suid · 2 years ago
I think the key here is that SolarWinds' C-staff deliberately downplayed the severity of the attack, and were very late in informing customers and regulatory agencies of the severity of the attack.

I.e. they are being prosecuted not because they were "incompetent and got hacked", but that they then "tried to cover it up", which is where the SEC comes in (illegal stock manipulation via false or incomplete release of public information).

rkagerer · 2 years ago
> deliberately downplayed the severity of the attack

You mean like UPS just did?

https://news.ycombinator.com/item?id=36439033

bbarnett · 2 years ago
> I.e. they are being prosecuted not because they were "incompetent and got hacked", but that they then "tried to cover it up"

Capone was taken down for tax evasion. Any tool we have is a good one.

And the more shareholders and board members feel lax security could lead to a bad path (eg hiding the result), the better for all.

I can hardly wait for the first civil lawsuits, for any such incident, by shareholders over negligence and loss of value.

I can hardly wait until everyone had to provide a license validation for all code they use, so we can finally put node crap to rest.

philipwhiuk · 2 years ago
> I can hardly wait until everyone had to provide a license validation for all code they use, so we can finally put node crap to rest.

I don't see a reason Node dies faster than say, Java, or Rust or ...


eganist · 2 years ago
The more these happen, the more likely it'll be that the role of CISO will need to be compensated commensurate to risk.

And report up to the CEO.

But it also depends on the nature of the action that's about to come down. My guess is something to do with misrepresentation of SolarWinds' security posture.

toomuchtodo · 2 years ago
CISO needs to report to either chief risk officer (edit: who reports to the board) or the board directly imho. Anyone else (CXO) has incentive to apply pressure at odds with the role, or not take compliance requirements or regimes seriously. Checks and balances.

@dvt: you can nudge with legislation (or in this case, executive branch rule making), we’re just at the initial phase of getting there: https://www.axios.com/2023/04/07/company-boards-sec-cybersec... | https://www.sec.gov/news/press-release/2022-39 | https://www.forbes.com/sites/bobzukis/2022/04/18/the-sec-is-...

Statute and rule making, like corporate bylaws, are mutable, and must adapt to the risk landscape.

(thoughts and opinions my own, interim deputy CISO in finance)

kortilla · 2 years ago
Don’t @ people down thread of you. It makes for a really shitty reading experience.

dvt · 2 years ago
> CISO needs to report to either chief risk officer (edit: who reports to the board) or the board directly imho.

I mean, this is all company bylaws, you can't seriously legislate this. But in any case, C-execs do have skin in the game (particularly if investigated by the SEC). They're usually insulated, but if non-compliant (or grossly negligent), directors can be personally liable.

eganist · 2 years ago
Who would the CRO report to?

candiddevmike · 2 years ago
Or should the CISO be an employee of a federal agency?

Edit: wish folks downvoting this would comment too. We're supposed to be curious here.

halJordan · 2 years ago
Comments like these implicitly deny the existence of heavily regulated industries.

When refusal to take cybersecurity seriously results in 1/3 of Americans losing their identity, or when refusal to take cybersecurity seriously results in what happened to SolarWinds, they should be subjected to a regulatory scheme that will enforce seriousness.

3np · 2 years ago
I don't think that the PRC is a role-model here.

ethbr0 · 2 years ago
For systemically-important tech firms?

There should definitely be a government inspector general empowered to poke around.

SolarWinds was a sophisticated operation, but there are a ton of security orgs for very important companies that are just inept, underfunded, or both. And absent mandated ability to inspect, they're not going to get the harsh spotlight of "unfuck this now" they deserve.

morpheuskafka · 2 years ago
Typically the company would always have its own in-house compliance organization and executive, even if there is extensive, on-site federal regulation (like the banking sector). So that would probably look like the company having its own CISO, but some of the technical decisions/changes being approved by or required by a regulatory agency.

GartzenDeHaes · 2 years ago
CISOs are often hired for the purpose of having an executive head to cut. They'll commonly report to the CIO, but have C-suite titles or employee designations (at-will in some states). It's a stressful position with a lot of legal responsibility and little organizational influence and authority.

taeric · 2 years ago
Wow, Matt Levine's take that "everything is securities fraud" is rather amusing to apply here. I'm curious what the actual charges will be.

duped · 2 years ago
I mean as "selling a quarter billion dollars of stock before publicly disclosing the cyber crime of the century that you likely knew about for quite some time" is less "anything" and more "trading on material non-public information."

walrus01 · 2 years ago
What's most amazing is they apparently thought this wouldn't be noticed by the SEC? Execs of a company of that size absolutely should know better.

taeric · 2 years ago
Ha! On this, I will blame the bad reporting, then. This story seems to focus on response to a security event. Do you have a pointer to the trades that are in question?

Edit: Notably, where did you get that quote? I'm not seeing it in this story.

cosmiccatnap · 2 years ago
No amount of financial cost is sufficient for these kinds of things if you wish to truly prevent them in the future. There need to be associated criminal charges for the individuals responsible. We are all still suffering from the Equifax breach all these years later, and it won't be long before another Enron shows itself, and that is simply because there were never any real consequences for the people primarily responsible.

user6723 · 2 years ago
We live in an age of binary reproducible builds and anything worth running is open source.

Windows-centric orgs barely know software from their ass.

If your org is dumb enough to run closed source software for core IT functions, or you run Windows on bare metal, or don't have TPM chips and secure boot enabled, you kinda deserve what you get.

miguelazo · 2 years ago
Couple of side notes that are very interesting:

Palo Alto detected the SolarWinds problem early, but failed to notify the Cyber Threat Alliance which it spearheaded, significantly exacerbating the impact: https://www.cfr.org/blog/most-tools-failed-detect-solarwinds...

The PE firm that basically ran SolarWinds into the ground (Thoma Bravo) bought Proofpoint in 2021, not too long after the debacle became public.

tolstoshev · 2 years ago
Thoma Bravo is poison. They took over LogRhythm when I was working there and ruined it. If your employer is ever bought by them, polish your resume.

miguelazo · 2 years ago
Would mark a major escalation in executive accountability... Still no criminal charges, though.

>“Sunburst was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before,” a company spokesperson told Cybersecurity Dive in an emailed statement

grun3 · 2 years ago
Wasn't the root cause of this attack someone setting a prod system password to 'solarwinds123'? Not very sophisticated nor unforeseeable.

Not just any prod system... the one that distributed their trusted updates to their entire customer base I believe.

mac-chaffee · 2 years ago
No, that was a separate incident: https://www.theregister.com/2020/12/16/solarwinds_github_pas...

From what I can tell, all we know is that the attackers definitely got into their build system (since the trojan was signed), and we know they moved laterally through exploits in various Microsoft products: https://en.wikipedia.org/wiki/2020_United_States_federal_gov...
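The point in the comment above (a signed trojan implies the build or signing pipeline itself was reached) and the earlier remark about binary reproducible builds fit together in one defender-side check. The following is an added example for this thread, not code from any commenter, from SolarWinds, or from any real build tool: a signature check combined with an independent rebuild of the same audited source. The source tree, the HMAC stand-in for a code-signing key, the implant bytes and the timestamps are all constructed for the demonstration.

```python
"""Added example (not from the thread): a reproducible-build cross-check.

A valid code signature only proves the artifact passed through the vendor's
signing step. If the build or signing pipeline itself is compromised, the
implant is signed too. Rebuilding from the audited source on an independent
machine and comparing digests catches that case, but only when the build is
deterministic. Everything below (source tree, key, implant) is constructed.
"""
import hashlib
import hmac
import io
import zipfile

# Constructed source tree standing in for an audited release checkout.
SOURCE_TREE = {
    "app/main.py": b"print('hello')\n",
    "app/VERSION": b"1.0.0\n",
}

# Pinned timestamp (zip epoch). Real reproducible builds pin SOURCE_DATE_EPOCH.
FIXED_TIMESTAMP = (1980, 1, 1, 0, 0, 0)

# Constructed stand-in for the vendor's code-signing key (HMAC for simplicity).
SIGNING_KEY = b"constructed-vendor-signing-key"


def build(source, timestamp=FIXED_TIMESTAMP, implant=b""):
    """Package a source tree into a zip archive.

    Entry order is sorted and every timestamp is pinned, so two builds of the
    same source are byte-identical. `implant` models a file inserted by a
    compromised build pipeline; the source tree itself is untouched.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        entries = dict(source)
        if implant:
            entries["app/_helper.py"] = implant  # hypothetical implant path
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sign_digest(digest_hex):
    """Vendor side: sign the artifact digest (HMAC stands in for a signature)."""
    return hmac.new(SIGNING_KEY, digest_hex.encode(), "sha256").hexdigest()


def signature_valid(digest_hex, signature):
    return hmac.compare_digest(sign_digest(digest_hex), signature)


def assess_release(shipped, signature, reproduced):
    """Defender side: signature check plus comparison with an independent rebuild."""
    digest = sha256_hex(shipped)
    if not signature_valid(digest, signature):
        return "reject: signature invalid"
    if digest != sha256_hex(reproduced):
        return "investigate: signature valid but independent rebuild differs"
    return "accept: signature valid and build reproduced"


def run_scenarios():
    """Three constructed releases, each verified against the same clean rebuild."""
    clean_rebuild = build(SOURCE_TREE)
    results = {}

    # 1. Honest release: signed and byte-identical to the rebuild.
    honest = build(SOURCE_TREE)
    results["honest"] = assess_release(honest, sign_digest(sha256_hex(honest)), clean_rebuild)

    # 2. Pipeline compromise: implant added after checkout, then signed as usual.
    tampered = build(SOURCE_TREE, implant=b"# implant stand-in\n")
    results["tampered"] = assess_release(tampered, sign_digest(sha256_hex(tampered)), clean_rebuild)

    # 3. Honest but non-deterministic build (wall-clock timestamp): the check
    #    cannot tell it apart from case 2, which is why determinism matters.
    nondet = build(SOURCE_TREE, timestamp=(2023, 10, 30, 12, 0, 0))
    results["nondeterministic"] = assess_release(nondet, sign_digest(sha256_hex(nondet)), clean_rebuild)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:17s} {verdict}")
```

The third scenario is the practical caveat: a rebuild that differs only because of embedded timestamps produces the same "investigate" verdict as a real implant, so the cross-check is only as useful as the build's determinism.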

donmcronald · 2 years ago
Haha. I didn't follow it. After a bit of searching I had to laugh. They got owned by the 'hunter2' meme and call it a highly sophisticated and unforeseeable attack.

miguelazo · 2 years ago
Exactly... the initial foothold was a joke. And the bottom line is that important management folks were warned about serious issues many times.

dragonwriter · 2 years ago
> Would mark a major escalation in executive accountability... Still no criminal charges, though.

If there was a criminal referral they wouldn’t announce it, and any charges would usually significantly trail civil enforcement action, judging from every other SEC civil + DOJ criminal action I’ve seen.
