A Texas-based technology company SolarWinds was sued by U.S. SEC, as its software was breached in a massive 2020 Russian cyber espionage campaign. SEC cyberattack announcement was for fraud of failing to disclose security deficiencies ahead of the remarkable breach.
SolarWinds top security executive was also named in the breach complaint filed by the Securities and Exchange Commission (SEC) seeking unspecified civil penalties, reimbursement of “ill-gotten gains” and the executive’s removal.
SEC sues SolarWinds for Cyberfraud
SEC detected SolarWinds breach in December 2020. The SolarWinds breach penetrated U.S. government agencies including the Justice and Homeland Security departments, and more than 100 private companies and think tanks. It was a rude wake-up call that raised awareness in Washington about the urgency of stepping up efforts to better guard against intrusions.
In the 68-page complaint filed in New York federal court, the SEC says SolarWinds and its then vice president of security, Tim Brown, defrauded investors and customers. This was done “through misstatements, omissions and schemes” that concealed both the company’s “poor cybersecurity practices and its heightened and increasing cybersecurity risks.”
SolarWinds on suing by SEC
In a statement, SolarWinds called the SEC charges of a breach unfounded and said it is “deeply concerned this action will put our national security at risk.”
Brown performed his responsibilities “with diligence, integrity, and distinction,” his lawyer, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.
SolarWinds called the SEC action an “example of the agency’s overreach (that) should alarm all public companies and committed cybersecurity professionals across the country.”
SolarWinds did not explain how the SEC’s action could put national security at risk. Though some in the cybersecurity community have argued that holding corporate information security officers personally responsible for identified vulnerabilities could make them less diligent about uncovering and/or disclosing them and discourage qualified people from aspiring to such positions.
SolarWinds’s blind eye to red flags
The SEC’s enforcement division director, Gurbir S. Grewal, said on the SolarWinds Cyberfraud that Brown ignored “repeated red flags” for years, painting “a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The very month that SolarWinds registered for an initial public offering, October 2018, Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state,” the complaint says.
Among the SEC’s cyberattack announcement: An internal SolarWinds presentation shared that year said the company’s network was “not very secure,” meaning it was vulnerable to hacking that could lead to “major reputation and financial loss.” Throughout 2019 and 2020, the SEC alleged, multiple communications among SolarWinds employees. This includes Brown, “questioned the company’s ability to protect its critical assets from cyberattacks.”
SolarWinds network
SolarWinds, which is based in Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
SEC on SolarWinds breach
The nearly two-year Russian espionage campaign involved the breach of thousands of customers by seeding malware in the update channel of the company’s network management software. Capitalizing on the supply-chain hack, Russia’s cyber operators then stealthily penetrated select targets including at least nine U.S. government agencies and prominent software and telecommunications providers.
The SEC has been aggressive about holding publicly traded companies to account for cybersecurity lapses and failures to disclose vulnerabilities. In July, SEC adopted rules requiring them to disclose within four days all cybersecurity breaches that could affect their bottom lines. Delays would be permitted if immediate disclosure poses serious national-security or public-safety risks.
SolarWinds breach affected whom
Victims of the SolarWinds breach whose Microsoft email accounts were violated included the New York federal prosecutors’ office, then-acting Homeland Security Secretary Chad Wolf and members of the department’s cybersecurity staff, whose jobs included hunting threats from foreign countries.