Export Compliance Daily is a Warren News publication.
‘Global Battlefield’

SolarWinds’ Liability Under SEC's Theories ‘Could Empower Threat Actors,’ Say CISOs

An organization’s information security team, led by its chief information security officer, “stands on the front lines against cyberattacks,” said roughly four dozen current and former CISOs in an amicus brief Friday (docket 1:23-cv-09518) at the U.S. District Court for Southern New York in Manhattan in support of SolarWinds’ motion to dismiss the SEC’s amended securities fraud complaint (see 2403250039).

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

The SEC is seeking to hold SolarWinds and its CISO, Timothy Brown, accountable for not properly disclosing the Russian government’s massive December 2020 cyberattack on the company and the security vulnerabilities that led to it. Those submitting the amicus brief in support of SolarWinds’ motion to dismiss included former HP CISO Joanna Burkey; Amit Elazari, former Intel head-cybersecurity policy; and Brett Wahlin, former Activision Blizzard and Amazon Prime Video CISO.

Defending against cyberattacks from criminal enterprises, insiders, non-state actors and hostile foreign governments, CISOs and their teams “serve as engineers safeguarding IT infrastructure,” said the brief. When a cyber incident occurs, CISOs serve as “emergency responders,” assessing and containing the damage and “protecting organizational and third-party assets,” it said.

As the risk of cyberattacks continues to grow, CISOs draw on “inherently flexible cybersecurity frameworks to iteratively improve their organizations’ practices” and mitigate the attacks’ “frequency and severity,” said the brief. Yet in the war between cyberattackers and defenders, the attackers “have a structural advantage,” it said.

Attackers need to find only one “exploitable weakness,” using a limitless array of strategies and tools, while organizations “must defend against evolving threats on multiple fronts,” said the brief. As the Cybersecurity and Infrastructure Security Agency recognizes, “not even the best-resourced CISO can prevent 100% of sophisticated attacks,” it said.

The four dozen CISOs “represent entities and individuals with vast experience on the front lines of this global battlefield,” said the brief. They submitted the brief “based on their deep concern about the negative impact of the SEC’s claims” against SolarWinds, it said. Much like the SEC’s original complaint (see 2312130014), its amended complaint disregards the customs and practices of the cybersecurity profession and the “limitations of the CISO position,” it said.

The agency proposes to sanction SolarWinds and CISO Brown, “based on internal communications aimed at improving cybersecurity,” plus alleged inadequacies in public filings, “which CISOs are not typically responsible for drafting or approving,” said the brief. The amended complaint also cites SolarWinds’ alleged failure to follow the National Institute of Standards and Technology “cybersecurity framework,” even though that framework “is inherently flexible and non-prescriptive,” it said.

Liability under the SEC’s theories “could empower threat actors,” chill internal communications about cyberthreats and “exacerbate the already severe shortage of cybersecurity professionals,” said the brief. It also could “deter collaboration” between the private sector and the government, it said. The four dozen CISOs submit that the SEC’s claims, if allowed to proceed, “could significantly harm U.S. cyber- and national defense,” it said.