The United States government has filed a lawsuit against SolarWinds, a company based in Texas that was the target of a major cyberattack by Russia in 2020. The lawsuit accuses the company of fraud for not disclosing security weaknesses prior to the attack.
The Securities and Exchange Commission has filed a complaint seeking unspecified civil penalties and the removal of the company’s chief security officer, as well as reimbursement of any wrongfully obtained profits.
In December 2020, the SolarWinds breach compromised various U.S. government organizations such as the Justice and Homeland Security departments, as well as over 100 private companies and think tanks. This incident served as a harsh reminder for Washington to prioritize and enhance efforts to protect against similar attacks.
The 68-page complaint, filed by the Securities and Exchange Commission (SEC) in a New York federal court, alleges that SolarWinds and its former vice president of security, Tim Brown, engaged in fraudulent activities that deceived investors and customers. These activities include making false statements, withholding information, and implementing deceptive schemes to cover up the company’s subpar cybersecurity practices and the growing risks associated with cybersecurity.
SolarWinds released a statement in response to the SEC charges, dismissing them as baseless. The company expressed great worry that this legal action could jeopardize the country’s security.
Brown performed his responsibilities “with diligence, integrity, and distinction,” his lawyer, Alec Koch, said in a statement. Koch added that “we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.” Brown’s current title at SolarWinds is chief information security officer.
According to a statement by Gurbir S. Grewal, the director of the SEC’s enforcement division, both SolarWinds and Brown failed to address numerous warning signs over a period of years, presenting an inaccurate portrayal of the company’s cybersecurity measures and denying investors access to crucial information.
In October 2018, the same month that SolarWinds applied for an initial public offering, Brown wrote in an internal presentation that the company’s security was in a highly vulnerable state, according to the complaint.
According to the SEC, an internal SolarWinds presentation from that year revealed that the company’s network was not secure and could be easily hacked, resulting in significant damage to its reputation and finances. The SEC also claimed that in 2019 and 2020, there were various communications among SolarWinds employees, including Brown, expressing doubts about the company’s ability to safeguard its important assets against cyber threats.
SolarWinds, which is based in Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.
The attack, which lasted for almost two years, spread malicious software through the update channel of the company’s network management software, infecting thousands of customers. Taking advantage of this supply-chain hack, Russian hackers were able to gain unauthorized access to several targets, including nine U.S. government agencies and notable software and telecommunications companies.
SolarWinds stated that the SEC’s actions were an illustration of the agency’s excessive reach and should be a cause for concern for all publicly traded companies and dedicated cybersecurity experts nationwide.
The statement did not explain how the SEC’s actions could threaten national security. However, experts in cybersecurity have asserted that holding individual corporate information security officers accountable for identified weaknesses may make them less diligent in uncovering and reporting those weaknesses. This could also discourage qualified individuals from pursuing these roles.
During Biden’s term, the Securities and Exchange Commission (SEC) has taken a strong stance in ensuring that publicly traded companies are held responsible for any cybersecurity breaches or lack of disclosure about vulnerabilities. In July, the SEC implemented regulations mandating that companies report, within four days, any cybersecurity breaches that may impact their financial status. Exceptions may be made in cases where immediate disclosure would pose significant risks to national security or public safety.
Those affected by the SolarWinds breach included the New York federal prosecutors’ office, the then-acting Homeland Security Secretary Chad Wolf, and members of the department’s cybersecurity team who were responsible for detecting potential threats from other nations.