SolarWinds and the SEC.
N2K, Jun 3, 2024

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.

When the United States Securities and Exchange Commission, the SEC, charged the SolarWinds CISO, Tim Brown, with fraud in October 2023, in the aftermath of the very public SolarWinds breach disclosed in December 2020, I was outraged. How could they reach into the SolarWinds organization, past the board, past the executive staff (the CEO and the CFO specifically), and charge a guy who wasn’t even the CISO at the time of the breach? SolarWinds gave Tim the CISO title after they disclosed the compromise.

I’ve been a CISO three times now and I know the game. The CISO title is nothing more than that, a title. You might as well call me the Grand Poobah of Security and it would have the same power. It’s something you put on your business cards or your LinkedIn profile to show that you’re important. If you have it, it doesn’t mean you’re a company officer or a board director or even on the executive staff. I mean, some of us have those things, but most of us don’t. Typically, the title is a vanity plate that companies give security leaders to keep them happy and to show the world they’re serious about cybersecurity. If they’re lucky, public company CISOs might get asked for their input to the quarterly financial statement (Form 10-Q) in regards to potential material cyber risk. Most times though, CISOs are not even in the same zip code when company leaders discuss that subject.

Don’t get me wrong, I love the CISO job. But I'm also realistic about what it really means. That’s why I was so angry about the SEC charges. They took the least powerful leader in the company, a guy who in no way makes official public financial statements, a guy who doesn’t have enough resources to do all the things that should be done and is constantly told to do more with less, make that guy the example of what not to do and ignore all the company leaders that do have the power? The mind boggles. And, I’ve been fuming about it ever since. 

But I will say the community is divided about this. I‘ve talked to a lot of CISOs on this topic and I would say half think the SEC was completely right. Tim was in charge of security after all, they say, whether he had the CISO title or not. The positive things he was saying on the company blog and when he spoke at conferences about how good the SolarWinds infosec program was, didn’t match what he and his people were saying internally. Internally, things sounded bad. So, when the Russian SVR hacking crew came knocking and found the SolarWinds infosec program wanting, the SolarWinds stock price took a major nose dive. Investors became angry and somebody has to protect the investors, right? Enter the SEC. Let’s charge the CISO, who wasn’t the CISO at the time, with fraud. Yep, that makes sense.

But, I'm willing to entertain the idea that I might be wrong about how crazy this sounds. This essay is me trying to determine if my outrage is justified. Let me set the stage. 

The SEC after the attack.

In December 2020, SolarWinds, a network management company, publicly disclosed that they had been the victim of a breach. Today, three and a half years later, we know that SolarWinds was the victim of one of the most technically complex cyberespionage campaigns on record, conducted by the Russian SVR (AKA APT29, AKA Cozy Bear, AKA the Dukes); an innovative supply chain attack that allowed the compromise of some very important customers who ran their software:

  • The US Department of Defense
  • The Department of Homeland Security
  • The Treasury Department
  • Intel Corporation
  • Cisco
  • Palo Alto Networks
  • Microsoft
  • Mandiant

The SVR basically compromised the SolarWinds network, penetrated their software build system, inserted a backdoor (later named SUNBURST) into the SolarWinds flagship network monitoring product (Orion), and let SolarWinds deliver the malicious code for them, digitally signed, via their own automatic software update mechanism.

Nearly two years later (October of 2022), the SEC delivered Wells notices to the SolarWinds company, the CISO and the CFO. A Wells notice is a letter informing recipients that the agency has completed an investigation and that its staff intend to recommend an enforcement action against them; it gives the recipients a chance to respond before charges are filed. In this case, the SEC alleged that SolarWinds, the company, and these two employees misled investors, in the years leading up to and including the breach disclosure, through multiple public statements about the strength of the SolarWinds infosec program when in fact internal communications showed that leadership and practitioners both knew that they had significant weaknesses.

The next year (October 2023), the SEC filed a civil action in the Southern District of New York against SolarWinds and Brown, alleging that they violated the antifraud provisions of the federal securities laws (the Securities Act of 1933 and the Securities Exchange Act of 1934). Essentially, the complaint says that Brown “schemed,” on his own, to hide the true state of the SolarWinds infosec program from investors. Note: They didn’t charge the CFO or the CEO. By the SEC’s telling, those two weren’t doing any “scheming,” just Tim.

From the amended complaint that the SEC filed in February 2024, here is a summary of the basic facts of the case:

Timeline:

2017: Brown joins SolarWinds as the VP of Security (Not the CISO)

2018 - 2020: The SolarWinds Security Statement remained publicly posted on its website, saying that the internal infosec program:

  • Is overall compliant with the NIST Cybersecurity Framework
  • Uses a secure development lifecycle when creating software for customers
  • Employs network monitoring
  • Has strong password protection
  • Maintains good access controls

But internal discussions throughout the period demonstrate that Tim, his staff, and company senior leadership knew that there were problems with the deployment of every one of those controls.

2018: SolarWinds conducted an Initial Public Offering (IPO) with only a generic and hypothetical cybersecurity risk disclosure. A year before the IPO though, Brown had been telling leadership that the

“current state of security leaves us in a very vulnerable state for our critical assets.” 

2020: Brown cashed in stock seven times in 2020 in three separate months (February, May, and August) for a total of $170,000 in gross proceeds.  

12 December 2020: Kevin Mandia (Mandiant) informs the SolarWinds CEO (Kevin Thompson) that his company has been hacked.

14 December 2020: SolarWinds files an SEC Form 8-K report, stating in part that the company “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products”.

January 2021: Tim Brown promoted to CISO

October 2022: The SEC delivers the Wells notices.

26 July 2023: The SEC adopts its new cyber disclosure rule, which requires public companies to report a material cyber incident on Form 8-K within four business days of determining that the incident is material (the clock starts at the materiality determination, not at discovery).

October 2023: The SEC charges Tim Brown with Fraud.

December 2023: The new SEC disclosure rule takes effect. The Form 8-K incident-reporting requirement applies to most registrants from 18 December 2023; the annual-report disclosures apply to fiscal years ending on or after 15 December 2023.

February 2024: The SEC amends its complaint and expands the charges.

The Russian SVR kill chain campaign.

Kim Zetter, the famed cybersecurity journalist and Cybersecurity Canon Hall of Fame author for her 2014 book about Stuxnet, “Countdown to Zero Day,” wrote an excellent blow-by-blow description in Wired in the spring of 2023 about how the Russian SVR (roughly equivalent to the American CIA) ran their attack campaign.

Victim zero was a SolarWinds VPN account that the SVR compromised on 30 January 2019, a full year before they installed the backdoor in the Orion software. Somehow the attackers moved laterally, undetected, to compromise over a hundred different software code repositories for various products, and stole both the product code and customer data about who used those products. And then they disappeared for three months, presumably to study what they had found. When they returned on 12 March 2019, they found the SolarWinds build environment and then disappeared again for another six months.

The SolarWinds build environment was complex. It takes newbie developers months to understand how to legitimately navigate it, but when the SVR returned in September 2019, they knew exactly what they were doing. They dropped benign test code into the build to see if they would get discovered, and monitored leadership email traffic to determine if anybody had suspicions. Five months later, in February 2020, they dropped the backdoor into the Orion software package.

The impact, according to the vice-chair of the House Committee on Homeland Security at the time, Ritchie Torres, was “the largest intrusion into the federal government in the history of the US.” And that’s saying a lot if you consider the Chinese compromise of the Office of Personnel Management (OPM) back in 2014. 

The SEC’s goal.

First, let me just say that I understand what the SEC is trying to do. They want public company investors to have better information about the state of material cyber risk so this kind of thing doesn’t happen in the future. According to the amended complaint, the SolarWinds stock price dropped 35% during the disclosure month (December 2020), causing investors “pecuniary harm.” I get it and I like the notion of it. It’s why they adopted their new disclosure rule back in 2023 mandating that public companies disclose a material cyber incident within four business days of determining that it is material.

But, in my humble opinion, to make sure the business world takes them seriously with this new disclosure rule, the SEC wanted to set an example. SolarWinds was just a target of opportunity. That, in itself, doesn’t invalidate their claims against SolarWinds, but it helps to keep everything in context.

The SEC’s complete misunderstanding of how cybersecurity works.

Second, in the amended complaint, the SEC demonstrates their complete lack of understanding of how cybersecurity works in the real world. They don’t understand that material cyber risk is a probability, a measure of uncertainty about the state of the infosec program; not an on-off switch where, if you were just compliant with the NIST Cybersecurity Framework or had strong password protection, no adversary campaign would penetrate your network. That’s a ludicrous idea.

I have briefed those same bullets mentioned above to many bosses of mine in the past. Yes, we follow the NIST framework, yes we have a software development lifecycle, yes we monitor the network, yes we have strong access controls, and yes we have strong passwords. But I would never have claimed that because of all that, we solved cybersecurity; that no bad guy would materially impact the organization. We reduced the chances that they would be successful but the probability was never zero. Clearly, the financial world and the security world are speaking different languages.

My best friend, Steve Winterfeld (Seasoned Security Professional, veteran Cyberwire Hashtable member, and editor to my first principles book), told me the other day that of course we are speaking different languages. The finance people have been thinking about accounting principles since the time of the pyramids. Security people have only been around for about 50 years. We still haven’t agreed as a community about what we are all trying to do with our infosec programs. It was the impetus for us publishing our book on cybersecurity first principles last year. 

But there’s a reason we haven’t come to a consensus. It’s a really hard problem to get any community to agree on what’s important. The finance world struggled with this too. The American version of consensus failed at least three times since the Great Depression before it arrived at its codified Generally Accepted Accounting Principles (GAAP) in 2009; roughly 90 accounting topics. The security world is just beginning to grapple with the problem.

The giant disconnect though is that the SEC is looking for the same kind of rigor they get with GAAP analysis and the security world brings them the NIST framework. That’s an impedance mismatch that causes noise in the communication between the two communities.

Did Tim Brown “scheme” when he sold his stock options?

I have no idea. But this seems to me to be so unlikely as to be laughable. SolarWinds executed the IPO (Initial Public Offering) in 2018, a year after Tim joined the company. Two years later, Tim sold some of his stock to the tune of $170,000. Many other SolarWinds employees sold stock at the same time too, so it wasn’t like he was sneaking out the back door with a suitcase full of money. The SEC seems to be implying that Tim knew that the SolarWinds stock price was highly inflated solely because of his “misstatements, omissions, and schemes” on the company website, that he forecasted the stock price drop because of an imminent material cyber event that only he knew about, and sold his stock to take advantage of the anticipated disparity. That sounds like a plot from my favorite TV show, “Billions,” starring Paul Giamatti, Damian Lewis and Maggie Siff. The Occam’s Razor principle tells me that it is much more likely that Tim was simply cashing in some of his stock options to either diversify his portfolio, take advantage of a vesting schedule, or to buy a pony. Any of those are more likely than Tim “scheming” to defraud investors.

Did Tim Brown commit fraud before the IPO?

What I mean by that is that in the SEC’s amended complaint, they said that when SolarWinds prepared for the IPO, leadership only presented a “generic and hypothetical cybersecurity risk disclosure.” But, in internal correspondence, Tim was telling leadership that the “current state of security leaves us in a very vulnerable state for our critical assets.” Discussions within Tim’s security team indicated that they were well aware that the SolarWinds’ remote access set-up was “not very secure and that someone exploiting the vulnerability can basically do whatever, without us detecting it until it’s too late, leading to major reputation and financial loss.” That pretty much nails exactly what the Russian SVR did. So you can see why the SEC blames Tim. He knew about the problem, didn’t fix it, and then the SVR came knocking causing investor “pecuniary harm.”

That’s all well and good, but anybody that’s ever been a CISO of a public company—and I’m one of them—knows that the SolarWinds official risk statement in preparation for the IPO was not crafted or single-handedly approved by Tim. That statement is not something that senior leadership delegates to the VP of Security (remember, he wasn’t the CISO until after the breach became public). In fact, for any company going through the IPO process, the IPO risk statement isn’t delegated to the CISO either. That statement is crafted by a raft of IPO lawyers and approved by the CFO and the CEO. Sometimes they might even ask the CISO for input, but that is definitely not the standard practice. The IPO security statement is carefully designed to have just enough detail to get the IPO across the line but not enough where it might impact the process.

From the SEC’s amended complaint, it sounds like Tim did his duty. He told senior leadership about the risks to the business. The CEO and the CFO decided to massage that message, as is their charter. Their job is to manage risk to the business and to present risk to their investors. They made that call. That’s why I’m so peeved that the SEC charged the CISO and not the CEO and the CFO.

Impact to the CISO.

For public companies, the new SEC rule about disclosing a material cyber incident within four business days of deciding it is material is significant. It implies that you already have some way to determine which cyber events are material and which ones aren’t, and a process that makes that determination without unreasonable delay. My guess is that most CISOs don’t, but because of the SEC fraud charges, we are all scrambling to figure it out. We’ll see a lot more public disclosures because of the rule which, of course, is what the SEC wants.

There is a legal definition of business materiality that we got from Supreme Court Justice Thurgood Marshall back in the 1970s. It says that a material fact exists when there “is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote,” or “a substantial likelihood that the disclosure of the omitted fact [like the SEC claims Tim did] would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

But, I propose that it isn’t the CISOs job to figure out what a material cyber event is to the business. That’s the CEO’s and CFO’s call. Simplified, it's probably some total dollar threshold in terms of revenue lost, stock depreciation, and recovery costs. Once defined, the CISO can model the probability of it happening and then ask the leadership team if the risk is acceptable or do they want to spend resources (people, process, technology) to lower it. I talk about how to do that in the First Principles book.

As an aside, I published the book two months before the SEC announced their new rule about reporting material cyber events. In the book, I make the case that the absolute cybersecurity first principle, the very first rule in our brand new Generally Accepted Infosec Principles (GAIP) that I just made up, is this: reduce the probability of a material cyber event within the next three years. I'm totally taking credit for anticipating the new SEC rule even though I had no idea it was coming. When I tell my mother-in-law about this, I tell her that I'm a genius (I think she’s buying it).

There’s going to be a lot of gray area in the next 5-10 years as we learn about which companies the SEC decides to make an example of. My guess is that it will be some small percentage of the Fortune 500 companies after they experience a major breach. In the meantime, the SEC just dropped a big bucket of cold water on the potential hiring pool of new CISOs. 

Since CISOs are not typically company officers, they don’t automatically get Directors and Officers (D&O) insurance; a type of liability insurance that provides coverage for directors and officers against costly litigation claims arising from their management decisions. To SolarWinds’ credit, they are covering Tim Brown’s legal costs, but this practice is not the norm.

Why would you take this job if you think you’re going to get sued, even if you do have insurance? As a bare minimum, D&O insurance has to be part of the compensation package for CISOs going forward. And speaking of compensation packages, I believe the price has just gone up. Some sources say that the average compensation package for a large public company CISO (base + bonus) is about $700K. For my CISO peers that I’ve talked to this past year, to even consider the job, that will have to be much bigger.

I will also say that if public company CISOs haven’t stopped talking publicly about their internal infosec program after the SEC’s filing of the amended complaint, they really should. There is no upside anymore, regardless of how the marketing department wants to use you as an in-house security expert. Those statements can only come back to haunt you later in a future lawsuit.

For private companies, the situation is a bit different. There is no obligation to report on material cyber events; no obligation to follow the SEC rules. Still, if you’re buying into my first principles thesis, you still have to develop your own definition of what materiality means to you. The way I think about materiality at N2K, a start-up with 40 people, is to consider the estimated dollar figure (in terms of recovery costs and financial loss during the outage) that would cause the company to fail; a dollar figure that is a company killer; a cost threshold from which the company couldn’t recover. As with the public company, I can model the probability of it happening and then ask the leadership team if the risk is acceptable or do they want to spend resources (people, process, technology) to lower it.
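The modeling step described here, and in the public-company version of it a few paragraphs up, can be made concrete with a small Monte Carlo. The block below is an added worked example written for this page; it is not code from the First Principles book, from N2K, from SolarWinds, or from the SEC. The materiality threshold, incident frequency and loss range are made-up inputs, and `Z90` is just the standard normal 90th-percentile quantile used to turn a 10th/90th percentile loss estimate into lognormal parameters.

```python
"""Added example: probability of a "material" cyber event over a three-year
horizon, estimated by Monte Carlo. Illustrative code only; all inputs below
are assumed, made-up numbers, not figures from the page or the complaint."""
import math
import random

Z90 = 1.2816  # standard normal quantile for the 90th percentile


def lognormal_params(loss_p10, loss_p90):
    """Turn a 10th/90th percentile single-incident loss estimate into (mu, sigma)."""
    if not (0 < loss_p10 < loss_p90):
        raise ValueError("need 0 < loss_p10 < loss_p90")
    ln_lo, ln_hi = math.log(loss_p10), math.log(loss_p90)
    mu = (ln_lo + ln_hi) / 2.0            # median sits midway in log space
    sigma = (ln_hi - ln_lo) / (2.0 * Z90)  # p10 and p90 are +/- Z90 sigmas out
    return mu, sigma


def lognormal_quantile(mu, sigma, z):
    """Loss at z standard deviations from the log-space mean."""
    return math.exp(mu + z * sigma)


def poisson(rng, lam):
    """Knuth's algorithm: number of incidents in one period at rate lam."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_horizon_loss(rng, years, events_per_year, mu, sigma):
    """Cumulative loss over the horizon: one lognormal draw per incident."""
    total = 0.0
    for _ in range(years):
        for _ in range(poisson(rng, events_per_year)):
            total += rng.lognormvariate(mu, sigma)
    return total


def probability_of_material_event(threshold, events_per_year, loss_p10, loss_p90,
                                  years=3, trials=20000, seed=1):
    """Fraction of simulated horizons whose cumulative loss exceeds the
    leadership-defined materiality threshold (the first-principles number)."""
    rng = random.Random(seed)  # fixed seed so a briefing is reproducible
    mu, sigma = lognormal_params(loss_p10, loss_p90)
    hits = sum(
        1 for _ in range(trials)
        if simulate_horizon_loss(rng, years, events_per_year, mu, sigma) > threshold
    )
    return hits / trials


def compare_controls(threshold, baseline, improved, **kw):
    """Probability before and after a proposed investment. baseline/improved
    are dicts of events_per_year, loss_p10, loss_p90 (assumed estimates)."""
    before = probability_of_material_event(threshold, **baseline, **kw)
    after = probability_of_material_event(threshold, **improved, **kw)
    return before, after


if __name__ == "__main__":
    MATERIAL = 5_000_000  # assumed: the dollar figure leadership calls material
    # Assumed estimates: one incident every two years, costing $200K-$8M (p10-p90).
    baseline = dict(events_per_year=0.5, loss_p10=200_000, loss_p90=8_000_000)
    # Assumed effect of the proposed spend: halve frequency, halve the p90 loss.
    improved = dict(events_per_year=0.25, loss_p10=200_000, loss_p90=4_000_000)
    before, after = compare_controls(MATERIAL, baseline, improved)
    print(f"P(material event within 3 years): now {before:.1%}, with controls {after:.1%}")
```

The model is deliberately simple: incidents arrive as a Poisson process and each one costs a lognormal amount pinned by a 10th/90th percentile estimate, which is the shape of input a security team can actually be asked for. The only number that goes to the CEO and the CFO is the last line, the probability of crossing their threshold now versus after the proposed spend; the threshold itself stays their call.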

Was the SEC wrong about the fraud charges?

At the top of this essay I said I was outraged that in response to an innovative and well executed Russian SVR cyber attack campaign targeting the SolarWinds company, the SEC decided to make an example of the CISO instead of the CEO and the CFO. The SEC claimed that the CISO knew the infosec program was weak in several places but in public statements, suggested that it was strong, that investors were paying attention to these public statements, and thus lost their investment when the stock price dropped after the attack. I said that I was willing to admit that I might be wrong about that outrage and I was using this essay as a way to decide if I was.

Well, I don’t think I was. 

There are several reasons. First, in March of 2024, over 50 former CISOs from companies like

  • HP
  • Clorox
  • Siemens
  • UnitedHealth Group
  • City National Bank
  • Salesforce
  • NTT
  • Bank of America

attached their names to an amicus brief sponsored by the law firm Cooley LLP that “supports SolarWinds’ motion to dismiss the SEC’s amended complaint, which contains more than 50 pages of additional allegations against SolarWinds and its chief information security officer.” So, at least I’m not alone in my outrage. It doesn’t make us right about our outrage, but at least we are not the only ones in that state.

Second, in terms of the IPO risk statement, Tim may have had some input but it’s likely that he didn’t. Even if he did, he wasn’t in charge of the final word. The CEO and the CFO made that call with the advice of several well-paid IPO lawyers. That statement is not Tim’s fault. That clearly lands on the responsibility of the CEO and the CFO.

Third, the distance between what Tim was saying in public about the strength of the SolarWinds infosec program and what he and his team members were saying internally is quite wide. That sounds bad when you say it out loud like that. But, it’s common practice; especially for security vendor officials. I’ve done it myself. 

You don’t present to customers a full and complete dirty laundry list of all the things wrong with the internal infosec program. We all have things that we would like to improve there. In public though, you say the positive things you are trying to do. We follow the NIST Cybersecurity Framework. We do have a policy of strong passwords. It doesn’t mean there aren’t places where we can improve in both of those projects.

And it’s not lying. It’s choosing to put a positive marketing spin on the situation instead of a “The Sky is Falling and everything is a disaster” negative critique that might scare potential customers and investors away. That’s what marketing is and it’s more of an art than a science. You have to walk right up to the line of complete fabrication and not cross over it. Many of us have done it to some degree or another. But like I said above, I think that practice is coming to a grinding halt.

Fourth, the SEC charges imply that there can never be a disagreement among the internal infosec team members about potential risks, priorities to fix, and general direction. There can never be arguments between infosec leaders and practitioners about how to apply their limited resources. And whatever discussions happen, they can’t be in email, Slack, or any other digital medium because the SEC will collect those conversations and use them against the CISO in fraud charges. The SEC seems to be implying that there is really only one well-known way to implement the infosec program when we all know that the true answer is completely the opposite.

Lastly, there is an impedance mismatch between how the SEC and the financial world talk about cybersecurity and how the infosec profession does. The SEC world has Generally Accepted Accounting Principles (GAAP; roughly 90 codified topics) for how to present the business. That’s what they understand; a rigorous set of math principles that they have all agreed to. The infosec profession has a bunch of squishy non-math ideas to select from to defend the enterprise, like the NIST Framework, compliance, the CIA triad, and many others, but there is no consensus about which one is more important than the other. We all have our own favorite. Whatever you choose though, none of them are mathematically rigorous enough to build a bridge to the SEC’s definition of materiality. I make the case for how to change that in the First Principles book, but the community is a long way from accepting that approach as one of the Generally Accepted Infosec Principles (GAIP - a new infosec term that I just made up). The noise generated by this impedance mismatch between the two groups causes confusion and misunderstanding; it causes the SEC to think that if Tim had just implemented the NIST Framework like he said he was doing on the public website, the Russian SVR would not have been successful and SolarWinds could have protected their investors. That’s simply misguided.

My hope is that SolarWinds, Tim Brown, and the 50 Cooley CISOs have success in getting the SEC charges against Tim thrown out. Time will tell. It doesn’t mean that I think the SEC shouldn’t punish anybody. It means that I think they had the wrong target.

References:

Andrew Goldstein, Josef Ansorge, Matt Nguyen, Robert Deniston, 2024. Fatal Flaws in SEC’s Amended Complaint Against SolarWinds [Analysis]. Crime & Corruption.

Anna-Louise Jackson, 2023. Earnings Reports: What Do Quarterly Earnings Tell You? [Explainer]. Forbes.

Brian Koppelman, David Levien, Andrew Ross Sorkin, 2016 - 2023. Billions [TV Show]. IMDb.

Dan Goodin, 2024. Financial institutions have 30 days to disclose breaches under new rules [News]. Ars Technica.

David Katz, 2021. Corporate Governance Update: “Materiality” in America and Abroad [Essay]. The Harvard Law School Forum on Corporate Governance.

Jessica Corso, 2024. SEC Zeroes In On SolarWinds Exec In Revised Complaint [Analysis]. Law360.

Johnathan Rudy, 2024. SEC files Amended complaint against SolarWinds and CISO [Civil Action]. LinkedIn.

Joseph Menn, 2023. Former Uber security chief Sullivan avoids prison in data breach case [News]. The Washington Post.

Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon [Book]. Goodreads.

Kim Zetter, 2023. SEC Targets SolarWinds’ CISO for Rare Legal Action Over Russian Hack [WWW Document]. ZERO DAY.

Kim Zetter, 2023. SolarWinds: The Untold Story of the Boldest Supply-Chain Hack [Essay]. WIRED.

Rick Howard, 2022. Cyber sand table series: OPM [Podcast]. The CyberWire - CSO Perspectives Podcast.

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.

Pam Baker, 2021. The SolarWinds hack timeline: Who knew what, and when? [Timeline]. CSO Online.

Staff, 2024. Amended Complaint - SECURITIES AND EXCHANGE COMMISSION vs SOLARWINDS CORP. and TIMOTHY G. BROWN: Civil Action No. 23-cv-9518-PAE  [Civil Action]. Securities and Exchange Commission (SEC), UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK.

Staff, 2009. Generally Accepted Accounting Principles (Topic 105) [Standard]. PWC.

Staff, 30 October 2023. SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures [Press Release]. The U.S. Securities and Exchange Commission.

Staff, 31 October 2023. Securities and Exchange Commission v. SolarWinds Corporation and Timothy G. Brown, No. 23-civ-9518 (SDNY) [Case]. The Securities and Exchange Commission.

Staff, 29 March 2024. Cooley, Cybersecurity Leaders File Brief Opposing SEC’s SolarWinds Cyberattack Case [Press Release]. Cooley.

Staff, n.d. SEC’s new cyber disclosure rule [Explainer]. PwC.

Stephanie Pell, Jennifer Lee , Shoba Pillay, Jen Patja Howell, 2024. The SEC SolarWinds Enforcement Action [Podcast]. The Lawfare Podcast.