Published by Chris Pogue, Director, Digital Forensics and Incident Response, CyberCX United States and Alex Major, Partner, McCarter & English law firm, United States on 20 December 2023
The genius of the Oath of Affirmation taken by witnesses in the US court system is threefold.
The oath means that the witness swears to
- Say things that are, to the best of their knowledge, factual
- Say the entirety of those things (leaving out nothing intentionally), and;
- Say things that are factual, without interspersing them with things that are not factual.
In other words, say true things, say all the true things, and say only true things.
The Securities and Exchange Commission (SEC) has something similar. Often referred to as the “truth in securities” law, the Securities Act of 1933 (Act) has two basic objectives:
- Require that investors be provided with financial and other significant information concerning securities being offered for public sale, and;
- Prohibit deceit, misrepresentations, and other fraud in the sale of securities.
The full text of the Act is available at http://www.sec.gov/about/laws/sa33.pdf
In other words, say true things, say all the true things, and say only true things. TL;DR – don’t, either by commission or omission, lie to the SEC.
On October 30, 2023, the SEC announced that it is bringing charges against Solar Winds and its Chief Information Security Officer (CISO), Timothy G. Brown, for fraud and internal control failures related to allegedly known cybersecurity risks and vulnerabilities (also Complaint).
According to an SEC press release:
“As the complaint alleges, SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.
“Similarly, as alleged in the SEC’s complaint, 2018 and 2019 presentations by Brown stated, respectively, that the ‘current state of security leaves us in a very vulnerable state for our critical assets’ and that ‘access and privilege to critical systems/data is inappropriate.’”
Perhaps more disconcerting is the complaint identifying that Brown knew of SolarWinds’ risk but did not do what he needed to resolve or elevate the issues internally.
The modern challenges facing the CISO
In the modern threat landscape, every CISO at every company around the world faces a daunting and complex challenge. They all have insecure systems, limited resources, and a potentially unfamiliar CEO or CFO. All while an active adversary paces back and forth like a lion.
The authors, one an attorney and the other a former CISO, understand the challenges inherent in communicating and conveying the complexities of the CISO’s role to a CFO, CEO, and/or board of directors in a single sentence, but it boils down to this:
Being a CISO is an increasingly difficult position to want, hold, and succeed in. On the surface, it appears that the SEC may be making an already difficult position worse. But what if we told you that it may be making it much better?
In reviewing the Complaint, it’s important to recognize that it is not an indictment of the complexities of being a CISO in today’s modern threat landscape. Nor is the Complaint an unrealistic demand that CISOs get things right every time against an adversary that only needs to get things right once.
Rather, it is a Complaint that reinforces the critical nature and obligations of a CISO, and reminds that executive that they have a duty to the company, its shareholders, and its leadership to avoid being docile in a manner that willfully and knowingly aids in the deception of regulators (…like the SEC).
The issue has less to do with the messenger, and more to do with the recipients of the message – the executives at SolarWinds who allegedly appear to have known better and did nothing.
As Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, reflected:
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company.’”
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information. Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
CISOs: Say True Things
If you set aside the cyber element of this case for a moment and focus on the perspective of accurately reporting company information to the SEC, there’s little difference between this Complaint and the charges levied against Enron executives Kenneth Lay and Jeffrey Skilling in the early 2000s. As you may recall, those events led to Skilling being sentenced to 24 years in prison and Lay passing away prior to his sentencing (he was convicted on all six counts, which carried a maximum sentence of 45 years).
Although there were more than 50 unique Enron-related enforcement actions brought by the SEC against those involved, the core issue was that Lay and Skilling lied to the SEC. They knew the company’s revenue numbers and organizational health were nowhere near what they were reporting, and they willfully chose to mislead the SEC by misrepresenting the facts.
In the SolarWinds complaint, this “don’t lie” element is effectively buried, feeling more like the “theme” than the “plot.” It is for that reason that we believe that CISOs around the world are expressing some hearty and perhaps justified concern. It’s a reminder that when a CISO – or any executive – is on the hook to advise the SEC (or any regulator, shareholder, partner, etc.) on something relevant to the operations of their business, they must be open and forthright and ensure that what is being said by them or because of them is current, accurate, and complete. Say true things, say all the true things, and say only true things.
In many respects, the Complaint should serve as a wake-up call to CISOs and the entities that employ them. It suggests that CISOs need to shift their positioning a bit and approach their job like the general counsel does. They are present – and need to be effectively empowered – to give expert advice based on their skills and experience. A CEO can do as he/she chooses, acting in contradiction to the advice of the CISO, just like they can act in contradiction to the advice of counsel. However, if they do, it is they, not the CISO, who own the outcome .
The days of hog-tying the CISO with vetoed security roadmaps or shoestring budgets, then blaming them when something goes wrong, need to end – so sayeth the SEC. It is clear that regulators are poised to ensure that a company cannot underinvest in cybersecurity then point to the CISO when things go badly.
A Wake-up Call for CISOs and C-Suites
This is now the second time a CISO being brought up on charges for their actions within their companies has grabbed headlines (the other instance involved Joe Sullivan, former CISO at Uber). But in this case, there is a clear indication that the CISO did not do enough to ring the warning bell to avoid issues and right the ship. Specifically, the CISO did not do enough to ensure that leadership was listening and understood the implications of what was being reported.
Therefore, the SolarWinds complaint should not be viewed as an indictment against the challenges of being a CISO, it should be seen as an affirmation of the role and authority a CISO should possess. It should serve as a wake-up call to both CISOs and C-suite leadership that information security does indeed matter and that listening and understanding – even what appears to sound like techno-babble – remains core to the role of leadership.
For CISOs specifically, the Complaint should serve as a reminder that a CISO should be neither a cyber-doormat nor a fall guy, but instead a vested member of leadership endowed with the ability to make necessary decisions. This responsibility, however, means that it is no longer just reputation or career that may be at risk, but also freedom.
There’s nothing like the knowledge that you can be found criminally negligent, convicted, and sentenced to inject some bravery and stamina into a CISO’s spine so they can take the steps needed to secure their companies. At its crux, the Complaint serves as a stark warning that CISOs must ensure that security messages are delivered to the executive team in a language they can understand, relate to, and act on.
This will be a paradigm shift. If CISOs, boards, and HR departments aren’t sweating, they should be. The SEC’s actions are a siren song for whistleblowers to come forward, for IT team members to raise their hands, and for CISOs to raise their voices. Outside counsel and cybersecurity experts are critical in this stage, as they literally have no horse in the race, are less likely to sugarcoat findings, and have the benefit of decades of experience across hundreds of clients. They will have the company’s best interest in mind and will not protect single individuals trying to cover up their own decisions or inadequacies.
So, while many may be lamenting the SEC’s complaint as confining to CISOs, we suspect it may actually be liberating. Not only are they permitted to be completely honest and forthcoming regarding the true nature of their security posture, but they had darn well better be.
Additionally, when that truth is spoken to power, what CEO would now knowingly stick his or her neck out to veto the CISO, knowing what the stakes are?
There is a real kinetic impact here that is only now beginning to be felt but will continue to send shock waves through the global market. This is not an issue of cybersecurity; it’s merely the next front of a battle that has been fought for centuries – the battle of truth versus lies.
Authors
Chris Pogue, Director, Digital Forensics and Incident Response, CyberCX United States
Alex Major, Partner, McCarter & English law firm, United States