ISMG Editors: Fallout for CISOs in SEC-SolarWinds Probe
Also: Number of MOVEit Breach Victims Rises; Highlights From InfoSecurity Europe
Anna Delaney (annamadeline) • June 30, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the potential fallout from an SEC investigation of SolarWinds and its CFO and CISO, why the number of individuals affected by Clop's campaign against MOVEit is on the rise, and highlights from InfoSecurity Europe.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Michael Novinson, managing editor, ISMG business; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discussed:
- The fallout for security leaders from the U.S. Securities and Exchange Commission's investigation of SolarWinds CFO Bart Kalsu and CISO Tim Brown for potential violations of securities laws in their response to a high-profile software supply chain cyberattack in 2020;
- Why more victims of the Clop ransomware group's supply chain attack against popular file transfer software MOVEit continue to come to light;
- Key takeaways from InfoSecurity Europe's annual conference, which was held in London last week.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the June 9 edition on how Verizon's DBIR reveals a surge in BEC scams and the June 16 edition on the changing nature of the security profession.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney and this is our weekly editorial snapshot of the latest cybercrime trends and information security stories. I'm delighted to be joined today by Mathew Schwartz, executive editor of DataBreachToday and Europe, Tony Morbin, executive news editor of the EU, and Michael Novinson, managing editor for ISMG Business. Marvelous to see you all. And as Michael pointed out earlier, we're all outside today. Michael, you've got to start us off. You and your parrots, I guess.
Michael Novinson: Yes, indeed. I am at the Roger Williams Park Zoo in Providence, Rhode Island. I just went there with the family over the weekend, and during the summer, they do a twice-daily bird show at 11am and 2pm, where they let the birds fly around and narrate what they're doing. So this is an image from a previous purchase. Certainly a very colorful experience for one and all.
Delaney: Ah, very good. Did any talk to you? Say anything?
Novinson: No, I wasn't feeling moved by the birds. But they certainly did make a lot of noise.
Delaney: Great stuff. Tony?
Tony Morbin: Well, that's looking down on the ExCeL center, where I was with yourself last week at InfoSec Europe. So we'll be reporting back on what we saw.
Delaney: That is the dome behind you, isn't it?
Morbin: And then the dome over on my right shoulder; your left.
Delaney: Yes. Very good. Looking forward to catching up about that. Mathew, that's a beautiful scene behind you. We presume it's Scotland?
Mathew Schwartz: Yeah, thank you. This is Tayport. This is up near Dundee. There used to be a boat that would ferry people across the water here, but there's now a bridge in place, and you can walk across it and go on a bit of a ramble. So I got to do that recently. Nice long walk.
Delaney: Stunning. Well, it was English Wine Week here last week. I know you will know because you were celebrating too, weren't you? And to celebrate, all of the vineyards in Surrey are open to the public; they open their cellars. Surrey is in the southeast of England. And this particular vineyard is called Greyfriars, and it's in Guildford. And it was a great day. The sun was shining. It produces some excellent sparkling wines. I was very skeptical about English sparkling wines for a while, but I think they're improving year by year. And there was a band playing jazz and swing music, and it was called The Jazz and Tonics. So a really enjoyable day all around.
Morbin: We shut down. It was English wines.
Delaney: Well, you can always catch up this week. Well, Michael, starting with you, big news this week regarding the biggest security story of 2020: the SolarWinds breach, of course, which affected thousands of customers in government agencies and companies globally. Now, the U.S. Securities and Exchange Commission has put executives of SolarWinds, including the CISO and CFO, on notice that it may pursue legal action for violations of federal law in connection with their response to the incident. So tell us more, Michael, about how we actually got here.
Novinson: Absolutely. And thank you for the opportunity, Anna. So the SEC has been conducting an investigation really dating back to when this incident first became known to the world in late 2020. The first rumblings we heard of anything occurred in early November of 2022, when SolarWinds, which is a publicly traded company, disclosed to investors that SolarWinds, the company, had received a Wells notice, which is essentially a preliminary determination of wrongdoing, a preliminary determination of violating U.S. federal securities laws. And what they had said at that point was that it was in respect to cybersecurity disclosures and public statements as well as internal controls and disclosure controls and protocols. So that was put out in November. We hadn't heard much since then. And then in a classic Friday afternoon news dump at about 4:10pm New York time on a Friday, SolarWinds made an updated filing where, under a bunch of other information, they had indicated that now not only has SolarWinds, the company, received the Wells notice, but several current and former employees of the company received their own Wells notices saying that they, in particular, had violated federal securities laws. So two specific ones they called out were Tim Brown, who has been the chief information security officer there since 2017, as well as Bart Kalsu, who's been the chief financial officer since 2016. And they didn't mention any other names, but they did indicate there's other people - I think the one to watch would be Kevin Thompson, who had been the CEO there for nearly 15 years and left at the end of 2020, just weeks after the breach, after the cyber incident became known. His departure was unconnected to that. So it's really a black box.
I mean, SolarWinds is trying to get a bit on the offensive. They put out a pretty robust statement in response to it, saying that any potential action would make the industry less secure, having a chilling effect on cyber incident disclosure. And I know they also released a note that their current CEO Sudhakar Ramakrishna had written to employees. So I think they're really trying to get public opinion on their side. Obviously, the big challenge is we don't actually know specifically what Tim Brown or anybody else is being accused of. Jamil Farshchi, who's one of the best CISOs and best-known CISOs in the industry, at Equifax, had put up a LinkedIn post on Monday. He had noted that it was notable because he said it was the first time, he believes, that a CISO has ever received a Wells notice from the SEC. And in terms of what specifically they could be looking at around Brown, what he called out is failure to disclose material information. So there's obviously two questions. One is, is it around controls in terms of security, operational, financial controls before the incident? Was the sense from the SEC that SolarWinds was insufficiently prepared? Or is it about what was done after they became aware of the incident? His feeling is it's more likely to focus on the latter. As I guess we've seen so often in these cases, including Joe Sullivan, where the cover-up itself is perhaps worse than the crime. So the SEC isn't talking; it's hard to really know what they found or what they saw. But since there hasn't been any final action taken at this point, it seems like SolarWinds is trying to get some public opinion on their side in hopes of either getting, I guess, the SEC to perhaps drop some of these, or perhaps to get some more favorable terms as negotiations between the two sides continue.
Delaney: Michael, if the SEC does pursue legal action and prevails in the lawsuit, how might this impact the CISO going forward? Could the move by the SEC mark a new set of potential liabilities for CISOs?
Novinson: That's a great question. And I think that's really the question here. I do think that Lisa Monaco, who is the deputy attorney general for the United States government, was a keynote speaker at RSA Conference this year. She was being interviewed by Chris Krebs, the former head of CISA under the Trump administration. And he had asked her specifically about the Joe Sullivan case: you say you want public-private partnership and you want more incident disclosure, more information sharing, but you've had a very high-profile prosecution of a CISO; doesn't that fly counter to that? Well, Monaco was saying - she made a big point that this is a one-off, that we are not looking to go after CISOs who are doing the best they can in a difficult moment, that we're not... This is specifically a unique case where somebody had been dishonest with us, had committed egregious violations, and people doing the best they can in the heat of the moment isn't what they're looking to pursue. I mean, based on what we know at this time, SolarWinds kind of fits that. This isn't an Equifax 2017 where things weren't patched; it seems like this was actually a highly sophisticated attack. And they, certainly in 2021, became much more public about what they're doing. They've invested in security and in design initiatives, their CEO has spoken a lot, keynoted at RSA talking about it. So it seems like from most outsider observations that they've tried to be a good member of the community since this happened. So without knowing what the SEC found, it's hard to say. But I think in that way, it is surprising. SolarWinds didn't seem like the incident where the SEC would be looking to make an example out of the security leaders, just because what the Russian Foreign Intelligence Service did was so sophisticated and complex.
Delaney: Thanks, Michael. No doubt, we'll be continuing this conversation. So let's see what happens. Thank you. Matt, let's revisit a story you've been closely monitoring - the MOVEit hacks. You were speaking about the hacks a few weeks ago on this program. Now the victim count has gone over, I think, 130 with the addition of Siemens Energy, University of California, and Schneider Electric. We always knew it was going to be bad. Did we think it was going to be this bad? And can you share the latest?
Schwartz: That's a good question. We never know how bad it's going to be until the information stops trickling out. And it's not clear to me that we will have all of the victims be named publicly. We've seen a lot of victims in the United States get named. There's also a researcher, or researchers I should say, who have been looking at recent data breach disclosures and trying to read between the lines on some of that. Some of them have been saying we've suffered a data breach or it was due to a third party. As you've reported before, Anna, especially in the United States, the data breach notification rules are very tailored to inform individuals when their information goes missing. They're not so tailored to require the breached organizations to issue full and frank details about exactly what happened, which would be great for helping other potential victims better prepare themselves. So in some cases, it looks like this is being downplayed by organizations who maybe don't want to say that this was due to the MOVEit hack; hard to tell. But as you say, yes, at least 130 organizations, it seems so far, have been impacted, either directly, because they were using this file transfer software, MOVEit, made by Progress Software, or indirectly, because they were working with a third party that was using MOVEit. So this is the second time this year we've seen the Clop ransomware group wage what isn't, in this case, a ransomware crypto-locking malware attack. But in the broader sense, ransomware in terms of extortion: they hit these users of MOVEit, they didn't crypto-lock the systems, but they exploited this zero-day vulnerability that they were somehow able to find, in order to steal information from hundreds of organizations in classic ransomware group form. They have contacted all of the organizations they want to contact directly.
And they are trickling out a list of non-paying victims on the data leak site to try and force these victims to pay, or to stand as a warning to future victims who don't quickly pay that if they don't pay, they're going to get named and shamed and their stolen data dumped. So some interesting things that have come to light are that we know, for example, that there's a British payroll provider where the BBC was affected, also Boots, the chemist chain, amongst other organizations. The attackers claim they don't have any data from the BBC. Also, the U.S. Department of Energy was hit among some other government agencies in the United States and abroad. And they're also claiming they don't have anything from the U.S. government. They say they've proactively deleted data for about 30 organizations - this is Clop - and they don't get into details about who or how they deleted this data. But it looks like they're bending over backwards to make sure that governments will come after them for having stolen, or possessed, I should say, government data. They're trying to keep their noses relatively clean in terms of this only being corporate data that they're shaking down corporates for, seeking a ransom payment from these public and private businesses. Again, however, not governments; they're trying to appear to be non-partial. So again, they've claimed to have deleted this stolen data, especially when it comes to governments. I wouldn't believe that. If I was them, a Russian-language, Russian-speaking ransomware group, I would suspect they've already shopped it to the SVR, who had SolarWinds, the FSB, or any of their other friendly neighborhood foreign intelligence services.
Delaney: And what do we know about what's been done in terms of law enforcement action in order to stop Clop?
Schwartz: It would be pretty much ineffective. Anybody who gets breached loves to say we're working with law enforcement, but the barn door's already open; the horse, the cow, whatever was there, has bolted. Everyone says, "Oh, well, we've informed the FBI, we've informed CISA, we've informed whoever." Yes, they're probing it. And sorry, it's too late. All the data is gone. Now, if I was using a commercial file transfer utility, I would be a little concerned that if it hasn't been hit by Clop or another ransomware group that we know about yet, maybe it's going to be next. So some due diligence is definitely called for.
Delaney: Yeah, so any advice to those organizations in terms of what they should be doing to bolster defenses?
Schwartz: In terms of the file transfer companies, they should be doing very close code reviews. There was, again, this zero-day attack that was exploited by Clop, that Clop managed to find. Presumably, they hired some very skilled people to go looking for these sorts of things. They were exploiting just this sort of thing early this year in another file transfer product, FTA. And I suspect that they've been looking for it in other places, because with these supply chain attacks, as we've seen, they can find this exploit and amass hundreds of victims. If a handful of those victims pay, it might monetize the attack really nicely for them. So anybody else who develops this sort of software should be doing a really close code review. Progress Software, to its credit: these attacks happened around May 28, May 29. It had a patch out May 31. And then it patched another two zero-day vulnerabilities that weren't being exploited but that it did find after a very careful code review; those two patches came in by the middle of this month. Everybody else should be doing that too. Assume you've been breached. Work backwards.
Delaney: Excellent analysis. Thank you, Matt. No doubt the story continues. But that's it for now. Tony, we've got to move on to you. This time last week, as you mentioned, we were both at InfoSec Europe interviewing a number of security and privacy leaders and academics, analysts, technologists. And it certainly seemed like attendance was high, although we weren't on the vendor floor or at keynotes. But from what I gathered from interviewees, they said attendance was high, keynotes were very well received, lots of questions from everyone. I did hear that perhaps there were fewer vendors or marketing budgets weren't as extravagant as previous years, with the stalls being a bit more modest. But what do you think, Tony? Any highlights that stood out for you?
Morbin: I'm going to concur. I mean, although the official visitor stats haven't been published, the exhibitors at InfoSec Europe at ExCeL last week were reporting attendance back to pre-pandemic levels or even exceeding it. And it too was particularly busy on the exhibition floor. And as you said, the conference was also busy, standing room only in many of the keynotes. I guess one or two of the stands took a minimalist approach to quite large stands, which, you know, did compare, you know, financially probably unfavorably with some of the previous stands that we've seen in the past, the multilevel ones and so on. In addition, though, anecdotally, from people that I spoke to, there did appear to be a high proportion of actual senior buyers attending. I don't know the reason for that, but possibly due to people working largely from home using the occasion to get out and meet peers and suppliers. Of course, over the course of the show, you and I conducted nearly 40 interviews to get a feel for the themes and the issues. So this isn't a claim to be a scientific sample, but I'm going to give my impression based on the people that I spoke to. And obviously, Anna, you might not necessarily agree with this, and you can, you know, chime in if you disagree. The trends that we've been reporting at ISMG over the past year are still very much the issues that concern the delegates at InfoSec. However, despite a lot of talk about innovation, apart from AI implementation, advances did appear to be more incremental than revolutionary. And overall, it seemed to be more consolidation of the trends that we've seen over the past two years. Nonetheless, what were once common themes of "where are we going" have become the established norms of doing business, particularly the three core themes of resilience, risk and zero trust, topics whose profile was raised.
Obviously, it of course includes AI, but also API security, mobile security, privacy, regulation, supply chains, breach recovery and aligning security to business goals. Everyone's reacting to digital transformation, given the way the pandemic drove hybrid working, resulting in a shift from 40% of business applications in the cloud in 2020 to 70% predicted for next year by Gartner. And now, implementation of zero trust frameworks is underpinning most cybersecurity strategy today, and it's widely accepted in principle as the way to achieve resilience. But there did appear to be more resistance to actually using that phrase by vendors, now that it's more understood that there aren't actually any zero trust products. XDR and platform approaches to endpoint security to reduce product sprawl and complexity have now become commonplace. These are not the new kids on the block anymore. And while the new kid is generative AI, its integration into the cybersecurity ecosystem has been incredibly rapid. After last November's ChatGPT trial, generative AI arrived at scale. And now everything at the show was being described as both using AI to speed up automation of data handling and ready to tackle AI threats. I mean, to be fair to vendors, they have indeed become early adopters. But in part, that's because our attackers have to use it to find exploits and write malware as soon as it appeared. The AI discussion has moved on from saying that we shouldn't share our sensitive data with generative AI to how do we overcome the problems that could occur when using approaches that cut off AI's ability to learn from ourselves and others, taking away the collaboration of defensive approaches that the industry has been calling for. I mean, there are options including encryption and anonymization of data to enable analysis of trends without using PII. And there were increasingly new methods to utilize our services without sharing sensitive data.
There's generally support in principle that there should be more regulation on AI. But there are concerns that some jurisdictions are adopting a heavy-handed approach that could stifle innovation. Plus there's skepticism that regulation can be effectively policed, key issues to address through transparency and consent, as well as making the ability to understand the basis and fairness of decision-making algorithms clear to everybody. Yet, despite AI further speeding up automation, the biggest concern remains people: both the inability to recruit, train and retain sufficient numbers of suitably qualified professionals, but also the ongoing ability of criminals to circumvent technological barriers by socially engineering people to give away their credentials. Hence, the need for greater workforce-wide awareness of cybersecurity. But this isn't about blaming users; it's rather about ensuring the technology enables them to do the right thing without being a security expert. The education element obviously goes a lot further for both security professionals and enterprise leadership, with cybersec pros increasingly needing to take a risk rather than a tech approach to security, viewing it in the context of the organization's business goals. And that includes promoting the positive impacts of good risk controls, enabling organizations to take on appropriate risk securely. Conversely, business leaders, including the C-suite and every head of a line of business, now need to take cybersecurity on board as an area of their own responsibility that impacts their ability to deliver on their remit, whether that be profit, health care outcomes, or some other mission. So my takeaway would be, it is now understood how digital threats can impact us all. And as a result, implementing cybersecurity has become everybody's business.
Delaney: Well said, Tony. I couldn't have said it better myself. That was excellent. Definitely CISOs are talking about navigating the challenges, and the innovations such as AI and ML, and how our security could exploit the same technology. And as you said, API security. That's what I picked up on: supply chain risk, a lot of cloud sprawl discussions and the need to simplify security. And as you said, the human element, improving user education; that comes up time and time again, but we're still talking about it, and making sure we bridge the communication gap better when it comes to the executive and getting buy-in. Again, yawn, but they're still talking about it.
Morbin: I mean, you know, the data breach recovery, I didn't go a bundle on, but yes, that was very big. I didn't mention the mental health issues and some of those other personal issues that were being raised. And things like, you know, shadow IT, and particularly shadow IT, as you said, in the cloud, and the lack of visibility, and so on. So, you know, those were some of the other things, but I would say, yeah, the resilience was probably the key one, and the transfer to a risk approach. Yeah.
Delaney: And I was speaking with security veteran Paul Watts. And I asked him about what he saw on the vendor floor in terms of new tech that was interesting. He said not really very much of anything new. That makes sense: nothing new, or very samey. And yet, he was impressed to see InfoSec championing the cause of the startup. So that was great to hear; I'd like to know more about that. I hadn't really investigated it at the time, but I will post it.
Morbin: I was originally going to say, you know, there was a lot of talk about innovation, but I didn't see much, but I thought that was a bit harsh, given that I didn't get the opportunity to, you know, see enough of the stands to validate that claim. So I thought, you know, the little bit I did see, I didn't see an awful lot of innovation, but that's not to say it wasn't there.
Delaney: Yeah. Well, it was a very enjoyable few days. Tony and I look forward to publishing the interviews very soon. And finally, and just for fun, it's time to grab your suntan lotion as we head to the beach. I thought it'd be fun and necessary to discuss summer holiday reading. What can you recommend? What's on your list for this year? Michael, jump in.
Novinson: This is definitely not a beach read but a good read, which is Roz Chast, Can't We Talk About Something More Pleasant? For those who aren't familiar, she's a graphic novelist. And it's essentially the story of her parents who lived in New York City and kind of coming to terms with their declining health and the fact that they're going to be moving on. So it is, yeah, probably not a happy read, but very well done. Funny. Quite funny in parts, sad in others, but I'm working my way through it now. I'm really liking it.
Delaney: Yeah. Sounds very interesting. I'd like to read it too. Tony?
Morbin: In truth, it would probably be fiction, not bought yet. Or maybe I might have bought it and it's neglected on the bookshelf at the moment. Nothing to do with cybersecurity. So I've got a few novels; they're waiting to be read. If I went factual, it would probably be something on AI just to bring myself really up to speed at all. I've seen a nice book that I'm thinking keenly about getting, which is This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth. But that's not actually new. It's a few years old.
Delaney: Yeah. Nothing wrong with old. Still relevant. Mathew, what's on your list?
Schwartz: So the book I just read that would be a good beach read is The Guest by Emma Cline. It's about a young woman who drifts in and out of Hamptons life; very well written, not super long, which is always great for a summertime read. And then what I'm looking forward to reading is a book that just came out by Charles Stross, who I love. He has this humorous blend of the real world with a fantasy take on things. And he's got this thing called the Laundry Universe, basically, where there's this parallel world where magic is done via higher-level mathematics. And there's a British government agency that's set out to protect the country from all of the Eldritch Horrors that result. And he's got a new book called Season of Skulls, which is about an ultra Prime Minister with unimaginable powers. Everyone who does anything wrong gets put to death. And yet, some people resist. I haven't even read it. This is the tagline. I'm looking forward to that. Great title.
Delaney: Great title. So I will have to read If It's Smart, It's Vulnerable by Mikko Hyppönen; Mathew Schwartz picked up a signed copy for me at RSA. So that's very special, but I have to make a start on that. Elena Ferrante's Neapolitan quartet, if anyone hasn't read it, is a brilliant piece of fiction, a series of four books. So thank you, Jasmine, for your recommendations. Happy reading. Happy summer holidays.
Schwartz: You all can bring us some wine next time.
Delaney: I'll try.
Morbin: To just offer a recommendation of one that we've read, you know, The Goldfinch by Donna Tartt. Really enjoyed that.
Delaney: Love that and actually want to read The Secret History.
Morbin: I've read that as well.
Delaney: Noted. Thanks again, everybody. This was excellent, and thank you so much for watching. Until next time.