SolarWinds fires back at SEC over fraud charges
The U.S. Securities and Exchange Commission (SEC) recently announced that it would be suing SolarWinds and its CISO, Timothy Brown, over the 2020 SUNBURST hack. Well, the IT software company has come out to defend itself and it’s not holding anything back.
In a lengthy blog post published last week, SolarWinds says the lawsuit is “fundamentally flawed” and lacks any legal or factual grounds. It also claimed that the SEC “lacks the authority or competence to regulate public companies' cybersecurity.”
The company went on to break down some of the allegations made by the regulator which it believes to be inaccurate.
To begin with, the SEC claimed that SolarWinds lacked adequate security controls before the attack took place. “We categorically deny those allegations. The company had appropriate cybersecurity controls in place before SUNBURST. The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture,” wrote SolarWinds.
The SEC also claims that SolarWinds didn't follow the NIST Cybersecurity Framework (CSF) at the time of the attack. However, according to SolarWinds, the evidence provided was a preliminary report on adherence to NIST Special Publication (SP) 800-53 and FedRAMP, which are “entirely different” from the CSF.
The IT company also debunked the SEC’s claim that the hackers exploited a VPN vulnerability to gain access to SolarWinds' systems, saying that the allegation was false and that there was no VPN vulnerability.
Still, there are other notable claims made by the SEC that SolarWinds does not address in its post. For instance, the company had earlier said that it implements least-privilege access controls for sensitive data stores, which was later shown to be false.
The SEC even points to a 2019 internal report that warned that these controls were “inappropriate.” Subsequent reports in March and October 2020 warned of “significant deficiencies” in those controls.
Brown is also quoted as having told senior managers that the company was not entirely honest about its adherence to the secure software development life cycle (SDL). “I've gotten feedback that we don't do some of the things that are indicated in the [Security Statement's SDL section],” Brown said in 2018.
The CISO acknowledged that improvements needed to be made if the company were to meet the expectations of an SDL. This was two and a half years before the attack, and yet there were portions of the affected Orion platform that weren't developed under the SDL process.
These are just a few snippets from the case between the SEC and SolarWinds. There’s also the issue of how the company disclosed its risk assessment to stakeholders and how the SUNBURST attack was handled before it became public knowledge.
“SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time,” SEC wrote in its complaint.