SolarWinds slams SEC lawsuit against it as 'unprecedented' victim blaming
18,000 customers, including the Pentagon and Microsoft, may have other thoughts
SolarWinds – whose network monitoring software was backdoored by Russian spies so that the biz's customers could be spied upon – has accused America's financial watchdog of seeking to "revictimise the victim" after the agency sued it over the 2020 attack.
In a motion to dismiss [PDF] the SEC's lawsuit, the embattled developer described the fraud charges leveled against it, and its CISO Tim Brown, "as unfounded as they are unprecedented."
In a statement to The Register, Serrin Turner, an attorney at Latham and Watkins, which is representing SolarWinds, railed against the SEC's charges.
"SolarWinds made proper, accurate disclosures both before and after the unprecedented SUNBURST cyberattack, which is why this case should be dismissed," Turner said. "The SEC is trying to move the goalposts and force companies to disclose internal details about their cybersecurity programs, which would be both impractical and dangerous."
In late October, the SEC filed the legal complaint against SolarWinds alleging that the company and its CISO misled investors about its security practices as far back as October 2018. This all culminated in the firm's December 2020 disclosure that its Orion networking tool had been backdoored and public and private customers had been compromised as a result of deploying the malicious code. It was later determined by the US government that the culprits were Russian state-sponsored spies.
Around 18,000 organizations downloaded the poisoned software, although the number that were hacked by Russia's Cozy Bear was about 100. These include Microsoft, Intel, FireEye and Cisco, as well as US government agencies including Treasury, Justice and Energy departments, and the Pentagon.
In a very lengthy document [PDF] filed on Friday, SolarWinds' attorneys argue that the SEC's claims fail across the board and that management did not make any materially misleading statements:
First, SolarWinds' risk factors specifically warned that its systems "are vulnerable" to "sophisticated nation-state" actors—the very risk that materialized. The SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings. But that is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers.
It also calls the commission's case against Brown "not only unwarranted but inexplicable." Brown didn't play a role in SolarWinds' risk disclosures, and he didn't do anything to deceive investors, the court documents claim.
"Mr Brown is an experienced and well-respected professional who simply did his job during the events in question (and did it well)," they say. "The SEC's gratuitous charges against him should be rejected."
The SEC did not respond to The Register's request for comment.