SolarWinds Requests Court Dismiss Regulator’s Fraud Case

Network monitoring software vendor SolarWinds moved to dismiss a federal lawsuit accusing the company and its CISO of securities fraud after they allegedly misstated the efficacy of its cybersecurity controls.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Austin, Texas-based SolarWinds in a Friday court filing called charges filed last October by the Securities and Exchange Commission “as unfounded as they are unprecedented” and moved for the “fundamentally flawed” case to be dismissed lest it “revictimize the victim” of a Russian intelligence hacking campaign.

“The SEC is trying to unfairly move the goalposts for what companies must disclose about their cybersecurity programs and, with the controls charges, claim a mandate for regulating those programs that the agency does not have,” SolarWinds said in a court filing.

Federal regulators in October sued SolarWinds and CISO Tim Brown over fraud and internal control failures, alleging they misled investors about the company’s “serious cybersecurity deficiencies” and resulting risks facing the business, which counts about 300,000 customers. Hackers from the Russian Foreign Intelligence Service, in an incident disclosed in December 2020, penetrated updates for the SolarWinds Orion network monitoring product, allowing them to spy on high-value customers, including nine federal agencies.

The government accused the company and Brown of disclosing only generic and hypothetical risks even though they knew about specific security issues. The SEC seeks to permanently ban Brown from serving as an officer or director of a publicly traded company and to impose civil monetary penalties and the return of any ill-gotten gains (see: SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors).

This SEC case is being closely watched on multiple fronts, including because it’s the first time the regulator has charged an individual over alleged cybersecurity shortcomings (see: Why CISOs Should Pay Attention to SolarWinds SEC Allegations).

In support of its motion to dismiss, SolarWinds’ defense counsel on Friday petitioned U.S. District Judge Paul A. Engelmayer to be able to file the company’s cybersecurity incident response plan as evidence, but under seal.

“Given the sensitive nature of SolarWinds’ incident response plan – which could be exploited by a future threat actor – sealing is warranted,” defense counsel Serrin Turner, an attorney at Latham & Watkins LLP, said in a court filing.

The government will have a chance to respond.

Brown served as SolarWinds’ vice president of security and architecture and head of the information security group from July 2017 to December 2020, leading the company’s overall cybersecurity program as well as overseeing the security architecture of its products. In 2021, he became the company’s CISO.

The alleged period of misconduct began with the company’s October 2018 initial public offering and lasted until at least December 2020, when the company warned that Orion had been targeted as part of a serious supply chain hack – dubbed Sunburst – attributed to Russia’s Foreign Intelligence Service, the SVR.

In its complaint, filed in the Southern District of New York, the SEC alleges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the company’s cybersecurity policy violations, vulnerabilities and cyberattacks.”

Evidence cited by the SEC in support of its allegation that SolarWinds executives knowingly misstated “the true state of SolarWinds’ cybersecurity practices, controls and risks” included discussions involving engineering teams, security teams and others detailing concerning shortcomings in the company’s secure development life cycle – or lack thereof. The SEC also cited internal company discussions focusing on vulnerability management and network security concerns and a preponderance of poorly protected legacy accounts, many of which were protected using login credentials “stored in plaintext in configuration files,” among other locations.

The SEC also alleged that SolarWinds had seen similarities between an attack targeting vulnerabilities in one of its products that affected a U.S. government agency in May 2020 and a cybersecurity firm in October 2020, but it denied seeing any similarities when asked specifically about this by the cybersecurity firm.

The Sunburst campaign came to light thanks to another customer, cybersecurity firm FireEye – now part of Trellix – publicly announcing that it had been compromised via SolarWinds’ Orion platform.

In a Friday court filing, SolarWinds contested the SEC’s allegations that it had issued overly generic warnings, saying its statements to investors included specific warnings “that its systems ‘are vulnerable’ to ‘sophisticated nation-state’ actors – the very risk that materialized.” The company also said that the SEC’s claims that it should have also disclosed “detailed vulnerability information” in its SEC filings “is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies and harmful to both, by providing roadmaps for attackers.”

While attackers exploited gaps in the company’s implementation of its security policies, the company said this was one of the risks it detailed. “No reasonable investor would have understood SolarWinds’ statements to imply a standard of perfection, especially when its risk factors warned that it was vulnerable to attack despite its security measures,” the company said in a court filing.

SolarWinds said that when the Sunburst campaign came to light, the company quickly “disclosed the key facts it knew about the attack and its severity, including that as many as 18,000 customers were at risk of compromise,” and assisted with investigations launched by the FBI and U.S. intelligence community.