Executives at SolarWinds are pushing back at the lawsuit filed this week by the Securities and Exchange Commission against the company and its top security official in connection with the high-profile cyberattack, with CEO calling the agency’s action “a misguided and improper enforcement action.”

“How we responded to SUNBURST [supply chain attack] is exactly what the U.S. government seeks to encourage,” Sudhakar Ramakrishna, who took over as SolarWinds CEO two months after the discovery of the attack, wrote in a lengthy blog post, adding that the action represents “a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.”

“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats,” Ramakrishna wrote. “For these reasons, we will vigorously oppose this action by the SEC.”

The SEC has been investigating the attack – attributed to Russia’s Foreign Intelligence Service – and the sprawling fallout for the past couple of years, even suggesting in July that charges could be on the horizon. The agency this week filed charges against both the company and CISO Timothy Brown. The agency is accusing SolarWinds and Brown with internal control failures and for allegedly defrauding investors by overstating its cybersecurity practices and not disclosing known risks during the years between its IPO in 2018 and its December 2020 announcement of the SUNBURST attack.

“In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time,” the agency wrote in a statement.

A Focus on the Supply Chain

The supply chain attack on SolarWinds – perpetrated by the Russia-linked threat group Nobelium – put a spotlight on the ongoing cyber-risks to software supply chains. According to the U.S. Government Accountability Office (GAO), attackers breached SolarWind’s networks in September 2019 and began injecting test code into the company’s Orion suite of network management and monitoring products.

After these test runs, the group starting in February 2020 injected malicious code into a file that was included in updates of Orion. The trojanized code gave the Nobelium actors remote access to compromised systems, which they were able to exploit for espionage purposes. The attackers targeted a subset of the compromised systems, which led to thousands of SolarWinds customers being exploited.

The attack was first discovered by cybersecurity firm FireEye and later by Microsoft.

The SolarWinds attack pushed software supply-risks to the forefront, putting an emphasis on such tools as software bills of materials (SBOMs) and prodding government agencies to issue guidelines for protecting against such threats.

Worries of a Chilling Effect

In his statement, SolarWind’s Ramakrishna noted that since the breach of his company, other tech vendors and government agencies have been victims of state-sponsored attacks and that cybersecurity now demands a collaborative approach, rather than the onus being placed on individual organizations.

“No one is immune to the new, advanced threats that have unfortunately become commonplace,” he wrote. “As we practice and advocate, a community vigil is the only way to improve our collective security. It is imperative for victims of cyberattacks to come forward and share their experiences for the benefit of the broader community – and it is imperative these victims not be further victimized.”

SolarWind’s transparency about the details of the Nobelium attack has been aimed at helping other organizations become more secure, and the company has been a vocal advocate for organizations to be more open about security and for public-private partnerships, adding that “fierce business competitors now understand the need to be cooperative partners focused on defending our nation’s cyberinfrastructure against new and constantly changing attacks.”

“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Ramakrishna wrote. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines.”

The SEC charges could “stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks,” he said.

Industry-Wide Fallout

The SEC, in accusing Brown, SolarWinds’ CISO, of fraud, noted that internally during 2018 and 2019, Brown told executives that the company’s remote-access setup was not secure and posed a security risk and questioned its ability to defend its systems. The agency wants to bar him from corporate officer or director positions.

The charges against Brown could have a ripple effect throughout corporate offices, according to Paul Caron, head of cybersecurity, Americas, at corporate intelligence and cybersecurity consultancy S-RM.

In a statement, Gurbir S. Grewal, director of the SEC’s Division of Enforcement, said that the agency’s “enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

Caron told Security Boulevard that the case could set a ton throughout the industry for anyone holding such roles who in the past were subject to the sorts of fines and larger penalties that normally when to those in C-level positions.

“Now, whether CISOs realize it or not, they have a different personal and professional risk landscape to navigate,” he said. “The conditions are set to have every CISO in the field pause and realize that they, too, can be finally held liable for misleading statements on the security of the programs they manage.”

That will change the professional landscape, making it more difficult for organizations not yet ready to take security seriously to attract and keep talent, given that “the damages to the individuals that can come out of the other end of this equation are real,” Caron said.

He also said the SolarWinds could lead to a Sarbanes-Oxley shakeup in the industry, referring to the Congressional act passed in the wake of the Great Recession more than a decade and the wide-ranging fraud and failures that led to it, particularly those involving financial accounting.

“These failures are much like those linked to the SolarWinds event from the lens of cybersecurity and the efficacy of the control landscape that was misrepresented,” Caron said. “With the SEC new disclosure rules and this fraud charge, there will inherently be greater scrutiny on cybersecurity reporting just as there is with financial reporting.”