In this blog post, we'll take a look at the well-known Sunburst attack of 2018 and how the specific charges stemming from this attack will impact Chief Information Security Officers (CISOs) going forward.
As a CISO, it’s my job to ensure that KnowBe4's information systems and data, including our customers’ data, remain protected from any and all cyber attacks. The state of any organization’s cybersecurity rests with the CISO (if it has one). That means a CISO must both understand the current state of the organization’s security risks and be able to communicate those risks to company leadership, such as the board of directors and shareholders (if applicable).
In 2018, SolarWinds experienced a cyber attack that, according to Microsoft, required more than 1000 engineers to create. Dubbed “Sunburst,” this attack injected a malicious update into SolarWinds customers’ installations of the Orion product. We now know it took SolarWinds some time to identify the scope of the attack, develop a plan to remediate the threat, push the updates out to customers, and ensure that every customer was updated and secure.
In addition to the responsibilities listed above, the CISO needs to keep all internal and external stakeholders updated on the state of the attack and its cleanup. Also, keep in mind that if you work for a publicly traded company, it’s critical that the organization be transparent and keep the market up to date, as those updates could (and likely would) affect stock prices. The SEC now requires notification timeframes for the disclosure of cybersecurity events, similar to those in the GDPR and in most master services agreements signed between a customer and a provider.
Fast forward to last month, and we find the SEC charging both SolarWinds and, specifically, its CISO, Tim Brown, with “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”
According to the SEC press release, SolarWinds and Brown committed fraud by being “aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.” The release goes on to say that the case is about “misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
While SolarWinds has vowed to fight the charges in court, what remains is the question of how accountable CISOs are when they attempt to balance competing risks. Striking a balance between risk tolerance and risk appetite regarding the state of cybersecurity is imperative to the organization’s success, but regardless of the situation, the CISO must promptly, accurately, and completely communicate to the executive management team and the board any incident that might impact shareholders.
The SEC charges allege some pretty damning examples where internal communications make the platform appear far less secure than what was disclosed to shareholders, which is the crux of the allegation. Putting aside who’s in the right here, this complaint by the SEC makes it clear that the role of a CISO may be changing to include far more scrutiny of the work they do and of the way they communicate plans and outcomes.
Note that this is an SEC lawsuit regarding information (or lack of information) provided to shareholders, not a lawsuit by SolarWinds customers citing the same complaint. In most cases, a contract between a services or software provider and a customer has language regarding commitments to secure coding practices, external audits, penetration testing, and even the right for the customer to audit the security practices of the provider. There is no such right between a public company and its shareholders. Something to consider… Should public companies be required to publicly report details of vulnerabilities, security audit results, and even aspects of their awareness training programs in the same way they disclose financial information?
In the end, the SEC simply wants publicly traded organizations to be truthful and transparent about cybersecurity-related issues. And with CISOs potentially being held personally responsible, overly optimistic language that obscures the true state of an organization’s post-attack remediation is no longer going to cut it.