SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack

SolarWinds and its chief infosec officer have been charged with fraud by America's financial watchdog, which alleges the software maker knew its security was in a poor state ahead of the SUNBURST supply chain attack. In a Monday announcement the SEC alleged SolarWinds and CISO Timothy G. Brown “defrauded investors by …

  1. TReko Silver badge

    Shaky winds?

    Solarwinds may also have a bit of a nepotism problem:

    The HR head is the cousin of the CEO, Sudhakar Ramakrishna. The same was true at their previous company (Pulse Secure).

  2. Anonymous Coward
    Terminator

    SolarWinds: “Secure by Design commitments.”

    Security is only as good as the underlying system, which is .. :o

  3. Dr Who

    Brace yourselves for impact ...

    The only difference between SolarWinds and the others is that they got compromised and then got caught. We can be certain that there are many, many more supply chain vulnerabilities out there, which the developer has buried their head in the sand about, just waiting to be found and exploited by the bad guys. MOVEit alone was pretty bad.

  4. tiggity Silver badge

    Awareness of problems

    What happens if a company has issues but are unaware of them?

    e.g. let us imagine SolarWinds had not discovered the remote access issues ...

    Would they have been in a better situation (as they could argue they were totally ignorant of the problems), even though ignorance of the issues would imply major problems with their vulnerability finding / pen test methodology?

    1. Michael Wojcik Silver badge

      Re: Awareness of problems

      I've discussed this with corporate lawyers in the past. In the US, "knew or should have known" is a pretty well-established legal principle. All a plaintiff has to do is get the court to agree that the defendant had a duty to know of a problem, and it doesn't matter whether there's evidence that they did in fact know of it.

  5. mmccul

    What really is clear from reading the actual SEC release on their charges is that the charges rely heavily on supposed warnings by a single individual. That raises the question: was the individual who issued the warnings a known worrywart, with a reputation for overstating risks and demanding disproportionate security for the analyzed risk? Just because they were right this time doesn't mean that a reasonable person, at the time, would have viewed the warnings by that person as realistic or appropriate.

    I raise this point because I've been at shops where someone tried to demand completely disproportionate security to the threat profile, which would have exceeded the entire IT budget to address. I've also seen cases where risks were claimed in order to justify "security" tools that actually created more risk for the organization (I'm sure you know the kind I mean).

    I expect we'll see a lot of expert witnesses arguing that not only were the warnings commensurate to the known threat profile at the time, but that they were willfully ignored rather than postponed due to other legitimate priorities.

    1. Frank Bitterlich

      "Just because they were right this time doesn't mean that a reasonable person, at the time, would have viewed the warnings by that person as realistic or appropriate."

      I agree somewhat, but in hindsight, there clearly was a security problem, which they didn't recognize, understand, or detect; so the warnings of that individual were accurate. If the C-suite declares the company and products "secure", and they are not, they will take the heat for it. If you don't trust your employees (justifiably or not) when they're warning about risks, it's your responsibility as CISO to make sure there is no wolf - regardless of how many times anybody has cried wolf.

  6. Frank Bitterlich
    WTF?

    National security

    "We are disappointed [...] and are deeply concerned this action will put our national security at risk."

    So, holding execs responsible creates a national security risk? That type of rhetoric sounds strangely familiar. "TOTALLY UNFAIR!"

  7. Marty McFly Silver badge
    FAIL

    Note to future CISOs

    Do not, ever, be honest in reporting security issues. Security takes time & money to implement. Let's review...

    The Solarwinds CISO being held accountable delivered presentations in 2018 & 2019 acknowledging their security issues. These presentations are the basis under which the SEC is filing the fraud charges.

    Analysis of the Sunburst attack uncovered the earliest code modification happened in October 2019. That means the threat actors were ALREADY inside the organization during the time the CISO delivered the presentations. I am assuming those presentations were made by the CISO as part of a 'plea for money' from the BoD/CFO/CEO.

    Even if the money people opened the bank and said 'take as much as you want', there still wasn't enough time to mitigate this supply chain attack. The CISO gets burned at the stake for something they only could have avoided by lying in their presentations back in 2018 & 2019.

    Current CISOs are watching and quietly deleting old presentations as a precautionary measure, and whitewashing future presentations. Much better to be successfully attacked and subsequently fired for being incompetent than to be fired and held criminally liable for being honest.

    Filing fraud charges against this CISO is absolutely the wrong thing to do. Epic fail on the government's part if they want to avoid repeat situations. It will drive a behavior of concealment & secrecy, rather than transparency & openness.
