The SEC lawsuit against SolarWinds Corporation and CISO Tim Brown may upend an industry push for consolidation. It also questions whether large public companies providing security tools and services are any more up to the task than smaller, innovative companies.
Moreover, the argument put forward by SolarWinds against the suit brings into question whether their public statements can be trusted, according to industry sources. Considering how big a presence they have, their positions could damage trust in the industry overall.
The suit is one of a string of securities fraud actions taken against the security giant, SolarWinds, based on a massive breach, data exfiltration, and injection of malware into the company’s core products. Because SolarWinds is so widely entwined in industry, the breach affected multiple major security corporations, including Microsoft, Mandiant (now owned by Google), and Trellix (formerly FireEye). That, in turn, affected most of the United States government agencies and military organizations. While the breach was discovered five years ago, there is still no clear understanding of how it happened, who pulled it off, how far it goes, or how to fix it. Most experts agree that the attack was orchestrated by a Russia-sponsored group, but neither SolarWinds nor the affected customers confirm that.
The first lawsuit was brought by a plumbers union fund and tried in Texas. The suit was settled out of court last year for $26 million. The second lawsuit, brought by another trade union in the Delaware Chancery Court about the same time as the Texas suit, was dismissed. As expected, SolarWinds points to the Delaware decision as a better prediction for the new SEC suit. However, there are significant differences between the first two suits and more similarities between the Texas suit and the new SEC action.
In Texas, the plaintiffs named Brown and the corporation as defendants. In Delaware, the principal defendants, the board of directors, were found not liable, primarily due to an inability to understand the security issues at the heart of the second suit. However, while SolarWinds did not admit fault in settling the Texas action, the onus remains on Brown and the company. According to sources in the SEC, the result of the Texas settlement informed whom to sue and why in the latest action.
Interestingly enough, SolarWinds categorically rejects the accusations of the SEC and provides, as its primary defense, that the SEC is as incompetent as the Delaware Court found the SolarWinds directors.
Perhaps unsurprisingly, just prior to the rulings in Texas and Delaware, SolarWinds significantly overhauled its board. Seven of the nine directors came on in 2020 and 2021. Two private equity firms, Silver Lake and Thoma Bravo, hold 68 percent of the company, according to data from Bloomberg. In October, the two firms were considering selling their stakes.
SolarWinds, in a blog post on their corporate site, called the SEC action, “fundamentally flawed—legally and factually… twisting the facts in an attempt to expand its regulatory footprint in the cybersecurity space.” The response further accuses the SEC of lacking “the authority or competence to regulate public companies’ cybersecurity.”
Editor’s note: Cyber Protection Magazine talked with representatives for SolarWinds but could not come to an agreement on what questions they would answer nor whether they would reply in person or through email by the time we published this report.
There is a significant difference of opinion between SolarWinds and the SEC regarding what was done wrong. SolarWinds focuses on whether it followed the NIST Cybersecurity Framework (CSF) and on whether the SEC has found out how the hackers were able to enter the SolarWinds environment. As its blog post puts it: “SUNBURST is widely regarded as one of the most sophisticated cyberattacks of all time, and it’s unfortunate that the SEC is laying blame for the attack at the feet of its victim.”
But the key objection SolarWinds employs is whether it should be publicly forthcoming about vulnerabilities.
“If the SEC has its way, companies would be required to disclose detailed vulnerability information in public filings, which would not be useful to investors but would be useful to hackers looking for vulnerabilities to exploit,” the post continues. “That is the very reason the SEC has previously advised companies that SEC rules do not require such disclosures. This lawsuit undermines that guidance and leaves public companies confused about how much they must disclose.”
It further goes on to claim such disclosures would discourage CISOs and other cybersecurity personnel from improving tools and services. “If security personnel must constantly worry about their well-intentioned words and actions being mischaracterized in a false light and used as fodder for government charges, the result will be to drive good people from the industry and inhibit frank communication and sound decision-making about security issues.”
What the SEC alleges
However, the SEC seems to be more concerned about what SolarWinds has said publicly through its marketing materials and how the existence of vulnerabilities was discussed internally, not the specifics of those vulnerabilities. The suit cites a 2018 presentation prepared by a company engineer and shared internally stating that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds. It also cites 2018 and 2019 presentations by Brown stating that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.” The SEC claims that SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks.
The complaint quotes a report from Brown in June 2020 that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.” A September 2020 internal document shared with Brown and others stated, “The volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.” Brown is singled out in the lawsuit, which alleges that he was “aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company,” according to an SEC news release. “As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.”
A major objection to the lawsuit from SolarWinds is that providing detailed information about system weaknesses would make it easier for attackers to infiltrate the systems. But around the industry, there is skepticism that this is what the SEC is asking for.
Around the industry
Matthew Rosenquist, CISO for Eclipz.io Inc. and former Intel Corp. cybersecurity strategist, said, “Such details are not needed by investors to make good investment decisions. This is a misdirection/spin technique by SolarWinds. Again, the main issue is not what details were provided in disclosures, but rather, were they accurate or intentionally deceptive. SolarWinds is trying to reframe the case to something else.” Rosenquist pointed out that the blog post establishing their position includes a lengthy disclaimer at the bottom (in really small text).
“This Blog Post is based on management’s beliefs and assumptions,” it reads, and contains “statements that are not historical facts and may be identified by terms such as aim, anticipate, believe, can, could, seek, should, feel, expect, will, would, plan, intend, estimate, continue, and may.”
Rik Turner, senior cybersecurity analyst for Omdia, was more accommodating but measured. “I see their argument, but it’s a bit like the old conundrum raised by Edward Snowden: one man’s brave whistle-blower is another man’s traitor. So too here: complying with a disclosure law for the greater good may actually cause your organization direct reputational, financial damage.”
An anonymous former employee who was involved in discussions around the vulnerabilities argued more vehemently against the SolarWinds position. “The issue is a published fraudulent statement on the website, attesting to the state of security at SW (SolarWinds), which turns out to be far more aspirational than actual. The remedy is to not lie about the state of security. If you’re going to put written things in official or unofficial communications systems, your expectations need to be as follows: Those communications could be part of discovery in a criminal or civil trial, a tribunal, a public inquiry, or an internal investigation including a Data Subject Access Request (DSAR). Once it’s written, it can be screen captured, forwarded, and even made public.”
One SolarWinds argument that rings true is that the SEC is expanding its reach into cybersecurity, but that’s because they said so earlier this year. It endorses an industry-wide call to raise CISOs to report directly to the board. So this has become a case of being careful what you wish for. In this case, cybersecurity’s desire to be taken seriously at high levels results in high-level responsibility.
A source in the SEC said the Department of Justice (DOJ) is watching this case for the simple reason that almost the entire US government was exposed by the breach. That means if SolarWinds loses this case, criminal proceedings may arise under 18 U.S. Code § 1001, which provides: “Whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully— (1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry; shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.” If the security statements and trial evidence are sufficient in the mind of the US Attorney General, a federal criminal prosecution could result, because SolarWinds sold its software while violating the US Code.
Consolidation? Maybe not
The growth of large cybersecurity companies is primarily due to the acquisition of smaller companies rather than the development of new technology and services. SolarWinds alone has acquired more than 30 companies in five years. Okta, which is not quite as acquisitive, has also grown larger through M&A activity. The dance involving Google, Mandiant, and Trellix also created cyber giants. All of which have had their own well-publicized breaches.
The consolidation of cyber technology has been popularized this past year, most notably in the RSAC keynote by Rohit Ghai. Point tool providers have seen dollar signs and fast exits through the process and managed security service providers (MSSP) have modeled what consolidation looks like. However, the cybersecurity services and tools providers lack expertise in how to coordinate a massive amount of technology for securing networks.
“There is zero benefit to end users from any sort of consolidation,” said Richard Stiennon, chief analyst and founder of IT-Harvest. “The idea that buying everything from a handful of vendors is a positive is just wrong. This industry thrives on innovation and only the stand-alone startups are any good at it. I am not saying it couldn’t be done efficiently and well, just that I don’t ever see it.”
Creating a cybersecurity giant also increases the potential for attacks from private and state-backed hackers. One anonymous CISO put it this way: “The bigger you get, the bigger that target is on your back.” That raises the question of whether a consolidated security provider is more efficient than a curated set of point tools.
One industry that has done well in cyber consolidation is operational technology. Companies like Rockwell and Honeywell built their businesses on cobbling together efficient supply chains and using their own security centers to manage access to those chains. Those centers are so efficient and successful that both companies sell their services to the supply chain partners, turning them into revenue generators.
However the SEC case against SolarWinds plays out, it should reveal whether a large security provider can offer any better protection than smaller companies.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.