“When everyone believes you, what’s that like?”
In case you are not a Taylor Swift fan, the title of this article comes from the song “The Man.” However, this article borrows the feminist hypothetical and applies it to infosec professionals of both genders.
Approximately two months ago, the SolarWinds breach completely rocked the infosec and cybersecurity world by exposing the virtual presence of Russian spies in major U.S. government and private industry entities for the last 10 months. And, as with most man-made disasters, this event could have been avoided by listening to a few seemingly insignificant voices.
Indeed, India-based bug-bounty hunter Vinoth Kumar notified SolarWinds in 2019 that the password for its update servers was “solarwinds123” (likely a default password). Thus, the servers were very easily penetrated. Furthermore, Reuters reports that SolarWinds was aware that the infamous Kazakh hacker “fxmsp” was selling SolarWinds access credentials as early as 2017.
Now, multiple law firms are lining up to represent classes of plaintiffs impacted by the breach (should have been a Plaintiffs’ attorney, D’oh!). The first class-action lawsuit was filed in U.S. District Court for the Western District of Texas, and the firm of Hagens Berman urges SolarWinds investors to join its securities fraud class action by contacting them at SWI@hbsslaw.com.
Unfortunately, SolarWinds’ choice to ignore Kumar’s warning is not an unfamiliar event. Documents revealed in the lawsuit following Facebook’s massive September 2018 data breach show that the company received repeated warnings from its employees that went ignored. As early as December 2017, Facebook’s engineers advised that access tokens, which are used to verify user identities, were easily exploitable. No one listened. Today, Facebook still awaits the final approval hearing of its class action settlement on April 8, 2021. But in addition to an undisclosed monetary settlement, Facebook will undergo 5 years of third-party audits, increased integrity checks, SOC 2 Type II security assessments, and other precautions.
How does this stuff happen? Why didn’t more people report these types of security flaws to the government? The answer is that speaking out is risky.
Employees and contractors of the Federal government may receive whistleblower protections, and be shielded from retaliation, for reporting their immediate supervisors or employers to the U.S. Government for fraudulent or criminal behavior. Cybersecurity professionals do not always enjoy the same rights.
Most whistleblower protections fall into one of three categories: 1) fraud involving the government or government resources; 2) banking or securities fraud; or 3) threats to public safety (including violations of the Atomic Energy Act). Absent those categories, reporting negligent cyber hygiene (despite catastrophic consequences) does not protect those brave enough to speak out.
According to the United States Third Circuit Court of Appeals in Reilly v. GlaxoSmithKline, an employee termination during an internal investigation into that employee’s complaints about deficiencies with the employer’s information technology and cybersecurity infrastructure “fails to identify a prohibition within the scope of SOX.” (pg. 8) Specifically, the terminated employee failed to demonstrate that he reasonably believed that he was engaging in a “protected activity” by reporting some kind of “fraud, illegal activity, or anything that could reasonably be perceived to be a violation of the six enumerated categories in SOX.” The Third Circuit’s decision against finding a SOX violation further rested on the fact that the employer disclosed the “risk to its business posed by ‘[f]ailure to adequately protect critical and sensitive systems and information . . . which could materially and adversely affect financial results’” on its Form 20-F, which serves as part of its annual report to the SEC.
While some legal blogs are calling for sweeping federal legislation to provide whistleblower protections for cybersecurity professionals, there is a missing step: comprehensive federal data protection legislation to invoke a uniform standard.