CSO Perspectives (public) 6.3.24
Ep 89 | 6.3.24

SolarWinds and the SEC.


Rick Howard: Hey, everybody, we're back. [ Music ] Welcome to Season 14 of the CSO Perspectives podcast. I know it's been a while since you've heard from me. Long story short, N2K took on an InfoSec program project that not only consumed me and my role as the CSO for the past year, but the entire executive staff. Well, that project is finally over. At some point, I'm going to dedicate an entire episode to what we did, but if you find me in a bar at one of the upcoming cybersecurity conferences and ply me with beer, I'll tell you the entire sordid story. In the meantime though, it's been nine months since the last CSO Perspectives podcast and we need to change that. [ Music ] Rest assured that the interns have not been idle. They've scrubbed down the sanctum sanctorum so that it is so spick and span that they can see themselves in the chrome paneling. Hey, hey, hey. We're not done yet. Have you finished the sub-subbasement? Get back down there. No celebrations until we are completely done. For this first show in Season 14, we're going to talk about SolarWinds and the SEC fraud charges against their CISO, Tim Brown, because I have a burr up my saddle about what the SEC did there, and I need to get it off my chest. So before I mix any more metaphors, hold onto your butts. This is going to be fun. [ Music ] My name is Rick Howard and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum Studios located underwater, somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good ol' US of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] When the United States Securities and Exchange Commission, the SEC, charged the SolarWinds CISO, Tim Brown, with fraud in October 2023, in the aftermath of SolarWinds' very public breach in 2021, I was outraged. 
How could they reach into the SolarWinds organization past the board, past the executive staff, the CEO and the CFO specifically, and charge a guy who wasn't even the CISO at the time of the breach? SolarWinds gave Tim the CISO title after they disclosed the compromise. I've been a CISO three times now, and I know the game. The CISO title is nothing more than that. A title. You might as well call me the Grand Poobah of Cybersecurity and it would have the same power. It's something you put on your business cards or your LinkedIn profile to show that you're important. If you have it, it doesn't mean you're a company officer or a board director or even on the executive staff. Some of us have those things, but most of us don't. Typically, the title is a vanity plate that companies give security leaders to keep them happy and to show the world they're serious about cybersecurity. If they're lucky, public company CISOs might get asked for their input into the quarterly financial statement, the Form 10-Q, in regards to potential material cyber risk. Most times though, CISOs are not even in the same zip code when company leaders discuss the subject. Don't get me wrong, I love the CSO job, but I'm just realistic about what it really means. That's why I was so angry about the SEC charges. They took the least powerful leader in the company. A guy who in no way makes official public statements, a guy who doesn't have enough resources to do all the things that should be done and is constantly told to do more with less. Make that guy the example of what not to do and ignore all the company leaders that do have the power. The mind boggles, and I've been fuming about it ever since. But I will say the community is divided about this. I've talked to a lot of CISOs on this topic, and I would say half think that the SEC was completely right. Tim was in charge of security, after all, they say, whether he had the CISO title or not. 
The positive things he was saying on the company blog, and when he spoke at conferences about how good the SolarWinds InfoSec program was, didn't match what he and his people were saying internally. Internally, things sounded bad. So when the Russian SVR hacking crew came knocking and found the SolarWinds InfoSec program wanting, the SolarWinds stock price took a major nosedive, investors became angry, and somebody has to protect the investors. Enter the SEC. Let's charge the CISO who wasn't the CISO at the time with fraud. That makes sense. But I'm willing to entertain the idea that I might be wrong about how crazy this sounds. This show is me trying to determine if my outrage is justified. So let me set the stage. [ Music ] In December 2020, SolarWinds, a network management company, publicly disclosed that they had been the victim of a breach. Today, four years later, we know that SolarWinds was the victim of one of the most technically complex cyber espionage campaigns conducted by the Russian SVR, also known as APT29, also known as Cozy Bear, and also known as the Dukes. It was an innovative supply chain attack that allowed the Russians to compromise some very important customers who use the SolarWinds services, like the US Department of Defense, the Department of Homeland Security, the Treasury Department, the Intel Corporation, Cisco, Palo Alto Networks, Microsoft, and Mandiant, just to name some of the more well-known of the 100 total targets. The SVR basically compromised the SolarWinds network, penetrated their software build system, inserted malicious code into the SolarWinds flagship network monitoring product called Orion, and let SolarWinds deliver their malicious code for them via their automatic software update mechanism. Two years later, October 2022, the SEC delivered Wells notices to the SolarWinds company, the CISO and the CFO. 
A Wells notice is a letter informing recipients that the agency has completed an investigation and is planning to bring enforcement actions against them. In this case, the SEC alleges that SolarWinds, the company, and these two employees misled investors in 2021 and before, through multiple public statements about the strength of the SolarWinds InfoSec program, when in fact internal communications showed that leadership and practitioners both knew that they had significant weaknesses. The next year, October 2023, the SEC filed a civil action against Brown saying that he violated the anti-fraud provisions of the Securities Exchange Act of 1934. Essentially, he, air quotes here, "schemed" on his own to hide the true state of the SolarWinds InfoSec program from investors. Wow, a schemer. I'm reminded of the movie scene with the late, great Heath Ledger playing the Joker in The Dark Knight.

Unidentified Person: The mob has plans. The cops have plans. Gordon's got plans, you know, they're schemers. Schemers trying to control their little worlds. I'm not a schemer. I try to show the schemers how pathetic their attempts to control things really are.

Rick Howard: Now, try to picture Tim Brown as a schemer. That's ludicrous really. Note, they didn't charge the CFO or the CEO, even though they named the CFO in the Wells notice earlier. Apparently those two weren't doing any scheming. Just Tim was. From the amended complaint that the SEC filed in February 2024, here's a summary of the basic facts of the case. In 2017, Tim Brown takes a position with SolarWinds as the VP of security. Again, let me emphasize that he's not the CISO yet. The SEC claims that between 2018 and 2020, a SolarWinds security statement remained publicly posted on its website saying that the internal InfoSec program is overall compliant with the NIST Cybersecurity Framework, uses a secure development lifecycle when creating software for customers, employs network monitoring, has strong password protection, and maintains good access controls, and they also claim that internal discussions throughout the same period demonstrate that Tim, his staff and company senior leadership knew that there were problems with the deployment of all those tactics. In 2018, SolarWinds leadership successfully negotiated the company through an initial public offering, an IPO. They went public, but in official documents describing the company before the IPO, leadership only listed a generic and hypothetical cybersecurity risk disclosure. A year before the IPO though, Brown had been telling leadership that the "current state of security leaves us in a very vulnerable state for our critical assets." Fast forward to 2020, the SEC cites evidence that multiple employees, including Brown and other employees not participating in the fraud, exercised their options and sold SolarWinds stock. Brown received more than $170,000 in gross proceeds. The SEC alleges that the SolarWinds stock price was inflated by the misstatements, omissions and schemes, there's that word again, of Tim Brown's public statements on the webpage and in public speaking engagements. 
Weirdly, the SolarWinds CEO for the past decade, the man who shepherded the company through the IPO, Kevin Thompson, resigned from his position on 7 December and announced his replacement, Sudhakar Ramakrishna, who didn't officially take over until January. It's weird because five days later, 12 December, the security firm Mandiant had discovered that the SolarWinds network had been compromised, and their CEO Kevin Mandia called Thompson to tell him that his company had been hacked. Two days later, 14 December, SolarWinds filed an SEC Form 8-K report stating in part that the company "had been made aware of a cyber attack that inserted a vulnerability within its Orion monitoring products." In January 2021, one of the first decisions made by the new CEO, Sudhakar Ramakrishna, was to promote Tim Brown to CISO, which by the way is a typical go-to move by organizations and CEOs after experiencing a major breach and discovering that they didn't have a CISO to blame things on. Fast forward another two years, October 2022, the SEC delivered the Wells notices. After another year, on 26 July 2023, in a move that may seem unrelated to the SolarWinds breach, the SEC published their reporting rule, mandating disclosure of material cyber events within five days of discovery. That rule would go into effect at the end of the year. By October 2023, though, the SEC charged Tim Brown with fraud. Six months later, February 2024, the SEC amended their initial complaint and expanded the charges. [ Music ] Before we go too much further, it might help to provide a description of how the Russian SVR navigated the SolarWinds intrusion kill chain. Kim Zetter, the famed cybersecurity journalist and Cybersecurity Canon Hall of Fame author for her 2014 book about Stuxnet called Countdown to Zero Day, wrote an excellent blow-by-blow description in Wired last spring about how the Russian SVR, generally equivalent to the American CIA, ran their attack campaign. 
Victim Zero was a SolarWinds VPN account that the SVR compromised on or around 30 January 2019, a full year before they installed the back door to the Orion software. Somehow the attackers moved laterally, undetected, to compromise over 100 different software code repositories for various products, steal customer data about who used those products, and steal the product code itself. And then they disappeared for three months, presumably to study what they found. When they returned on 12 March 2019, they did recon to find the SolarWinds build environment and then disappeared again for another six months. And just a note here, the SolarWinds build environment was complex. It takes newbie developers months to understand how to legitimately navigate it, but when the SVR returned in September 2019, they knew exactly what they were doing. They dropped benign test code into the system to see if they would get discovered and monitored leadership email traffic to determine if anybody had suspicions. Five months later, February 2020, they dropped the back door into the Orion software package. The impact, according to the vice chair of the House Committee on Homeland Security at the time, Congressman Ritchie Torres:

Ritchie Torres: A cyber attack on a software supply chain is like an infectious disease outbreak spreading widely and rapidly and causing untold damage far and wide. The SolarWinds espionage campaign against the United States, which spread surreptitiously through a software product represents the greatest intrusion into the federal government in the history of the United States.

Rick Howard: And that's saying a lot if you consider the Chinese compromise of the Office of Personnel Management, OPM, back in 2014. [ Music ] First, let me just say that I understand what the SEC is trying to do. They want public company investors to have better information about the state of material cyber risk. According to the amended complaint, the SolarWinds stock price dropped 35% during the disclosure month, December 2020, causing investors pecuniary harm. The SEC wants investors to have better information about material cyber risk so that this kind of thing doesn't happen in the future. I get it, and I like the notion of it. It's why they passed their new disclosure rule back in 2023, mandating that public companies disclose material cyber events within five days of discovery. But in my humble opinion, to make sure the business world takes them seriously with this new disclosure rule, the SEC wanted to set an example. SolarWinds was just a target of opportunity. That in itself doesn't invalidate their claims against SolarWinds, but it helps to keep everything in context. Second, in the amended complaint, the SEC demonstrates their complete lack of understanding of how cybersecurity works in the real world. They don't understand that material cyber risk is a probability, a measure of uncertainty about the state of the InfoSec program, not an on-off switch, where if you were just compliant with the NIST Cybersecurity Framework or had strong password protection, no adversary campaign would penetrate your network. That's a ludicrous idea. I've read the same bullets that the SEC called out on the SolarWinds website to many bosses of mine in the past. Yes, we follow the NIST framework -- [ Music ] And that's our show. Well, kind of. There's actually a whole lot more, and it's all pretty great if I do say so myself. So here's the deal. 
We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head over to thecyberwire.com/pro and sign up for an account. That's thecyberwire, all one word, .com/pro. For less than a dollar a day, you can help us keep the lights on, the mics rolling and the insights flowing. Plus you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com and we'll figure something out so you can join. I'd love to see you on N2K Pro.

Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's associate producer.

Tré Hester: I'm Tré Hester, audio editor and sound engineer.

Elliott Peltzman: I'm Elliott Peltzman, executive director of sound and vision.

Jennifer Eiben: I'm Jennifer Eiben, executive producer.

Brandon Koff: I'm Brandon Koff, executive editor.

Simone Petrella: I'm Simone Petrella, the president of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.

[Unison]: Thanks for listening. [ Music ]