Who Holds the Blame for the SolarWinds Hack?
Many people were surprised by the recent move of the U.S. Securities and Exchange Commission (SEC), an unlikely actor in cybersecurity regulation: it is suing the IT firm SolarWinds and its chief information security officer, Timothy G. Brown, for securities fraud.
The SEC charges that they "defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened and increasing cybersecurity risks".
The attack against SolarWinds, dubbed Sunburst, occurred back in 2020 and was one of the largest supply chain compromises in recent times. The hackers managed to compromise the company's code repositories and insert a backdoor into the company's popular monitoring tool Orion. This was later delivered as an update to roughly 18,000 SolarWinds customers.
To be fair, the SEC complaint seems sloppy at times. At one point it suggests that default initial passwords in shipped products are proof of lax cybersecurity practices at the firm, or that a "VPN vulnerability" allowed hackers to infiltrate the company's network. These and other points highlighted in SolarWinds' rebuttal against the charges certainly weaken the case.
However, it is telling that SolarWinds does not mention the word "password" once in its rebuttal, apparently for good reason. One of the key charges in the SEC's complaint is that "SolarWinds and Brown Falsely Claimed that SolarWinds Implemented a Strong Password Policy". The SEC rightly points to security researchers finding back in 2019 that the company's software download website was protected by a simple password ("password123"), which was published in cleartext on SolarWinds' GitHub code repository.
These allegations were never seriously countered by SolarWinds and are a very strong indication that critical systems at the firm lacked both strong password policy enforcement and multifactor authentication.
Claiming that the company had appropriate cybersecurity controls at a time when the use of weak passwords was pervasive is a very basic failure by SolarWinds, one that the company and its executives will need to explain properly.
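As an added example, not code from the original article or from SolarWinds, the following script implements the two controls the preceding paragraphs say were missing: a password policy check (length, character classes, and a denylist of commonly breached passwords such as "password123", including the "add digits to a dictionary word" variant) combined with a multifactor enrollment requirement, and a scan of repository text for credentials committed in cleartext. The denylist, the credential pattern, and the sample deployment file are constructed for the example and are not taken from the real case.

```python
import re

# Constructed denylist of commonly breached passwords (illustrative; a real
# deployment would load a large breach corpus instead).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "admin"}


def check_password_policy(password: str, min_length: int = 12) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    # Catch both the bare dictionary word and the "word + trailing digits" habit.
    if lowered in COMMON_PASSWORDS or re.sub(r"\d+$", "", lowered) in COMMON_PASSWORDS:
        violations.append("matches a commonly breached password (with or without trailing digits)")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        violations.append("uses fewer than three character classes")
    return violations


def assess_account(password: str, mfa_enrolled: bool) -> list[str]:
    """Combine the password policy with a multifactor requirement for one account."""
    violations = check_password_policy(password)
    if not mfa_enrolled:
        violations.append("multifactor authentication not enrolled")
    return violations


# Assignment of a secret-looking key to a literal value in source or config text.
CREDENTIAL_PATTERN = re.compile(
    r"""(?P<key>password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["']?(?P<value>[^"'\s]+)["']?""",
    re.IGNORECASE,
)

# Values that indicate a placeholder or an environment lookup rather than a real secret.
PLACEHOLDER_PREFIXES = ("${", "$", "<", "os.environ")
PLACEHOLDER_WORDS = {"CHANGEME", "REDACTED", "XXX"}


def find_cleartext_credentials(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, key, value) for each apparent hardcoded credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = CREDENTIAL_PATTERN.search(line)
        if not match:
            continue
        value = match.group("value")
        if value.startswith(PLACEHOLDER_PREFIXES) or value.upper() in PLACEHOLDER_WORDS:
            continue
        findings.append((lineno, match.group("key").lower(), value))
    return findings


# Constructed sample of a deployment script committed to a repository (not real code).
SAMPLE_REPO_FILE = """\
# deployment helper for the download site (constructed sample)
ftp_host = "downloads.example.invalid"
ftp_user = "deploy"
ftp_password = "password123"
api_token = os.environ["API_TOKEN"]
db_password: ${DB_PASSWORD}
"""


def scan_sample_repo() -> list[tuple[int, str, str]]:
    """Run the credential scan over the constructed sample file."""
    return find_cleartext_credentials(SAMPLE_REPO_FILE)


if __name__ == "__main__":
    for lineno, key, value in scan_sample_repo():
        print(f"line {lineno}: cleartext {key} = {value!r}")
        print("  policy violations:", assess_account(value, mfa_enrolled=False))
```

The scanner deliberately skips environment lookups and `${...}` placeholders so that it flags committed literals rather than every line that mentions a secret; in practice such a check belongs in a pre-commit hook or CI step, where the policy function can also be run against the literal it finds.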
Both the U.S. and the EU are moving in the same direction: individual responsibility
Yet people should not be surprised: cybersecurity experts and industry insiders have been asking for regulation and penalties for lax cybersecurity for some time now.
The U.S. move, while unexpected from a securities fraud perspective, is the "new normal": recent amendments to SEC rules require publicly listed companies to disclose "material" cybersecurity incidents. The "material" part could imply individual liability at the executive level, and is bound to cause more legal battles in the future.
In the EU, regulators have also listened: the so-called NIS2 directive, which aims to provide measures to boost the overall level of cybersecurity in the EU, makes it possible to hold executives liable for breach of their duties in case of non-compliance. A hypothetical cybersecurity incident would offer authorities ample latitude to impose penalties or even charge individuals under the NIS2 regime.
But one does not need to look at the EU or the USA: cybersecurity incidents now have such serious consequences that prosecutors do not need new regulations to charge individuals with cybersecurity negligence.
Consider the 2022 cyberattack against Albanian government organizations by Iranian hackers. The hack involved not only data destruction by ransomware, but also exfiltration and public leaks of sensitive records, such as the identities of persons involved in criminal investigations, entry and exit logs at state borders, and even the identities and personal details of 600 Albanian intelligence officers.
In the end, the Albanian prosecutors charged five employees at the state IT provider with "abuse of duty", specifically for not patching the government servers in time. The charges carry penalties of up to seven years in prison, according to the Associated Press.
In short, one must expect prosecutors to seek more individual responsibility and liability in cases of cybersecurity incidents - the new regulations and rules are certainly going in this direction, after so many insiders asked for a tougher stance on cybersecurity. Whether that will boost cybersecurity at organizations is a different matter.