SolarWinds Calls SEC's Fraud Allegations 'Unfounded,' an 'Overreach'
SolarWinds is “disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company," and it's "deeply concerned this action will put our national security at risk,” emailed a spokesperson Tuesday. The SEC's 10-count lawsuit alleged SolarWinds and Timothy Brown, its chief information security officer, were guilty of Securities and Exchange Act violations.
SolarWinds' statement also said "the SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments."
CISO Brown “defrauded investors through misstatements, omissions, and schemes that concealed” the company’s “poor cybersecurity practices and its heightened -- and increasing -- cybersecurity risks,” alleged the complaint Monday (docket 1:23-cv-09518) in U.S. District Court for Southern New York in Manhattan.
From October 2018 through January 2021, Brown, then-vice president-security and architecture, made public statements about SolarWinds’ cybersecurity practices and risks that “painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks,” said the complaint. In October 2018, the month SolarWinds conducted its initial public offering with a registration statement alluding to “generic and hypothetical security risk disclosures,” Brown wrote in an internal presentation that the company’s “current state of security leaves us in a very vulnerable state for our critical assets,” the complaint said.
The “true state of SolarWinds’ cybersecurity practices, controls, and risks ultimately came to light only following a massive cyberattack -- which exploited some of SolarWinds’ poor cybersecurity practices -- and which impacted thousands of SolarWinds’ customers,” the SEC said. Dubbed Sunburst, the attack compromised SolarWinds’ flagship Orion software platform, considered the “crown jewel” by the company with 45% of revenue in 2020, the complaint said.
SolarWinds and Brown made “materially false and misleading statements and omissions related to SolarWinds’ cybersecurity risks and practices in at least three types of public disclosures,” the complaint said, citing the security statement on the company’s website, Form S-1 and S-8 registration statements and periodic reports filed with the SEC, and an 8-K form filed with the SEC in December 2020 regarding the Sunburst cyberattack on Orion.
The security statement was misleading because it touted SolarWinds’ “supposedly strong cybersecurity practices,” said the complaint. The statement said SolarWinds created its software products in a “secure development lifecycle [that] follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments,” the SEC said.
The company claimed that its password policy covered all applicable information systems, applications and databases and that it enforces the use of “complex passwords,” the complaint said. Its statement said SolarWinds had access controls to sensitive data in its databases, systems and environments set on a “need-to know / least privilege necessary basis,” statements that were “materially false and misleading,” the SEC said.
The security statement concealed from the public SolarWinds’ “known poor cybersecurity practices” during the relevant period, the complaint said. Those practices included the company’s failure to consistently maintain a secure development lifecycle for software it developed and provided to thousands of customers, enforce the use of strong passwords on all systems and remedy access control problems “that persisted for years,” the complaint said.
Risk disclosures in SEC filings “similarly concealed” the company’s “poor cybersecurity practices” by referencing general high-level risk disclosures that “lumped cyberattacks" in a list of risks alongside “natural disasters, fire, power loss, telecommunication failures…[and] employee theft or misuse,” the complaint said. The cybersecurity risk disclosure was “generic and hypothetical,” using the word “if” related to cyberattacks rather than addressing “known risks,” it said. The disclosure warned of an “inability to defend against ‘unanticipate[d]… techniques’ but failed to disclose that SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement,” said the complaint.
The general warnings were repeated “verbatim” in subsequent filings “despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in,” the complaint said. Around the time SolarWinds was making misleading statements, Brown and other company employees “knew that SolarWinds had serious cybersecurity deficiencies,” it said, citing internal emails, messages, and documents describing “numerous known material cybersecurity risks, control issues, and vulnerabilities” that “dramatically contradict” public disclosures.
A January 2018 email to senior managers admitted that the security statement's secure development lifecycle (SDL) section was false. Rather than amend the statement to make it accurate, the company came up with a “scheme" by which it would "conceal the present falsity of the representations and work toward making them true eventually,” the complaint said.
In June 2018, a network engineer identified a “security gap” related to SolarWinds’ remote access virtual private network, which allowed access from devices not managed by SolarWinds, the complaint said. The engineer “warned that this setup was ‘not very secure’ and later explained that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late’ which could lead to a ‘major reputation and financial loss’ for SolarWinds,” it said. Company presentations in 2019 and 2020 noted “inappropriate” access to “critical systems” and “significant deficiencies in SolarWinds’ access controls."
An engineering team member said he was “spooked” by activity at a SolarWinds customer in July 2020, to which Brown allegedly replied that he, too, was concerned, saying, “As you guys know our backends are not that resilient and we should definitely make them better.” A September 2020 risk acceptance form for Brown and others warned of “the risk of legacy issues in the Orion platform” and that the “volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve,” the SEC said.
In November 2020, an information security manager sent an instant message expressing his “disgust” with SolarWinds’ security posture, saying, “[W]e’re so far from being a security minded company. [E]very time I hear about our head geeks talking about security I want to throw up.” An information security employee sent the manager a link to a list of vulnerabilities in Orion, saying the products were “riddled and obviously have been for many years.” A network engineer complained that month about temporary fixes, saying the problem “is still there and it’s huge. I have no idea what we can do about it. Even if we started to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**k this situation. Not good,” the SEC said.
Though Brown and other SolarWinds employees and executives knew about the risks, vulnerabilities and attacks against SolarWinds’ products, the company’s risk disclosures “did not disclose them in any way, either individually or by disclosing the increased risk they collectively posed to SolarWinds,” said the complaint. The violations “became painfully clear” when SolarWinds suffered a “major, targeted cybersecurity attack,” it said.
On Dec. 14, 2020, the day that SolarWinds filed its first 8-K report with the SEC about the Sunburst attack, its stock dropped over 16%, said the complaint. It dropped 8% the next day and continued to drop, losing 35% of its value by the end of 2020 as the company disclosed more details of the attack “and as news outlets reported that internal sources had warned SolarWinds for several years about the Company’s cybersecurity risks and vulnerabilities,” it said.
The SEC seeks orders permanently restraining and enjoining SolarWinds and Brown from violating, directly or indirectly, portions of the Securities and Exchange acts; requiring SolarWinds and Brown to disgorge all ill-gotten gains they received directly or indirectly as a result of the alleged violations, with pre-judgment interest; requiring it to pay civil monetary penalties; and prohibiting Brown from acting as an officer or director of any issuer that has a class of securities registered under Section 12 of the Exchange Act or that is required to file reports under Section 15(d) of the Exchange Act.
Brown’s attorney, Alec Koch of Kingsley Smith, emailed Tuesday that Brown “has performed his responsibilities at SolarWinds as Vice President of Information Security and later as Chief Information Security Officer with diligence, integrity, and distinction.” Brown has “worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”
SolarWinds' stock closed at $23 on Friday, Dec. 11, prior to Reuters' Dec. 13 report that hackers potentially linked to Russia had gained access to email systems at the Commerce and Treasury departments, and that the attackers got in by way of SolarWinds software updates, CNBC reported then. It closed Tuesday at $9.21.