25 votes

US sues SolarWinds for fraud over alleged cyber security neglect ahead of 2020 Russian hack of Justice and Homeland Security departments

4 comments

  1. skybrian

    Matt Levine:

    If you are a publicly traded software company, and your customers access your product through a server, and you provide them with a default password to log into the server, and the default password is “password,” is that securities fraud? You know the answer!

    1. Every bad thing that a public company does is also securities fraud.
    2. Using “password” as your password is pretty bad.
    3. Therefore, using “password” as your password is securities fraud.

    ...

    But that is not technically an accurate description of the law, so the SEC, in suing SolarWinds, needs to argue that SolarWinds made false statements about facts that were material to investors. Thus, for example, “password”:

    SolarWinds’ Security Statement falsely claimed the Company not only had, but enforced, a strong password policy. Specifically, SolarWinds and Brown stated: “We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password best practices enforce the use of complex passwords that include both alpha and numeric characters, which are deployed to protect against unauthorized use of passwords.” …
    Contrary to its Security Statement, SolarWinds did not enforce strong password requirements on all of its information systems, applications, and databases, as Brown and SolarWinds knew or were reckless or negligent in not knowing. …

    ...

    During the Relevant Period, SolarWinds used an Akamai server to distribute software updates to its customers. In November 2019, an outside security researcher notified SolarWinds that the password for the Company’s Akamai server was publicly available, and that a threat actor could use that public password to infect SolarWinds’ software updates: “I have found a public Github repo which is leaking ftp credential belong[ing] to SolarWinds…. Via this any hacker could upload malicious exe [executable code] and update it with release [of] SolarWinds product.” Senior InfoSec Manager E confirmed the security researcher’s description. The password that was publicly available was “solarwinds123,” an astonishingly simple password that did not comply with the Company’s stated password complexity requirements.

    ...

    “Any hacker could upload malicious exe” is pretty much what ultimately happened and crashed the stock. I am not a cybersecurity expert and I have not followed the SolarWinds hack closely, but I suppose it is possible that Russian intelligence agents were able to hack the Orion updates, and thus spy on US federal government computers, by correctly guessing the password “solarwinds123.” What would Dark Helmet say?

    ...

    Is that right? It feels not quite right, in the sense that you rarely see equity research notes about public companies that are like “upgrading this company to a Buy based on its strong password policies.” The claim here is not really, not seriously, that investors read SolarWinds’ password policy, and decided to invest based on that policy, and then lost money when the password policy turned out to be fake. The more likely story is that investors blithely assumed most companies have good practices across a range of domains and figured that, if SolarWinds really was just letting anyone into its software, someone would tell them.

    It’s not just passwords, to be clear. The SEC identifies other kinds of poor information security practices; the “password” stuff is just the most obvious. The basic idea is that SolarWinds did various careless things, while telling customers and investors that it was careful, and eventually the carelessness caught up to it. And the stock dropped.

    ...

    Everything is securities fraud, and using “password” as your password is securities fraud, but using “password” as your password is especially securities fraud if one of your engineers sends an email saying that it is “pretty well amateur hour.” But it is pretty well amateur hour! It is helpful for someone to point that out. But it gets you sued.

    8 votes
  2. [3]
    norb

    It did not explain how the SEC’s action could put national security at risk, though some in the cybersecurity community have argued that holding corporate information security officers personally responsible for identified vulnerabilities could make them less diligent about uncovering and/or disclosing them — and discourage qualified people from aspiring to such positions.

    I find these arguments kind of fascinating. On the one hand, I think the government's true aim here is to force change in organizations that won't do it on their own. What I mean by that is, they start to hold individual executives (in this case, the Chief Information Security Officer (CISO)) accountable, then the government expects it to cause enough fear and/or churn in the positions to force companies to take this stuff seriously.

    If you read the linked article, the CISO on the chopping block right now started off at SolarWinds by pointing out all of their issues and problems, but at some point after that he let it go and started saying everything was fine. The implication that I take away from the article and my own personal experience is that due to influence from other executives, the story he told internally and the one that they shared publicly were not aligned.

    But on the business' side, their argument is that by targeting individuals for these actions, the government is just going to cause actual cybersecurity work to be hampered due to the personal fear that these individuals have, so they will be willing to overlook and/or not look for any flaws or vulnerabilities in their systems.

    I find this argument rather spurious since companies already behave in this way. Many companies overlook glaring security concerns for a number of reasons. The cost to fix them probably being #1, but also because a lot of business executives do not truly understand cyber risk and cybersecurity. There is also the misunderstanding that IT is just a "cost center" and not a "profit driver" (especially true in companies whose business is not IT focused - this is a very hard argument for SolarWinds to make since they are exclusively an IT company and should know better -- it probably goes back to point #1 about the cost to fix the problem being too high).

    It will be interesting to see how this plays out in court, and what the eventual downstream impacts are. I have worked in IT for 20+ years and had cybersecurity roles for 8-10 of those years. My opinion is that no matter what happens, businesses will continue to look the other way or justify not fixing things due to cost for the foreseeable future. I think one argument (or truly, threat) that companies are making about this is the chilling effect it will have on public disclosures. If the SEC charge here is that the public comments made by the CISO did not match up with what their internal communications indicated (which, to my best understanding is the case - someone correct me if I'm wrong as I am not anything even remotely close to a lawyer (IANAERCTAL)) then companies will just stop sharing details publicly. I say this is a threat because this is basically them saying "Well, we definitely will not share the limited details we already do because you'll come after us for it!" is actually counter to our national security.

    Again, I find that threat fairly laughable since many companies already only provide the bare minimum amount of public disclosure when they are compromised by attackers. The only thing I am not privy to that might be affected is any companies that work behind closed doors with federal agencies. It could be possible that some companies would see this as an excuse to not even do that, which could be very damaging to our security posture as a country.

    7 votes
    1. [2]
      boxer_dogs_dance

      I suspect that publicizing the security failure is part of the motivation for filing the suit. The government might not win, but defending is expensive and now many people will associate SolarWinds with fucking up cyber security.

      2 votes
      1. norb

        Agreed 100%. The government is turning the screws to SolarWinds, and this is a new angle for the SEC to take as far as I know, hence the kind of lashing out response we're seeing from the business. I think the only thing that remains to be seen is what the end result actually is, which is years down the road probably.

        Personally, I think the only thing that starts to move the needle on cybersecurity overall is hits to the pocketbooks of investors. When companies start to lose market share because of these events, then there will be consequences. Until then, we're going to be stuck in the current climate which is disclose the minimum amount necessary to keep investors and/or customers happy and fuck the rest cause we're making money! (I may be slightly jaded lol - but I've seen this with Equifax (super egregious if you read into that one), recently MGM (also super egregious if you believe what the attackers have said and what others outside the company have noted so far), and then any number of other companies that have been ransomwared over the past few years.)

        2 votes