The long hangover from the notorious 2020 state-backed supply chain attack on SolarWinds doesn’t appear to be ebbing. If anything, it may be gaining some steam.
For at least the third time in three years the Securities and Exchange Commission (SEC) is probing for more information on the massive SolarWinds Orion cyber espionage attack that hit nine U.S. government agencies and hundreds of businesses in late 2020.
This time around the regulatory watchdog appears to be looking for inside intelligence from IT companies and telecom carriers exploited in the incident, specifically what they knew and when they knew it but may not have disclosed, according to a Bloomberg report. The SEC wants internal communications of the data-siphoned companies and is also poking around for cybersecurity gaps, the report said.
To date, the IT companies and telecoms involved have not been identified.
SolarWinds Probe: SEC Motivations in the Investigation
The check-in raises serious questions not just for current cyber breaks but also for future events. Is the SEC gunning for SolarWinds as an example or is it broadening cybersecurity disclosures by zeroing in on the company and its customers?
The SEC has an incredibly long reach. Given the magnitude of the breach, by examining customer corporate cyber policies and protections is the regulator signaling an evolving blueprint before the fact for future cyber breaks? In other words, publicly held businesses better have their cybersecurity systems and procedures buttoned up ahead of an event to meet standards or potentially face prosecution.
While SolarWinds Orion is used mainly by IT professionals to monitor corporate and government networks and is not part of the SolarWinds MSP toolset to record network activity, some MSPs leverage Orion for various monitoring purposes.
MSSPs and MSPs: Perpetrators or Victims?
Might that put MSPs and MSSPs in the SEC’s crosshairs?
“I don’t think the SEC is necessarily looking into the MSPs' and MSSPs' cybersecurity hygiene,” Eric Tilds told MSSP Alert. Tilds is an attorney who previously served as chief legal officer of Logicalis until starting his own firm in 2021. The SEC is probably looking at the MSPs and MSSPs as the victims here, and investigating what impact the SolarWinds issues had on them, he said.
SolarWinds’ stock price dropped 25% in the two days following the event, no small matter to the SEC, which has claimed that the company knew about its vulnerabilities for two years prior to the attack.
Now that the SEC has looked at cross-stream and downstream victims of the attack, could a further post mortem SEC investigation extend from SolarWinds Orion end-customers to their supply chain and channel partners?
That’s unlikely but possible, Donald Geiter, an attorney specializing in cybersecurity law and policy, told MSSP Alert.
MSPs/MSSPs Need Written Contracts with Clients
“I do think they should be concerned anytime the government attempts to regulate in an area that it doesn’t fully understand,” he said, in a nod to cybersecurity protections. “One area of concern, among many, is where an MSP/MSSP lacks a written contract with their client, especially if their client is a regulated entity under the purview of the SEC or other administrative bodies,” he said.
It’s unclear just how far the SEC will take the probe and how deep it will drill down. On the one hand, requests for information are typically voluntary but on the other hand, companies that fail to disclose breaches or have sub-par controls in place could face penalties. That has to have some corporate executives concerned that information from the SEC’s investigation could expose them to liability.
CISO Named in Lawsuit
The look-see comes six months after the SEC slapped SolarWinds with a lawsuit claiming the software company and its chief information security officer (CISO) defrauded investors by overstating its cybersecurity practices and understating its weaknesses in regulatory filings.
Is the SEC focusing on a company’s disclosures prior to a cybersecurity incident?
It’s not known if the agency’s information run is directly related to the lawsuit, which was the first time that the regulator had leveled fraud charges in a cybersecurity breach case. The lawsuit came as the SEC will enforce new disclosure requirements and other issues such as insufficient internal controls as related to subpar cybersecurity protections.
“It seems to me that the SEC is indeed attempting to broaden cybersecurity disclosures beyond legal mandates,” Geiter said. The SEC's lawsuit may have a “potential chilling effect on cybersecurity information sharing,” he said.
SolarWinds Goes on the Offensive
But SolarWinds is fighting back. In a recent filing in U.S. District Court, the company asked for the suit to be dismissed, contending that documents, including its self-assessments performed under the National Institute of Standards and Technology (NIST) framework, show a robust cybersecurity program.
“[SolarWinds] argues that the SEC's claims are flawed and contradicted by documents,” said Geiter. “My favorite quote [in the memorandum to dismiss] is from SolarWinds’ attorney: ‘As reflected by the SEC's long and rambling amended complaint, this is a case in search of a theory: The SEC has thrown everything it can think of against the wall, but nothing sticks…’”
In the infamous December 2020 attack, hackers targeted SolarWinds by deploying malicious code into its Orion IT remote monitoring and management software used by thousands of businesses and government agencies worldwide. Russian operative Cozy Bear/Nobelium, which reportedly made away with vital information, is widely named as the attackers.
Roughly 18,000 SolarWinds customers among a total of more than 30,000 had downloaded the malware-infected software, though the number of fully compromised victims ended up in the hundreds. IT companies and telecoms were included in the infiltration.
The initial SEC SolarWinds investigation came on the heels of President Biden's executive order issued in May 2021 that referred to the role of IT service providers in cybersecurity more than dozen times.