The SolarWinds data breach of 2020 was one of the most widespread and sophisticated hacking campaigns to be conducted against the federal government and private sector.
As early as January 2019, the Russian Foreign Intelligence Service breached the computing networks at SolarWinds — a Texas-based network management software company. Since the company’s software, SolarWinds Orion, was widely used in the federal government to monitor network activity and manage network devices on federal systems, the incident allowed the threat actor to breach several federal agencies’ networks.
After the SolarWinds attack became public in late 2020, the value of SolarWinds stock on the public market decreased in one week, from almost $25 per share to less than $15 per share, a decline of approximately 40%.
In the aftermath of the loss in share value, a class of SolarWinds shareholders sued the company, its executives and its investors for violations of the Exchange Act, which prohibits public corporations and their leaders from knowingly making misrepresentations or omissions that cause financial harm.
In late March, a Texas judge dismissed claims that former SolarWinds Chief Executive Officer (CEO) Kevin Thompson was personally liable for deceiving investors about the state of the company’s cybersecurity and allowed the class-action lawsuit to proceed.
The lawsuit names Thompson, Chief Financial Officer J. Barton Kalsu, Chief Information Security Officer (CISO) Tim Brown and private equity firms Thomas Bravo and Siler Lake Technology Management as defendants. The suit alleges the company lied and materially misled investors about security practices leading up to the breach. Furthermore, the complaint claims each defendant was directly involved in the day-to-day operations at the highest levels and therefore privy to confidential information about business operations and oversight of internal controls. By omitting what they knew about the breach and employing poor security practices, the suit alleges SolarWinds executives were reckless and participated in a “fraudulent scheme.”
The lawsuit is a stark reminder of the damaging consequences that a data breach can have on the organization — from financial loss, to reputational damage, operational downtime, loss of customer trust, and legal action.
Security talked to security experts to gauge their feelings on how this lawsuit will have ramifications for both security leaders and organizations going forward.
Security: What are the implications of the lawsuit for SolarWinds?
Casey Ellis (Ellis), Founder and CTO, Bugcrowd: For SolarWinds, it sounds like the case will force them to lay out their cybersecurity and operational security controls as a matter of public court record for the purpose of having them judged as being sufficient or deficient. [They’ll also need to] deal with the court of public opinion.
Phil Neray, Vice President of Cyber Defense Strategy, CardinalOps: The key questions about the merit of the lawsuit revolve around (1) When did SolarWinds management learn their build environment had been compromised? If it was after they issued their standard 10K and 10Q boilerplate statements about cybersecurity risks, then it seems they should not be at fault for issuing false or misleading statements; (2) Did the company exhibit standards of due care in their day-to-day cybersecurity practices? For example, if we learn they did not properly segment their networks, or used weak password policies, or did not implement sufficient monitoring to detect suspicious or unauthorized activities in their security operations center (SOC), then the lawsuit may reveal additional grounds for shareholder lawsuits.
Casey Bisson, Head of Product and Developer Relations, BluBracket: The wake of the SolarWinds incident is playing out like a low-key version of Unsafe at Any Speed: The Designed-In Dangers of the American Automobile, the 1960s book that raised public understanding of highway safety issues and upended the automobile industry.
The lawsuit is hastening the ultimate shift left: incorporation of security into business goals. Executives that had treated security as a barrier to minimize in the pursuit of business goals have realized it’s a real factor to contend with, and everybody is now taking lessons from those that had made security a business requirement.
Archie Agarwal, Founder and CEO, ThreatModeler: This lawsuit will test the boundaries of liability for executives and majority shareholders.
John Bambenek, Principal Threat Hunter, Netenrich: The biggest item is that the judge did not dismiss the part of the lawsuit on the CISO’s **personal** liability for the breach. Often in breaches, there are lawsuits; however, when executives are held personally responsible by the court, it will have an enormous impact on the psyches of other CISOs. Ultimately, it will depend on how this case is resolved in the end. But, any time an executive might be held personally reliable gets executives everywhere to pay attention.
John Hellickson, Field CISO and Executive Advisor, Coalfire: I believe it’s too early to tell what the implications will be, but many security leaders in the industry will be watching how this suit progresses.
Security: How will this lawsuit impact other organizations and cybersecurity?
Ellis: The Texan ruling coincides with last month’s updated release of Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies rules by the SEC, in which a recommendation is made which would require public companies to report the level of cybersecurity expertise on their board. To me, the emerging pattern is one that pushes cybersecurity risk management into overall corporate risk management and governance, as opposed to its traditional place within a technology silo. Ultimately this is good news for the user as it adds urgency to doing cybersecurity well - and minimizing user risk in the process.
Neray: The implications, in that case, would be quite broad for other organizations, because it would put management teams on notice that they need to be providing CISOs with sufficient budget and resources — as well as management level authority and prioritization — to implement best practice controls for their organizations.
Bisson: Liability for software security has been evolving slowly relative to the rapid growth in the importance of software and technology to business, but companies should look to the evolution of automobile and product safety liability to see where cybersecurity liability might go next. Just as Unsafe at Any Speed led to consumer advocacy organizations, industry groups, and government regulation to establish and raise standards for automotive safety, the same is happening in cybersecurity. The Whitehouse’s 2021 landmark executive order on cybersecurity is just one example.
Agarwal: There’s an uncomfortable point at which investment in a company’s growth phase occurs: sales and marketing take off with 100+% growth goals. Software delivery gets pulled into the same rapid pace with new and exciting prospect demands. Security investment will always lag sales or delivery goals in this scenario. Lawsuits such as this make the cost of sale[s growth] explicit, bringing to light this often-invisible externality. As organizations race to meet customer demands for a new feature or product line, it’s wise for them to threat model how these changes will affect the motivation, opportunity, and impact of adversaries targeting them or their customers.
At its core, this breach comes down to the complexity of today’s developer pipelines. With the continued move to more aggressive DevOps that include many different components such as source code, open-source packages, and APIs, it is very rare that one person or team understands the threat landscape of the entire application, system, or appliance. Organizations need to better understand how their systems work and what type of threats the architecture may be prone to. One way to better understand this is through a formal process that asks that hard question of “What if?”
Bambenek: Hopefully, this will make CISOs get serious about ensuring basic security hygiene is in place…such as not using silly default passwords.
Hellickson: I believe this will result in legal teams reviewing their own public statements and balancing those statements with security assessments performed by third parties to reduce the liability of overpromising statements on the robustness of their security posture to both the public and their clients. Additionally, I would expect organizations to expand their internal public media training beyond the typical senior executives who get trained on making public statements, to those in security positions of authority, especially considering cybersecurity is often a top three risk at any given organization.
My hope is that we’ll also see CEOs take note by moving the CISO to a direct report, enabling the CISO to have a true seat in the C-Suite, which is often covered by the CIO today.
Security: What are the lessons learned for organizations and security leaders?
Ellis: The lesson for security leaders and organizations is that we’re entering a season of accountability for doing the basics well, and that it’s as good a catalyst as any to revisit the kinds of issues that contributed to the SolarWinds breach, remediate or mitigate when necessary, and introduce controls to avoid them in the future.
Bisson: Companies of all sizes learned about the risk of supply chain attacks as attackers used SolarWinds to gain entry into the most sensitive networks in government and industry. But we’ve also learned about the importance of strong passwords, the risks of secrets in code, and the reality that small security mistakes can have huge implications.
Forward-leaning companies recognize that security is a process, not a product — but some of those processes can be automated. [For example], automated scanning and enforcement of access permissions and activity might have identified the long-running remote access of the software workflow by external threat actors.
Companies that automate the basics demonstrate to their teams the priority of security, giving them structure and space to see and address more significant issues.
Agarwal: It’s long been understood that the CISO’s head could roll when a breach showed the firm negligent. Security maturity models, such as the BSIMM, show the [steps] organizations are expected to take to avoid this situation. In laying out a minimum standard, those models predicted that there would be personal liability for executives that failed to meet minimum standards. An interest in cyber insurance and what kind of underwriting might support that insurance has emerged in a variety of spaces — CSPs seeking “shared outcome,” highly regulated industries seeking to add “security” to “compliance,” and others.
We see all the forces motivating personal liability (and insurance) converging: customers beginning to understand the impact and prevalence of attacks on their digital life and assets, the measurability of a firm’s security initiative maturity and posture, and a distinct focus by attackers on those whose security investments dramatically lag their software and company’s growth.
There are claims that investors “aimed to keep costs low to eventually sell the company at a profit.” These claims, along with the suspect timing of executive stock sales ahead of disclosing the breach, will be adjudicated in the courts, but leaders should take note of how these stories affect perceptions of the cybersecurity industry generally.
Hellickson: There are several lessons from the breach and associated lawsuit that come to mind, particularly around speaking openly about one’s security program. CISOs often joke that their title is more akin to the ‘Chief Scapegoat Officer’ of the organization if the worst-case scenario does occur while on their watch. This lawsuit specifically naming the VP of Security Architecture as a defendant and considering he did not have the CISO at the time of the breach, likely has many security professionals in leadership roles recollecting previous statements they may have recently made about their company’s own security posture, even if they don’t have the CISO title. When security leaders speak publicly about the state of security at their company, they’ve always had to consider their role as spokespersons for the organization, and usually refrain from ‘touting’ a robust state of their security posture. This lawsuit underscores the need to choose one’s words carefully, particularly if they are in a leadership position where people external to the organization can treat them as statements of fact.
Additionally, when organizations undergo cost-cutting efforts, the security organization often gets similar requests to cut costs and do more with less. It is up to the security executive to be as open and honest about the current threat landscape and known risks with the executive team and their Board of Directors and leverage their own expertise to advise on the impacts of making such cuts. When such requests to security leaders are made, depending on how deep the impact to the budget may be, I often encourage leaders to perform a zero-based budget exercise and classify all current security operating costs and future needs into three buckets:
- Critical operations / keep the lights on.
- Discretionary but necessary (a gray area).
- Discretionary items the security leader has already cut as part of the initiative.
For items in the second category, I recommend the CISO engage the executive team and/or risk committee to discuss and justify why those items were not chosen to be cut and defer any further cuts to be decided by those groups. What they will generally find is that if the respected security leader does not support the cuts, no one else will want to be on record for making the decision to cut further. Now, this may limit the longevity of that security leader’s employment at the given organization for not cutting as deep, but one could argue it’s what’s best for the organization while limiting personal liability when done appropriately.
A spokesperson for SolarWinds provided the following statement to Security:
“We disagree strongly with the claims made by the plaintiff and look forward to having the opportunity to present the true facts as this process continues beyond its current very early stage.”