The Weekly Breach Breakdown Podcast by ITRC - Gone with the Solarwinds - S4E32

Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for November 10, 2023. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we catch up on one of the most impactful cyberattacks in recent history. We are talking about an attack against a widely used, but not well-known by consumers, enterprise software – the SolarWinds attack. That’s why we’re calling this episode “Gone with the SolarWinds,” named after the company targeted by Nation/State actors about this same time of year in 2020.

SEC Files Enforcement Actions Against SolarWinds & CISO

Last month, the U.S. Securities and Exchange Commission (SEC) filed enforcement actions against SolarWinds and, importantly, against the company’s Chief Information Security Officer (CISO). The allegations range from failing to implement adequate cybersecurity protections to making “materially false and misleading statements.” The SolarWinds CISO was further alleged to have personally profited from an inflated stock price that resulted from what the regulators claim was an incomplete disclosure statement filed in the wake of the SolarWinds attack.

A Look Back at the SolarWinds Attack

The attack saw Russian cybercriminals affiliated with the Russian government distribute malware to thousands of organizations worldwide by hiding it in legitimate updates to SolarWinds’ network management software. Some customers impacted by the SolarWinds attack included many U.S. government agencies.

SEC Spent Years Building Case

In the three years since the SolarWinds attack, SEC investigators have been building a case that SolarWinds knew their software was not fully protected. In a 2018 presentation cited by the regulators, a company engineer described SolarWinds’ remote access setup as “not very secure” and explained a threat actor could use it to “basically do whatever without us detecting it until it’s too late.”

For its part, SolarWinds has gone on the offense and is forcefully defending the CISO and the company by attacking the SEC. That’s usually not a winning strategy when trying to avoid punishment from a federal regulator.

What Charges Could the SolarWinds CISO Face?

What’s creating a buzz in cybersecurity circles are the charges against the CISO. The cybersecurity community remains split on the impact of the charges and any future resolution that includes punishing the CISO for making false and misleading statements about the state of cyber protections at SolarWinds. Some believe the regulatory actions will have a chilling effect and make it even more challenging to find and keep cybersecurity leaders in an already stressful job. Other cyber leaders believe it could have the benefit the SEC intends: Making sure CISOs and other executives deliver the cyber protections they claim to provide.

Contact the ITRC

If you want to know more about how to protect your business or personal information, think you have been the victim of an identity crime, or have questions about the SolarWinds attack, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Be sure to check out the latest episode of our sister podcast, The Fraudian Slip. This weekend, as we honor the men and women who have served in the armed services on Veterans Day, take a moment to say thanks to a veteran for keeping us safe. We will return next week with another episode of the Weekly Breach Breakdown.