On October 30, 2023, the U.S. Securities and Exchange Commission announced formal charges against the software company SolarWinds as well as their chief information security officer, Timothy Brown, for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”
These charges come in the wake of the SolarWinds Orion compromise, in which attackers spent roughly two years inside SolarWinds' environment and used a trojanized Orion update to reach customers' networks, including Microsoft and the U.S. Department of Defense. The SEC claims, based on internal communications, that Brown and SolarWinds leadership knew their software was vulnerable to attack but led investors to believe it was far more secure than it was.
This is bad news for SolarWinds and Brown, but it's good news for application security leaders everywhere. AppSec leaders have been making the case for devoting more resources to finding and fixing known vulnerabilities for a long time. As governments continue raising security expectations for vendors (and take action against software companies that neglect security), the case for improving security in both your commercial and internal applications gets stronger.
Let’s take a look at the implications the SEC’s case has on cybersecurity leaders moving forward.
1. Software vendors will be held more responsible for breaches
It’s one thing to write cybersecurity policies—it’s another to enforce them. While the U.S. government’s push for stronger cybersecurity policies will raise security standards for vendors hoping to sell into the government and critical industries, there’s still the problem of holding companies accountable for any damage resulting from insufficient security.
In the case of the SolarWinds breach, data belonging to U.S. citizens, companies, and government entities was accessed by a group believed to be connected to Russia's foreign intelligence service. The public still doesn't know what the attackers intend to do with that data. The stakes are high. Domestic vendors are far easier to hold accountable than foreign intelligence services, and governments are looking for ways to keep these kinds of attacks from happening.
This case from the SEC is one of those ways. The current complaint is that SolarWinds misrepresented its security posture to investors and neglected to protect its key assets, claims the SEC says are supported by the internal communications of SolarWinds employees. We imagine governments will find ways to hold vendors accountable through other three-letter agencies in the future, but for now, they're starting with the SEC.
This is bigger than SolarWinds—the government is sending a message to software companies everywhere. And the SEC isn’t coy about this fact. The official announcement quotes the SEC’s director of enforcement, saying that the case “underscores (their) message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
In the future, we can expect governments to apply more pressure on software companies to clarify their security positions and satisfy rising security standards—or pay the price.
2. This is the CISO’s moment in the spotlight
While this isn't good news for Timothy Brown, it is good news for CISOs and other cybersecurity leaders who have been vying for more resources all this time. The SEC is pursuing "an officer and director bar against Brown," which would prohibit him from serving as an officer or director of a public company. A personal sanction aimed at a security leader over his company's controls and disclosures gives CISOs in the United States concrete leverage to press organizational leadership for stronger security measures.
The argument for better security has moved from "We need to improve security" to "We need to improve security, and I'm not willing to be personally named in an enforcement action if we don't." (The SEC's case is a civil action seeking penalties and a bar from serving as an officer, not a criminal prosecution, but a personal sanction of that kind is career-ending all the same.)
For cybersecurity leaders who have already prepared a security roadmap, now is the time to push for it. The SEC case gives you more leverage than you had before, because your organization now has to choose between increasing security and risking regulatory enforcement. Competent and trustworthy cybersecurity leaders can press for better security or threaten to resign, a situation no tech company will want to explain to its investors.
3. Software companies might have to rethink their threat modeling
Most companies have already done some threat modeling, and it forms the justification for their internal security roadmap. This SEC case is a wake-up call: it's time to revisit how the organization sizes up and mitigates threats.
Many organizations assumed in their threat modeling that they would not be targeted by nation-states, and that if they were, the attack would be treated as beyond any vendor's reasonable control. Think again. The attacks on Equifax and now SolarWinds have shown that nation-states are interested in far more than we assumed, and the U.S. government is enforcing accountability.
If this is your situation, you can take three immediate steps to begin strengthening your security position.
Understand the three levels of hackers your company faces
Not all cybercriminals are created equal, but you need to be prepared to defend your applications against every type of adversary:
- "Script kiddies." These are the petty, street-level cybermiscreants who run opportunistic, one-off attacks. They are usually small-scale con artists, using publicly available tools against known technical and social weaknesses to do quick, small jobs.
- Organized cybercrime. These actors are equipped with more financial, technological, and human resources and commit cybercrime at scale, usually to steal money or extort it. Organized cybercrime may attack foreign and domestic victims. Depending on whom they're attacking and where they're attacking from, they may face no domestic legal consequences, as some governments are happy to turn a blind eye when their own hackers target foreign entities.
- Nation states. Cyberwarfare is the new front for international conflict. Nation states may employ hackers to spread misinformation, spy on other nations, or even tamper with financial systems and elections. These actors have access to vast resources that help them penetrate systems and conceal their activities.
While the first two types of actors have been on the radar for a long time, software vendors need to understand that the third type is active as well. Security vulnerabilities aren't just being exploited for money; they're being exploited to further the interests of hostile states. Neglectful software security can lead to national security problems, and the vendors may be held liable.
Bolster your security model in reasonable ways
Most security models today fall between two extremes: perimeter security and zero-trust security.
Perimeter security puts all security measures at the outer edge of your organization; it focuses on keeping the wrong people from getting "in." If we were to compare this to securing a home, perimeter-only security is like building a wall around your property and requiring anyone who comes through the gate to verify their identity, but leaving the doors and windows of your house unlocked.
Zero-trust security applies stringent controls to every single aspect of your organization. No one and nothing gets special treatment: every request is authenticated and authorized regardless of where it comes from, and being inside the network earns no trust by itself. In the home security analogy, zero-trust security is like requiring proof of ID and a retinal scan to open not only the front gate but also any door, cabinet, or drawer in your home.
For most organizations, the practical solution is somewhere in between. Perimeter-only security is not enough, and a complete zero-trust rollout is often impractical in the short term. The key is layering controls throughout your organization to protect key social, physical, and digital assets (segmenting networks, enforcing least privilege on accounts and build systems, and authenticating internal service-to-service calls rather than trusting the network) so that trusted users get quick, reasonable access while anyone who doesn't belong there meets hurdle after hurdle.
Mitigate known vulnerabilities
Attackers are smart. They know that software companies have two major soft spots: their open-source libraries and their people.
People are vulnerable to all kinds of artful ruses that can give attackers access to confidential information. According to one 2019 PurpleSec survey, 98% of all cyber attacks relied on social engineering (see page 3 of Higher Education Social Engineering Attack Scenario, Awareness & Training Model from Sacred Heart University), a headline figure that, like most aggregate breach statistics, should be read as indicative rather than precise. Training your people to spot potential threats and protect themselves and their credentials should be an ongoing endeavor at any software organization.
Attackers also know that most companies build their applications on open-source libraries, and when those libraries aren't kept up to date, they accumulate publicly known vulnerabilities. Companies often allow known vulnerabilities to linger in their code or, worse, continue to actively download vulnerable library versions. (Sonatype estimates that about 10% of downloads from Maven Central in 2023 had known vulnerabilities.) This is the juiciest opportunity for cybercriminals, and as more people join the ranks of cybercrime, you can expect software supply chain attacks to increase too.
Humans will always be vulnerable, but our code doesn't have to be. One way to mitigate this class of supply chain risk is to invest in a strong software composition analysis (SCA) tool, which inventories the third-party components in your builds, matches them against vulnerability databases, helps you prioritize what actually matters (a vulnerable library is only exploitable if the vulnerable code is reachable from your application), and gives your developers guidance on how to fix each finding. One caveat: SCA addresses known vulnerabilities in the components you consume. The Orion compromise itself was malicious code inserted into SolarWinds' own build process, which SCA does not detect, so SCA complements rather than replaces controls over the integrity of your build pipeline.
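To make the SCA idea concrete, here is a stripped-down version of what such a tool does at its core: read the dependency pins from a manifest, match each one against advisory records carrying "introduced" and "fixed" version ranges, and report the first fixed release as remediation guidance. This is an added illustration written for this article, not MergeBase's code or anyone else's product. Every package name, version and advisory ID in it is constructed for the example and corresponds to no real library or CVE; the manifest is a made-up requirements.txt, and the version comparison deliberately ignores pre-release tags. It also shows two situations a real scan has to handle: a finding with no patched release available, and an unpinned dependency that cannot be evaluated at all.

```python
"""Minimal software-composition-analysis (SCA) check: match pinned
dependencies against a vulnerability feed and report what to upgrade to.

All package names, versions and advisory IDs below are CONSTRUCTED for
this illustration; they are not real packages or real CVEs.
"""
import re

# Constructed advisory feed, shaped like OSV-style "introduced"/"fixed"
# ranges: a version is affected if introduced <= version < fixed.
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "acme-json", "severity": "critical",
     "introduced": "1.0.0", "fixed": "1.2.5",
     "summary": "unsafe deserialization of untrusted input"},
    {"id": "EXAMPLE-2023-0002", "package": "acme-json", "severity": "medium",
     "introduced": "0.9.0", "fixed": "1.3.0",
     "summary": "denial of service on deeply nested documents"},
    {"id": "EXAMPLE-2022-0042", "package": "acme-http", "severity": "high",
     "introduced": "2.0.0", "fixed": None,
     "summary": "header injection; no patched release yet"},
]

# Constructed requirements.txt-style manifest (hypothetical packages).
MANIFEST = """\
acme-json==1.2.3
acme-http==2.4.1
acme-log==4.0.0
acme-yaml>=5.0
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """'1.2.3rc1' -> (1, 2, 3). Keeps the leading digits of each dotted
    component and ignores pre-release tags (a simplification)."""
    parts = []
    for comp in text.strip().split("."):
        m = re.match(r"\d+", comp)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """Compare dotted versions, padding the shorter with zeros so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(version, adv):
    """True if introduced <= version < fixed (or version >= introduced when no fix)."""
    v = parse_version(version)
    if version_lt(v, parse_version(adv["introduced"])):
        return False
    return adv["fixed"] is None or version_lt(v, parse_version(adv["fixed"]))


def parse_manifest(text):
    """Return {name: pinned_version_or_None}. Only exact '==' pins are evaluable;
    anything else (ranges, bare names) is recorded with None."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        pin = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if pin:
            deps[pin.group(1).lower()] = pin.group(2)
            continue
        name = re.match(r"[A-Za-z0-9_.\-]+", line)
        if name:
            deps[name.group().lower()] = None
    return deps


def scan(manifest_text, advisories=ADVISORIES):
    """Return (findings sorted worst-first, names that could not be checked)."""
    deps = parse_manifest(manifest_text)
    findings, unpinned = [], []
    for name, version in deps.items():
        if version is None:
            unpinned.append(name)
            continue
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({
                    "package": name, "version": version, "id": adv["id"],
                    "severity": adv["severity"], "summary": adv["summary"],
                    # Remediation guidance: the first fixed release, if any.
                    "upgrade_to": adv["fixed"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["package"]))
    return findings, unpinned


if __name__ == "__main__":
    found, unchecked = scan(MANIFEST)
    for f in found:
        fix = f"upgrade to {f['upgrade_to']}" if f["upgrade_to"] else "NO FIX AVAILABLE"
        print(f"{f['severity'].upper():8} {f['package']}=={f['version']} "
              f"{f['id']}: {f['summary']} -> {fix}")
    for name in unchecked:
        print(f"UNPINNED {name}: pin an exact version so it can be checked")
```

Run against the constructed manifest, the script reports the critical acme-json finding first, the acme-http finding with no available fix second, and the medium acme-json finding last, and it flags acme-yaml as unpinned. Real SCA tools go much further (they resolve transitive dependencies from lockfiles and build artifacts, fingerprint libraries that were vendored or renamed, and weigh reachability and exploitability when ranking), but the matching logic and the "upgrade to the first fixed version" guidance are the same.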
Prepare for the future of cybersecurity
Cybercrime is on the rise, but so are government efforts to counter it. For cybersecurity leaders who have seen the writing on the wall for some time, the SEC's case against SolarWinds can fuel efforts to invest in stronger security measures for both commercial and internal software applications. For companies that have not yet prioritized security, the pressure is increasing: in addition to facing attackers, negligent companies may soon face enforcement action from government authorities.
MergeBase is a premium software composition analysis (SCA) tool that helps organizations find, prioritize, and fix known vulnerabilities in their software supply chains. MergeBase is known for its elite accuracy and developer guidance—organizations often switch to MergeBase to alleviate the strain of false positives and speed up the vulnerability remediation process. If you want to see how MergeBase can help you secure your software supply chain, start a free trial today.