and attacks against SolarWinds' products, SolarWinds' cybersecurity risk disclosures did not disclose them in any way, either individually or by disclosing the increased risk they collectively posed to SolarWinds," the lawsuit read.

As for matters related to the communication of its alleged security issues prior to SUNBURST becoming public knowledge, SolarWinds said its disclosures were "accurate both before and after the attack."

The points the company raised after will likely form the basis of significant industry change in cybersecurity, when all is said and done. They present an interesting dichotomy when choosing how publicly transparent to be about issues such as SolarWinds.

SolarWinds said that to disclose at depth the major security issues it is alleged to have been experiencing before SUNBURST would be "illogical and dangerous," and could have provided a roadmap for attackers to exploit weaknesses in systems.

• SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack
• Warning on SolarWinds-like supply-chain attacks: 'They're just getting bigger'
• We're just shouting into the void, says US watchdog offering cybersecurity advice
• SolarWinds reaches $26m settlement with shareholders, expects SEC action

It said this type of information shouldn't be included in disclosures to investors in order to prevent any cybersecurity incidents from following as a result.

And it makes a fair point – just look at the case of F5's BIG-IP vulnerability being exploited in under five days following disclosure. The same danger was exemplified in October's Atlassian zero-day, which was exploited eight days after disclosure.

A July 2022 report also claimed that attackers start scanning for vulnerabilities within 15 minutes of disclosure.

However, there is certainly a valid argument to say investors deserve to understand issues with a company before they decide to funnel their money into it. And if all the alleged issues within the company are proven true, it could be argued that it's only right that they are known at least to their clients, if not the rest of the world.

A tricky impasse indeed.

CISOs need to be held accountable for their actions too, and the threat to their personal livelihoods highlighted by the SolarWinds case will both keep them accountable for proper conduct, as well as empower them to reject any attempts to cut corners.

During their day-to-day, they may be told to do certain things by the CEO against their will, or conversely they may keep other things from their boss too. But, as cybersecurity expert and Faculty member at IANS Research Jake Williams said, the SolarWinds case is likely to provide more power to CISOs in the future, regardless of the result.

"The SEC litigation against SolarWinds is going to do more to advance security than another decade of breaches would," he said.

"CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead."

Responding to Williams, Microsoft's director of threat intelligence strategy, Sherrod DeGrippo, highlighted the fact that CISOs and their security controls aren't regulated in the same way as their counterparts in the finance space.

When cybersecurity controls are responsible for securing the highly regulated financial controls and the CFOs responsible for them, it makes sense to ensure CISOs are held to equally high regulatory standards.

Speaking on The Cyber Ranch podcast, cybersecurity lawyer Evan Wolff said that one of the key takeaways from this case for CISOs going forward will be to make sure everything that's said publicly is defensible and that they're extra careful in not exaggerating any truths.

Rounding off its response, SolarWinds said the SEC's lawsuit "threatens to harm security by pressuring companies to disclose sensitive security information in public filings."

"The SEC's complaint also threatens to discourage CISOs and other cybersecurity personnel from candidly evaluating and discussing risks internally as is necessary for continuous improvement through identifying areas where security can be strengthened.

"If security personnel must constantly worry about their well-intentioned words and actions being mischaracterized in a false light and used as fodder for government charges, the result will be to drive good people from the industry and inhibit frank communication and sound decision-making about security issues." ®