Ex-CISOs, trade groups back SolarWinds, saying SEC case threatens security

Former US cybersecurity officials and CISOs, plus business advocacy groups, warned that the SEC’s fraud suit against SolarWinds could chill intelligence sharing from businesses.

Influential business and technology industry stakeholders have filed amicus briefs in the US District Court for the Southern District of New York (SDNY) in support of a motion to dismiss the SEC’s civil fraud lawsuit against SolarWinds.

Along with such groups as the US Chamber of Commerce, more than 20 current and former chief information security officers and law enforcement figures, including former National Cyber Directors Chris Inglis and Kemba Walden, urged the court to consider whether the SEC’s case would make companies reluctant to come forward with urgent threat intelligence.

The SEC’s civil charges

The securities regulator filed its civil charges back in October, both against SolarWinds and its CISO, Tim Brown. The SEC’s complaint stated that from at least its October 2018 initial public offering through at least its December 2020 announcement that it had been the target of a massive, nearly two-year-long cyberattack, dubbed “SUNBURST”, SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.

In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices, as well as the increasingly elevated risks the company faced during that period.

The incident became one of the most significant cyberattacks in history, resulting in nearly 18,000 customers receiving a compromised software update. Those customers included the US government.

Case ‘will undermine cybersecurity’

The CISO group includes current and former officials from major companies, including Salesforce, Exelon, Clorox, Blackstone and Activision Blizzard.

In a separate brief, The Software Alliance, a software trade group also known as BSA, said the SEC action would force companies to publicly disclose software vulnerabilities that could make them more vulnerable to malicious attacks.

“Three years later, the US SEC now accuses SolarWinds – the victim of that nation-state attack – and its CISO of securities fraud. The SEC acknowledges that SolarWinds warned investors that it was vulnerable to cyber-threats and, within two days of learning about the intrusion, filed a Form 8-K in which it publicly disclosed that it had been the victim of a potentially massive cyberattack. Nonetheless, the SEC accuses SolarWinds of defrauding investors by not publicly disclosing details about its cybersecurity vulnerabilities or exactly how many customers were infiltrated through the Sunburst attack,” according to the filing from The Software Alliance.

“This case is unprecedented,” the filing continued. “Never before has the SEC sued the victim of a nation-state cyberattack; sued a company for securities fraud based on the company’s cybersecurity disclosures; or sought to hold an individual personally liable for those disclosures. This case is not only novel, but also threatens to undermine cybersecurity by making it more difficult for companies to respond to increasingly sophisticated and highly-resourced cyber-threats.”

The Software Alliance said that “if public companies must now fear the SEC will comb through their communications for evidence purporting to show that some of their employees were aware of undisclosed vulnerabilities, as the SEC has sought to do in this case, candid internal deliberations will be chilled and communications with law enforcement and national security authorities, other companies, and the public will be stifled, even though those communications are essential to effective cyber-defense.”

An SEC spokesperson declined to comment to news outlets on the briefs and pointed to its public filings and prior statements when the case was originally filed.

In response to an inquiry from CRN, Serrin Turner, an attorney at Latham & Watkins, who is representing SolarWinds, said in a statement that “we are grateful for the thoughtful amicus briefs filed by a wide range of stakeholders, which highlight that the SEC’s positions in this case are not only unsupported by the law but raise serious security concerns for companies, CISOs, and the public at large. We remain confident that SolarWinds’ disclosures at all times were appropriate, and the SEC’s assertions otherwise are fundamentally flawed.”