CISO Accountability Gets Scarier
Recent events unrelated to actual cyber-crime give CISOs and CIOs more reason to worry. Just five years ago, the thought of a CISO being criminally charged for poor work performance was foreign. Today, it is a reality. The Securities and Exchange Commission (SEC) and other federal agencies are recognizing how critical the CIO/CISO roles are and holding them proportionally responsible for failure to perform their duties effectively and truthfully.
In May 2023, the former Chief Security Officer of Uber was sentenced to three years’ probation and 200 hours of community service for covering up a 2016 cyber attack against the ride-share company. Although he avoided time in a prison cell, Joe Sullivan was found guilty of obstructing a Federal Trade Commission investigation after concealing a massive breach of Uber’s customer data and paying the hacker $100,000.00 in hush money.
On October 30, 2023, the Securities and Exchange Commission filed criminal charges against SolarWinds and Tim Brown, SolarWinds’ Chief Information Security Officer (CISO). Unexpectedly, the charges do not stem from the massive December 2020 infiltration of SolarWinds’ Orion platform. Rather, the charges are for false statements made by SolarWinds and Brown in SEC filings regarding the company’s cyber hygiene, collectively amounting to securities fraud.
The 2020 infiltration of SolarWinds’ Orion platform gave bad actors administrative privileges in networks running the software product, including those of the Department of Defense, the Department of Commerce, and several Fortune 500 companies. Using the vulnerabilities identified through that infiltration, the SEC reviewed the company’s SEC filings and investor materials for potentially misleading information. Unfortunately for SolarWinds and its CISO, these efforts revealed multiple evidentiary items about the true cybersecurity status of the company and its products, which directly contradict its earlier public statements.
The SEC found that prior to its Initial Public Offering in October 2018, SolarWinds failed to disclose any of its cybersecurity vulnerabilities, which is a critical valuation aspect for a software company. Behind closed doors in October 2018, Brown stated that the company’s “current state of security leaves us in a very vulnerable state for our critical assets.”
Despite this internal admission, Brown “made materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices” by omitting the true cybersecurity posture in the company’s Form S-1, S-8, and 8-K statements/forms filed with the SEC, instead “touting the Company’s supposedly strong cybersecurity practices.”
In 2020, internal emails discovered during the SEC’s investigation showed that SolarWinds engineers were consistently reporting long-standing vulnerabilities, one such email stating “Can’t really figure out how to unf**k this situation. Not good.” In a July 2020 internal presentation, Brown warned that known threat actors were aware of SolarWinds’ product vulnerabilities and how to “shut off backups, etc.” Despite this knowledge, the company continued to deliver products with known, ongoing security gaps to more than 18,000 customers.
SolarWinds failed to implement many NIST security practices, in direct contravention of its U.S. Government customer requirements, and even failed to adhere to its own self-imposed password practices. Between November 2018 and November 2020, SolarWinds filed 13 statements with the SEC, none of which acknowledged its known cybersecurity deficiencies or the inherent risks.
The SEC’s complaint states that “SolarWinds stock price was inflated by the misstatements, omissions, and schemes discussed in this Complaint,” and further accuses Brown of selling inflated SolarWinds stock before the full impact of the 2020 compromise became public. Indeed, between February 2020 and the end of August 2020, Brown sold 9,000 shares of SolarWinds at a profit of $170,000, according to New York Stock Exchange records provided by the SEC. By the end of December 2020, SolarWinds’ stock price had dropped by 35%.
Together with the Sullivan case, Brown’s actions and the charges against him serve as a warning to all CISOs and CIOs not to allow prophylactic statements about cybersecurity into investor and SEC materials, and to seriously address known vulnerabilities. The only surprise in the SEC’s complaint was the absence of other C-suite executives from the list of defendants.