CyberWire Daily - SolarWinds and the SEC.

Episode Date: June 3, 2024

Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, presents the argument for why the SEC was misguided when it charged the SolarWinds CISO, Tim Brown, with fraud after the Russian SVR compromised the SolarWinds flagship product, Orion. Our guests are Steve Winterfeld, Akamai’s Advisory CISO, and Ted Wagner, SAP National Security Services CISO.

References:

Andrew Goldstein, Josef Ansorge, Matt Nguyen, Robert Deniston, 2024. Fatal Flaws in SEC’s Amended Complaint Against SolarWinds [Analysis]. Crime & Corruption.
Anna-Louise Jackson, 2023. Earnings Reports: What Do Quarterly Earnings Tell You? [Explainer]. Forbes.
Brian Koppelman, David Levien, Andrew Ross Sorkin, 2016 - 2023. Billions [TV Show]. IMDb.
Dan Goodin, 2024. Financial institutions have 30 days to disclose breaches under new rules [News]. Ars Technica.
David Katz, 2021. Corporate Governance Update: “Materiality” in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.
Jessica Corso, 2024. SEC Zeroes In On SolarWinds Exec In Revised Complaint [Analysis]. Law360.
Johnathan Rudy, 2024. SEC files Amended complaint against SolarWinds and CISO [Civil Action]. LinkedIn.
Joseph Menn, 2023. Former Uber security chief Sullivan avoids prison in data breach case [News]. The Washington Post.
Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon [Book]. Goodreads.
Kim Zetter, 2023. SEC Targets SolarWinds’ CISO for Rare Legal Action Over Russian Hack [WWW Document]. ZERO DAY.
Kim Zetter, 2023. SolarWinds: The Untold Story of the Boldest Supply-Chain Hack [Essay]. WIRED.
Rick Howard, 2022. Cyber sand table series: OPM [Podcast]. The CyberWire - CSO Perspectives Podcast.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Pam Baker, 2021. The SolarWinds hack timeline: Who knew what, and when? [Timeline]. CSO Online.
Staff, 2009. Generally Accepted Accounting Principles (Topic 105) [Standard]. PWC.
Staff, 30 October 2023. SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures [Website]. The U.S. Securities and Exchange Commission.
Staff, 31 October 2023. Securities and Exchange Commission v. SolarWinds Corporation and Timothy G. Brown, No. 23-civ-9518 (SDNY) [Case]. The Securities and Exchange Commission.
Staff, 29 March 2024. Cooley, Cybersecurity Leaders File Brief Opposing SEC’s SolarWinds Cyberattack Case [Press Release]. Cooley.
Stephanie Pell, Jennifer Lee, Shoba Pillay, Jen Patja Howell, 2024. The SEC SolarWinds Enforcement Action [Podcast]. The Lawfare Podcast.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Hey, everybody. We're back. We're back. We're back. In our own backyard.
Starting point is 00:01:59 Welcome to Season 14 of the CSO Perspectives podcast. I know, it's been a while since you've heard from me. Long story short, N2K took on an InfoSec project that not only consumed me and my role as the CSO for the past year, but the entire executive staff. Well, that project is finally over. At some point, I'm going to dedicate an entire episode to what we did. But if you find me in a bar at one of the upcoming cybersecurity conferences and ply me with beer, I'll tell you the entire sordid story.
Starting point is 00:02:33 In the meantime, though, it's been nine months since the last CSO Perspectives podcast, and we need to change that. Baby, I'm back. Baby, we're back. Rest assured that the interns have not been idle. They've scrubbed down the Sanctum Sanctorum so that it is so spic and span that they can see themselves in the chrome paneling. Hey, hey, hey, we're not done yet. Have you finished the sub sub-basement? Get back down there.
Starting point is 00:03:05 No celebrations until we are completely done. Aww. For this first show in Season 14, we're going to talk about SolarWinds and the SEC fraud charges against their CISO, Tim Brown, because I have a burr up my saddle about what the SEC did there, and I need to get it off my chest. So, before I mix any more metaphors, hold on to your butts. Hold on to your butts. This is going to be fun.
Starting point is 00:03:53 My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. and Exchange Commission, the SEC, charged the SolarWinds CISO, Tim Brown, with fraud in October 2023 in the aftermath of SolarWinds' very public breach in 2021, I was outraged. How could they reach into the SolarWinds organization, past the board, past the executive staff, the CEO and the CFO specifically, and charge a guy who wasn't even the CISO at the time of the breach? SolarWinds gave Tim the CISO title after they disclosed the compromise. I've been a CISO three times now, and I know the game. The CISO title is nothing more than that, a title. You might as well call me the Grand Poobah of cybersecurity, and it would have the
Starting point is 00:05:04 same power. It's something you put on your business cards or your LinkedIn profile to show that you're important. If you have it, it doesn't mean you're a company officer or board director or even on the executive staff. I mean, some of us have those things, but most of us don't. Typically, the title is a vanity plate that companies give security leaders to keep them happy and to show the world they're serious about cybersecurity. If they're lucky, public company CISOs might get asked for their input into the quarterly financial statement, the Form 10-Q, in regards to potential material cyber risk. Most times, though, CISOs are not even in the same zip code when company leaders discuss
Starting point is 00:05:45 the subject. Don't get me wrong, I love the CISO job, but I'm just realistic about what it really means. That's why I was so angry about the SEC charges. They took the least powerful leader in the company, a guy who in no way makes official public statements, a guy who doesn't have enough resources to do all the things that should be done and is constantly told to do more with less, make that guy the example of what not to do and ignore all the company leaders that do have the power. The mind boggles, and I've been fuming about it ever since. But I will say the community is divided about this. I've talked to a lot of CISOs on this topic, and I would say half think that the SEC was
Starting point is 00:06:28 completely right. Tim was in charge of security after all, they say, whether he had the CISO title or not. The positive things he was saying on the company blog and when he spoke at conferences about how good the SolarWinds InfoSec program was didn't match what he and his people were saying internally. Internally, things sounded bad. So when the Russian SVR hacking crew came knocking and found the SolarWinds InfoSec program wanting, the SolarWinds stock price took a major nosedive. Investors became angry, and somebody has to protect the investors, right? Enter the SEC.
Starting point is 00:07:01 Let's charge the CISO, who wasn't the CISO at the time, with fraud. Yep, that makes sense. Oh, no! But I'm willing to entertain the idea that I might be wrong about how crazy this sounds. This show is me trying to determine if my outrage is justified. So, let me set the stage. In December 2020, SolarWinds, a network management company, publicly disclosed that they had been the victim of a breach. Today, four years later,
Starting point is 00:07:42 we know that SolarWinds was the victim of one of the most technically complex cyber espionage campaigns conducted by the Russian SVR, also known as APT-29, also known as Cozy Bear, and also known as the Dukes. It was an innovative supply chain attack that allowed the Russians to compromise some very important customers who use the SolarWinds services, like the U.S. Department of Defense, the Department of Homeland Security, the Treasury Department, the Intel Corporation, Cisco, Palo Alto Networks, Microsoft, and Mandiant, just to name some of the more well-known of the 100 total targets. The SVR basically compromised the SolarWinds network,
Starting point is 00:08:27 penetrated their software build system, inserted malicious code into the SolarWinds flagship network monitoring product called Orion, and let SolarWinds deliver their malicious code for them, using their automatic software update mechanism. Two years later, October 2022, the SEC delivered Wells notices to the SolarWinds company, the CISO, and the CFO. A Wells notice is a letter informing recipients that the agency has completed an investigation and is planning to bring enforcement
Starting point is 00:08:59 actions against them. In this case, the SEC alleges that SolarWinds, the company, and these two employees misled investors in 2021 and before through multiple public statements about the strength of the SolarWinds InfoSec program, when in fact internal communications showed that leadership and practitioners both knew that they had significant weaknesses. The next year, October 2023, the SEC filed a civil action against Brown saying that he violated the anti-fraud provisions of the Securities Exchange Act of 1934. Essentially, he, air quotes here, schemed on his own to hide the true state of the SolarWinds InfoSec program from investors. Wow, a schemer. I'm reminded of the movie scene with the late, great Heath Ledger playing the Joker in The Dark Knight.
Starting point is 00:09:51 The mob has plans. The cops have plans. Gordon's got plans. You know, they're schemers. Schemers trying to control their little worlds. I'm not a schemer. I try to show the schemers how pathetic their attempts to control things really are. Now, try to picture Tim Brown as a schemer. That's ludicrous, really. Note, they didn't charge the CFO or the CEO, even though they named the CFO in the Wells notice earlier.
Starting point is 00:10:25 Apparently, those two weren't doing any scheming, just Tim was. From the amended complaint that the SEC filed in February 2024, here's a summary of the basic facts of the case. In 2017, Tim Brown takes a position with SolarWinds as the VP of Security. Again, let me emphasize that he's not the CISO yet. The SEC claims that between 2018 and 2020, a SolarWinds security statement remained publicly posted on its website, saying that the internal InfoSec program is overall compliant with the NIST cybersecurity framework, uses a secure development lifecycle when creating software for customers, employs network monitoring, has strong password protection,
Starting point is 00:11:12 and maintains good access controls. And they also claim that internal discussions throughout the same period demonstrates that Tim, his staff, and company senior leadership knew that there were problems with the deployment of all those tactics. In 2018, SolarWinds leadership successfully negotiated the company through an initial public offering, an IPO. They went public, but in official documents describing the company before the IPO, leadership only listed a generic and hypothetical cybersecurity risk disclosure. A year before the IPO, though, Brown had been telling leadership that the, quote,
Starting point is 00:11:50 current state of security leaves us in a very vulnerable state for our critical assets, end quote. Fast forward to 2020, the SEC cites evidence that multiple employees, including Brown and other employees not participating in the fraud, exercised their options and sold SolarWinds stock. Brown received more than $170,000 in gross proceeds. The SEC alleges that the SolarWinds stock price was inflated by the misstatements, omissions, and schemes, there's that word again, of Tim Brown's public statements on the webpage and in public speaking engagements. Weirdly, the SolarWinds CEO for the past decade, the man who shepherded the company through the IPO, Kevin Thompson, resigned from his position on 7 December and announced his
Starting point is 00:12:37 replacement, Sudhakar Ramakrishna, who didn't officially take over until January. It's weird because five days later, 12 December, the security firm Mandiant had discovered that the SolarWinds network had been compromised and their CEO, Kevin Mandia, called Thompson to tell him that his company had been hacked. Two days later, 14 December, SolarWinds filed an SEC Form 8-K report stating in part that the company, quote, had been made aware of a cyber attack that inserted a vulnerability within its Orion monitoring products. In January 2021, one of the first decisions made by the new CEO, Sudhakar Ramakrishna,
Starting point is 00:13:18 was to promote Tim Brown to CISO, which, by the way, is a typical go-to move by organizations and CEOs after experiencing a major breach and discovering that they didn't have a CISO to blame things on. Fast forward another two years, October 2022, the SEC delivered the Wells Notices. After another year, 26 July 2023, in a move that may seem unrelated to the SolarWinds breach, the SEC published their reporting rule mandating disclosure of material cyber events within five days of discovery. That rule would go into effect at the end of the year. By October 2023, though, the SEC charged Tim Brown with fraud. Six months later, February 2024, the SEC amended their initial complaint and expanded the charges. Before we go too much further, it might help to provide a description of how the Russian SVR navigated the SolarWinds
Starting point is 00:14:25 intrusion kill chain. Kim Zetter, the famed cybersecurity journalist and Cybersecurity Canon Hall of Fame author, for her 2014 book about Stuxnet called Countdown to Zero Day, wrote an excellent blow-by-blow description in Wired last spring about how the Russian SVR, generally equivalent to the American CIA, ran their attack campaign. Victim Zero was a SolarWinds VPN account that the SVR compromised on or around 30 January 2019, a full year before they installed the backdoor to the Orion software. Somehow, the attackers moved laterally undetected to compromise over a hundred different software code repositories for various
Starting point is 00:15:12 products, steal customer data about who used those products and the product code itself. And then, they disappeared for three months, presumably to study what they found. When they returned on 12 March 2019, they reconned to find the SolarWinds build environment and then disappeared again for another six months. And just a note here, the SolarWinds build environment was complex. It takes newbie developers months to understand how to legitimately navigate it. But when the SVR returned in September 2019, they knew exactly what they were doing. They dropped benign test code into the system to see if they would get discovered and monitored leadership email traffic to determine if anybody
Starting point is 00:15:58 had suspicions. Five months later, February 2020, they dropped the backdoor into the Orion software package. The impact, according to the vice chair of the House Committee on Homeland Security at the time, Congressman Ritchie Torres. A cyber attack on a software supply chain is like an infectious disease outbreak spreading widely and rapidly and causing untold damage far and wide. The SolarWinds espionage campaign against the United States, which spreads surreptitiously through a software product, represents the greatest intrusion into the federal government in the history of the United States. And that's saying a lot if you consider the Chinese compromise
Starting point is 00:16:38 of the Office of Personnel Management, OPM, back in 2014. First, let me just say that I understand what the SEC is trying to do. They want public company investors to have better information about the state of material cyber risk. According to the amended complaint, the SolarWinds stock price dropped 35% during the disclosure month, December 2020, causing investors pecuniary harm. The SEC wants investors to have better information about material cyber risk so that this kind of thing doesn't happen in the future. I get it, and I like the notion of it. It's why they passed their new disclosure rule back in 2023, mandating that public companies disclose material cyber events within five days of discovery. But in my humble opinion, to make sure the business world takes them seriously with this new disclosure rule, the SEC wanted to set an example.
Starting point is 00:17:43 SolarWinds was just a target of opportunity. That in itself doesn't invalidate their claims against SolarWinds, but it helps to keep everything in context. Second, in the amended complaint, the SEC demonstrates their complete lack of understanding of how cybersecurity works in the real world. They don't understand that material cyber risk is a probability, a measure of uncertainty about the state of the InfoSec program, not an on-off switch where if you were just compliant with the NIST cybersecurity framework or had strong password protection, no adversary campaign would penetrate your network. That's a ludicrous idea. I've recited the same bullets
Starting point is 00:18:23 that the SEC called out on the SolarWinds website to many bosses of mine in the past. Yes, we follow the NIST framework. Yes, we have a solar wind. And that's our show. Well, kind of. There's actually a whole lot more, and it's all pretty great if I do say so myself. So here's the deal.
Starting point is 00:18:43 We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head over to thecyberwire.com slash pro and sign up for an account. That's thecyberwire, all one word, dot com slash pro.
Starting point is 00:19:03 For less than a dollar a day, you can help us keep the lights on, the mics rolling, and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families,
Starting point is 00:19:24 and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro at n2k.com and we'll figure something out so you can join. I'd love to see you on N2K Pro. I'm Liz Stokes. I'm N2K CyberWire's Associate Producer. I'm Tré Hester, Audio Editor and Sound Engineer. I'm Elliott Peltzman, Executive Director of Sound and Vision. I'm Jennifer Eiben, Executive Producer. I'm Brandon Karpf, Executive Editor. I'm Simone Petrella, the President of N2K. I'm Peter Kilpe, the CEO and Publisher at N2K.
Starting point is 00:20:14 And I'm Rick Howard. Thanks for your support, everybody. Thank you. products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
