What could we learn from the SolarWinds investor lawsuit?

By Josephine Wolff, Assistant Professor of Cybersecurity Policy, The Fletcher School at Tufts University 

There’s not a whole lot of new information in the lawsuit against SolarWinds filed earlier this month by two pension funds that invested in the company, but the case does raise a new slew of questions—including just how much such legal action can compel companies to disclose about attacks they suffer.

It’s possible that lawsuits like this one could help shed some light on what exactly went wrong at the company—and how other targets might better protect themselves against this group of perpetrators, moving forward.

The lawsuit alleges that SolarWinds “suffered from internal cybersecurity deficiencies that defied elementary cybersecurity standards for any modern company.” We already knew about the infamous “solarwinds123” password that was accidentally posted online by an intern, and we already knew that Vinoth Kumar had emailed the company about that password being publicly available back in 2019. We even already knew that the private equity investors Silver Lake and Thoma Bravo had cut costs at SolarWinds in part by outsourcing software development to countries in Eastern Europe.

But there’s still so much we don’t know about the SolarWinds compromise and how it was perpetrated. SolarWinds has said that the “solarwinds123” password was not what enabled the attackers to infiltrate its systems and that anyone using it would not even have been able to access the company’s IT systems.

No explicit connection has been made tying the infiltration of the company’s update servers to its staff or resources in Romania, Belarus, Poland, and the Czech Republic. The recent complaint alleges that this offshoring was dangerous because “Countries that were formerly part of the Soviet Union or the Eastern Bloc are well known to present a heightened risk from Russian operatives that pose a threat to American interests,” but as evidence for this danger the plaintiffs cite a completely different cyberattack—the 2017 NotPetya malware—rather than any indications that SolarWinds itself was infiltrated through its ties to Eastern Europe.

In fact, we still really don’t know much of anything about how Russia infiltrated SolarWinds, and that’s a pretty significant problem given recent reports that the Russian hackers responsible for SolarWinds are continuing to target U.S. companies.

Depending on how thorough a forensic investigation SolarWinds has decided to do and how good their logs are, we may never know definitively how the breach started. But it’s sort of surprising that we still know so little given how significant the incident was and how much media and government attention it received.

The suit places blame for the compromise squarely on the shoulders of SolarWinds and its board of directors, rehashing the story of the publicly available information to argue that the SolarWinds board abdicated its responsibility to secure the company’s systems and focused instead on cutting costs. The lawsuit also points out that various security risks were raised with the company in the years preceding the incident and that the board appeared largely to ignore those warnings, both from outsiders like Kumar and from its own Global Cybersecurity Strategist, Ian Thornton-Trump, in an April 2017 PowerPoint presentation.

But the recommendations Thornton-Trump gave the company—or at least the ones that are cited in the complaint—are very vague and name no specific changes or vulnerabilities for the company to respond to. His warnings that there was “a lack of security at the technical product level” and “minimal security leadership” had nothing to do with any specific changes that the company needed to make to protect itself. The lawsuit does list some more specific SolarWinds security practices that the investors fault the company for, including that it “(i) used weak passwords for its software download webpages; (ii) did not properly segment its IT network; (iii) directed its clients to disable antivirus scanning and firewall protection on its Orion software; (iv) cut investments in cybersecurity; and (v) listed its sensitive and high-value clients on its webpage for anyone to see.” But here, again, there’s no actual attempt to link any of these specific practices to the breach that ultimately occurred in 2020.

If this lawsuit moves forward—a big if, given how difficult it can be for lawsuits alleging negligent cybersecurity practices to gain traction—it might force SolarWinds to respond to these allegations by investigating and revealing more details about the origins of the infiltration, how it was carried out, and why it went undiscovered for so long. If using resources in Romania really was the company’s vulnerability, it would be useful to know that! If terrible password policies were at fault, that would be good to know, too.

Fixing whatever went wrong in the particular case of SolarWinds obviously won’t be enough to protect all companies from all intrusions, of course. But it would be better to have some concrete information about what happened in this case than to just speculate that all servers in Eastern Europe are insecure or that bad passwords are always to blame.

Legal battles are one of the few ways that information sometimes comes to light in the aftermath of cybersecurity incidents and with luck they will help uncover answers to some of the many questions we still need answered about the devastating SolarWinds compromise.

This piece was re-published from The Record.