It’s been more than two years since incident response firm Mandiant disclosed the first details of a massive supply chain attack that targeted IT software firm SolarWinds and hundreds of the company’s most high-profile customers. A recent in-depth piece in Wired finds that federal officials have only begun to crack the surface of what happened.
The investigations by various U.S. government agencies into the complex technical and espionage aspects of this attack will continue for years to come. There are, however, other inquiries examining the actions of SolarWinds itself and the company’s executives, including one currently overseen by the U.S. Security and Exchange Commission.
In the past several weeks, CNN and others have reported several SolarWinds executives, including the company’s chief information security officer, have received so-called Wells notices from the commission. While these notices are not official changes, the documents could indicate that the SEC believes there have been violations of federal securities laws and civil enforcement action targeting certain executives and individuals may follow.
In a June 23 SEC filing, SolarWinds acknowledged its CISO and CFO have each received Wells notices from the commission.
The disclosure of the Wells notice has piqued the interest of the larger cybersecurity community. On LinkedIn, Jamil Farshchi, the CISO of Equifax, wrote that these notices are typically sent to CEO or CFOs when the SEC is investigating a Ponzi scheme or accounting fraud. The fact that SolarWinds’ CISO received one could mean material information related to the incident was not properly disclosed.
“If this is about disclosure, it shows the SEC isn’t sitting around waiting for cyber regs to be issued,” Farchchi wrote. “They’re taking action today. And for all of us in security, it means the light is shining on us brighter than ever before.”
Other experts and security insiders also note the SEC’s SolarWinds investigation could have profound impacts on the role of the CISO as well as how tech and security professionals approach their job.
“Traditionally, our primary focus has been on erecting formidable technical defenses and fostering a resilient security culture,” Craig Jones, vice president of security operations at Ontinue, recently told Dice. “However, there is an urgent need to consider the broader legal and ethical dimensions of our work, especially in terms of our actions during and after a security incident.”
Regulations Are Changing Cybersecurity
While enterprises and government agencies dealt with cyber threats for years, SolarWinds changed the game for the entire industry, including CISOs and their teams.
The SolarWinds supply chain attack, which may have started as early as 2019, affected about 100 companies and at least nine federal agencies, according to numerous reports. The attackers, believed to be associated with Russia’s government, compromised a software update to SolarWinds’ Orion network management product, which gave them access to thousands of potential businesses and government agencies.
The disclosures about SolarWinds led to multiple government reforms and rule changes designed to improve cybersecurity. It’s not the only incident, however, that has put CISOs and their teams on notice. The former chief security officer of Uber was sentenced in October 20222 to three years of probation for his role in covering up a data theft involving 50 million customers.
Besides Solarwinds, SEC is preparing new rules around security incident disclosures. The new regulations have been delayed, however, and are expected to publish in October.
Following incidents such as SolarWinds or the Colonial Pipeline ransomware attack, experts noted that newer and more strict regulations related to cybersecurity were inevitable.
“While most do not like regulations, they are what happens when corporations do not voluntarily regulate themselves as some feel they should,” Timothy Morris, chief security advisor at Tanium, told Dice. “All regulations have consequences if they're not adhered to. Like it or not, it is often in the regulator’s eye as to how and when those are enforced. Typically, fines come when there is negligence or unethical behavior. Civil and criminal action is reserved for the worst offenders.”
In turn, additional regulations show that the skills CISOs and their teams need are changing. No longer is a strict technological background the only qualification that potential employers look for in a candidate.
“The potential legal fallout for these executives suggests that technical expertise, while vital, is only part of the equation,” Jones said. “Our teams must not only be thoroughly versed in the intricacies of the cyber threat landscape but also possess an understanding of the legal and ethical implications of their actions. This development underscores the need for an integrated approach to cybersecurity, where technology, governance and ethical conduct intersect.”
For large organizations, additional regulations and rules related to cybersecurity could lead to more red tape in the security decision-making process. In turn, this could open the door to more vulnerabilities. Whatever happens, enterprises need clearly written standards and leaders who can properly follow those guidelines, said Andrew Barratt, vice president at security consulting firm Coalfire.
“If this does go down this path, there will need to be very clear standards that organizations are held accountable to, not just from a decision-making perspective, but also what is considered an acceptable risk or an acceptable set of technical mitigations,” Barratt told Dice.
Rethinking Cybersecurity Skills and Training
What seems clear from looming changes due to greater regulations and enforcement is that CISO and tech pros will need additional training around legal and ethical issues to go along with any technical knowledge.
“Our colleagues must be well-versed in relevant legal and ethical standards and understand how these principles apply to their everyday responsibilities,” Jones added. “This includes understanding the legal and ethical implications of their actions during a security incident, the importance of timely and accurate incident reporting and the need for transparency to maintain trust with investors and the public.”
There is also likely a need for security professionals to develop soft skills such as communication to ensure that, during a cyber incident, tech teams are capable of effectively conveying vital information to various stakeholders, making informed decisions under pressure, and navigating the complexities of their duties with integrity, Jones said.
Private companies might also have to raise CISO salaries to attract leaders who have the right technical and governance skills as well as those who are willing to take on additional risks.
“Actions like this will create a higher demand for leaders that have the necessary cybersecurity, governance and managerial talent and skills to build and run a world-class security organization,” Morris added. “That should have an impact on salaries, because of the current cybersecurity talent shortage, plus finding leaders that are willing to take on the additional pressures and responsibilities of these roles.”
On the flip side, these changes might make CISOs and their teams even more valuable to the organization, said Piyush Pandey, CEO of security firm Pathlock.
“Positions like the CISO become more important as they're not just responsible for the technical aspects of securing an organization, but also for instilling a culture of security and compliance awareness,” Pandey told Dice. “From a hiring perspective, this might mean looking for candidates who not only have strong technical skills but also a good understanding of cybersecurity policy, regulatory compliance, risk management and communication.”