Lessons From SolarWinds: A Case Study in Negligence and Deception
Luis Miguel P.
Technical Program Manager | CISSP | CCSP | GRID | ITIL Certified | OT Security Specialist
The SolarWinds saga is a Russian nesting doll of cybersecurity failure, an exposé of systemic inadequacies, and a testimonial of corporate misdirection. When the U.S. Securities and Exchange Commission (SEC) complaint against SolarWinds and its CISO, Timothy G. Brown, went public in October 2023, it read like a suspense novel, complete with foreshadowing and plot twists, only with higher stakes and real-world consequences. There were warnings, glaring ones, dating back years, and they fell on deaf ears. Let's break it down.
Ignored Warnings: The Ominous Prelude
From as far back as August 2018, the alarms were going off, yet they were conveniently ignored. A known vulnerability went unpatched and undisclosed. Fast forward to September 2019, and internal emails spotlight gaping holes in SolarWinds' authentication controls: the company's stated password requirements were not being enforced, and the basic tenets of cybersecurity were treated as optional. Then came the internal presentations of October 2019 and April 2020, each documenting how far the company's security and compliance posture fell short of what it told the outside world. This wasn't a single lapse; it was an escalating pattern of disregard for best practices.
Deceptive Practices: The Plot Thickens
In an intricate web of falsehoods, SolarWinds and Brown are alleged to have engaged in misstatements and omissions to paint a rosy picture of their cybersecurity posture. The misleading statements went not only to the general public and investors but also to customers, including cybersecurity firms that asked pointed questions. When the attack on the Orion platform came to light, they downplayed its severity. It's as if they were trying to cover a gaping wound with a band-aid, hoping no one would notice the blood seeping through.
Failing to Act: The Unraveling
Even though, as the SEC complaint shows, they knew about the vulnerabilities, SolarWinds and Brown showed a striking failure to investigate or remediate them. It's like knowing there's a gas leak and failing to call the emergency services or even evacuate the building. This wasn't just poor judgment; it was a failure of the most basic duty of care owed to their shareholders, their customers, and indeed the national security infrastructure that ran their software.
The Inescapable Lessons
1. Transparency Matters: Hiding problems never solves them. It only postpones the inevitable and magnifies the damage.
2. Proactivity is Non-Negotiable: Don't wait for a full-blown crisis to react. Address vulnerabilities as soon as they come to light.
3. Governance Over Compliance: Creating a culture of security goes beyond ticking boxes. It's about systemic awareness and commitment from the top down.
4. No Room for Ego: Cybersecurity is an evolving landscape. Pretending to know it all and refusing external help or oversight is a recipe for disaster.
5. Accountability is Key: When things go wrong, and they will, owning up to mistakes and taking immediate corrective action is not optional; it's obligatory.
The SolarWinds incident is a textbook example of what not to do in cybersecurity. It's a wake-up call, and heaven help us if we hit the snooze button on this one. The code is broken in more ways than one, and the call to fix it is urgent. We've been warned. Let's act.
SEC complaint against SolarWinds and its CISO: https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf
At the Corner of Cyber Risk and Business Success.
1 year
I see this as a very clear cyber risk management message for leadership and the company culture: Get transparency on the agenda and eliminate subjective / controlled narratives about the true state of the cyber resiliency posture. Ironically this very incident led to a lot of victims amongst the clients / supporters of the FAIR risk mgmt. approach. I joined Maxxsure #Cyberriskmanagement almost 5 years ago to contribute to building a data driven cyber risk management solution that would calculate financial loss potential, provide cyber insurance coverage analytics as well as identify, quantify and manage cyber risk factors across the entire people, process and technology spectrum of the operation. We can't fix "a fraud mentality", but for those who truly want to be a good operator our solution can help you create a cyber risk registry that provides hard evidence of due care/diligence as a defense against negligence claims. If you're concerned about how to implement and/or mature your cyber risk management program to be compliant with the new SEC cyber risk reporting requirements then don't hesitate to reach out.