SolarWinds says SEC sucks: Watchdog 'lacks competence' to regulate cybersecurity

SolarWinds has come out guns blazing to defend itself following the US Securities and Exchange Commission's announcement that it will be suing both the IT software maker and its CISO over the 2020 SUNBURST cyberattack. The vendor said the SEC's lawsuit is "fundamentally flawed," both from a legal and factual perspective, and …

  1. chuckufarley Silver badge

    In my opinion...

    ...The chain of events that leads to large scale attacks like these is often long, tangled, and punctuated by Board Level employees cutting corners to supply bigger dividends. The failures often go beyond the company and its culture to include politicians pushing for hands-off government regulations. The fact that Solarwinds is still in business seems like another symptom of the runaway capitalist societies we live in, at least to me.

    I do not think Solarwinds is free of fault. But then again neither is the SEC, the FTC, or the FCC. Without a unified government body with strong enforcement powers to regulate IT standards and practices in the business world we are destined to watch this story play out again and again where only the names have been changed to protect the innocent...and the guilty.

    1. Cliffwilliams44 Silver badge

      Re: In my opinion...

      Sorry, it is not the SEC, DTC or FCC's fault, it is Solarwinds!

      Just because someone sets a standard does not mean that is all you need to do. Government standards are notoriously poor!

      This nonsense that "I don't have to do anything more than the government requires is just that, nonsense."

      The only requirement should be "We don't care how you do it just protect yours and your customers data, or you will go to jail."

      1. Jon 37 Silver badge

        Re: In my opinion...

        There needs to be a balance.

        Even the best security can be breached. Putting people in prison for not being perfect, leads to covering up breaches, which is counterproductive.

        But in this case, their security failures were so severe that prosecuting the company seems reasonable.

        1. Strahd Ivarius Silver badge

          Re: In my opinion...

          Don't forget that SolarWinds made a huge mistake: it lied to stockholders...

          In USA, this is a cardinal sin.

  2. karlp

    I understand they must vigorously defend themselves. To do otherwise would likely be a dereliction of their duties.

    But let’s be real. solarwinds123

  3. anothercynic Silver badge

    Nuff sed

    Pot. Kettle. Black.

    1. Anonymous Coward

      Re: Nuff sed

      Black pot, fairly shiny kettle!

  4. Anonymous Coward
    Terminator

    SolarWinds lacked adequate security controls

    > [SolarWinds] dissected some of the SEC's allegations, which it evidently believes to be false. The first of which was that SolarWinds lacked adequate security controls before the SUNBURST attack took place.

    Well obviously they were inadequate, SolarWinds got hacked.

    > Most of the attention SolarWinds gave to debunking the SEC's claims was related to technical matters, such as its response to a claim that a VPN vulnerability allowed the SUNBURST attackers to access SolarWinds' systems – the company said the allegation was false, and that there was no VPN vulnerability.

    SolarWinds delivered the backdoor malware as an update to its Orion software. A plausible scenario would be a techie's home desktop got hacked and the hackers accessed SolarWinds through a VPN.

    > SolarWinds says SEC sucks: Watchdog 'lacks competence' to regulate cybersecurity

    You can't regulate cyber security as the people doing the hacking are crooks /s

  5. Cliffwilliams44 Silver badge

    Hardly!

    "The company had appropriate cybersecurity controls in place before SUNBURST."

    Which failed spectacularly! So, they were not appropriate!

    1. Bitsminer Silver badge

      Re: Hardly!

      They had a set of controls that could not defend against all possible attacks.

      It's the old story: the defender has to be right all the time but the attacker only has to be right once.

      If (a big *if*) Solarwinds had a risk-based approach to controls, and had mitigations in place for most of the serious risks, then they were doing all right. In spite of being hacked.

      Perfection is impossible in cyber security. Unless you put your PDP-11 in a closet and turn it off, that is.

    2. Anonymous Coward

      Re: Hardly!

      They had adequate controls.

      The backdoor they delivered to all their clients was mandated by a secret court order...

  6. Anonymous Coward

    No mention of the alleged method for delivery of the hack.....

    ....which was that the hackers inserted malware into SolarWinds software development environment.....

    ....and waited for SolarWinds to use the malware components and then ship their product.....

    ....not your standard hack by any stretch of the imagination!!!

    1. mikepren

      Re: No mention of the alleged method for delivery of the hack.....

      But they should still be securing their supply chain. Where was their module signing?

  7. big_D
    Headmaster

    Zero day?

    The same danger was exemplified in October's Atlassian zero-day, which was exploited eight days after disclosure.

    If it was first exploited 8 days after disclosure, it wasn't a zero day. Zero day means that it was being actively exploited before the developer was informed... So, it can't be a zero day and only exploited after disclosure...

  8. Marty McFly Silver badge
    FAIL

    The bottom line...

    Re-read the last two paragraphs of the article. The government is creating an adversarial rather than collaborative relationship with CISOs.

    Future CISO job negotiations with the Board will look like this...

    "Since we all accept the paradigm of 'It is not if, it is when', I will protect the C-level and take the hit when it happens. You can eject me with a fat golden parachute. Publicly blame me for incompetence all you want, but protect me from being legally implicated in anything criminal. Deal?"

    Seriously. If we are going to permit the SEC to go on a witch hunt when a bad day happens, this is what the CISO's function will become: Be the public sacrifice to protect the others.

  9. sitta_europea Silver badge

    "...However, there is certainly a valid argument to say investors deserve to understand issues with a company before they decide to funnel their money into it. ..."

    It's more than just a valid argument. It's the law, more or less *everywhere*.

    Once upon a time, when the company I started with a couple of friends was going public, the thieves who were writing the prospectus were talking about sales figures which were twice what I, as the company's Technical Director, knew we could make - even if we had the orders, which was a big if - because that much production exceeded the global capacity of the industry to make one of the components. The component was a particular type of radiation detector, which at the time was made by only two companies in the world. We'd pre-bought their entire output for the next several years.

    At a board meeting I stood up and said, "I won't sign this". Not because it would have been fraud, which it would have been, but because it was just wrong.

    There was a lot of shouting, and some threats, but as a direct result of my refusal to allow the scam a lot of investors didn't get hoodwinked.

    A couple of years later they did another Public Offering, this time without the inconvenience of an honest Technical Director.

    Frankly, some people will say *anything* to make a fast buck.

    Sometimes I wish I could do that too but I'm just not made that way.

    Sometimes I think I'm in the minority.

    1. Anonymous Coward

      I think it should be mandatory to disclose vulnerabilities to the shareholders - they have a legal right to know about such risks - but not in sufficient detail to exploit them. "We have a vulnerability where a public-facing server will accept a carefully-crafted request that will allow the unauthenticated user to run anything they want on our systems, and we're planning on fixing it in a year or two" is plenty of info for a shareholder to make a very swift decision.
