SolarWinds Lawsuit Causes Apprehension Among MSPs

A lawsuit by the U.S. Securities and Exchange Commission (SEC) against SolarWinds and its CISO over the massive 2020 supply chain cyberattack is sending chills through the MSP and cybersecurity services community, highlighting the risks involved in securing clients against cyberthreats. 

The SEC’s complaint raises significant concerns about liability incurred by cybersecurity providers. Although the suit didn’t seem to shock industry executives and observers interviewed by MSP Success, the charge against CISO Timothy Brown appeared unexpected. 

“What surprised me about this SEC action is that it drilled down to the IT management level, not just against the CEO or CFO. That should send chills down the spine of every IT professional, even those that are not in public companies governed by the SEC,” says Mike Semel, founder of MSP consulting firm Semel Consulting.

Kevin Beaver, cybersecurity expert and founder of Principle Logic, says the lawsuit will have a major impact. “This is going to send a chilling effect across the information security industry, in particular those who are currently serving as a CISO or those looking at that role as a career path. It’s kind of ironic that CISOs rarely get the respect, budget, and political backing they need to make things work and yet, in this case, the CISO is the bad guy.” 

The SEC filed its complaint against SolarWinds in the Southern District of New York. In a news release, SEC Division of Enforcement Director Gurbir Grewal lobbed some damning accusations: “For years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well-known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company.’” 

Anthon Oren, CEO of MSSP Nero Consulting, minced no words about the suit. “I welcome the SEC finally growing some teeth and biting offenders of weak security. IT as an industry is wholly unregulated, so until there are some actual laws in place to punish cybercriminals and the companies who are lax about cybersecurity, we will never see real progress.” 

Joshua Liberman, president and founder of network services provider Net Sciences, wondered about the fairness of targeting Brown. “I hope that they did their diligence and are charging the right person and not just the one ‘left holding the bag’ for execs there.” 

Massive Responsibility 

The lawsuit comes as a reminder that MSPs and MSSPs take on a massive responsibility when delivering cybersecurity services. The SolarWinds breach was a supply-chain attack; the perpetrators knew they could reach hundreds or thousands of companies by targeting a single IT supplier. 

MSPs, says Oren, should apply a zero-trust mindset to securing themselves and their clients. “MSPs need to rethink how they should be setting up network perimeters that have no limits. How should they support apps that are based in the cloud? Do their RMM security tools support someone’s non-Windows device?” 

Robin Ody, principal analyst, MSP Analysis Lead, at analyst firm Canalys, says the SolarWinds breach, among others targeting IT companies, highlights the need for MSPs to audit their technology stacks and build greater monitoring and response capabilities. 

To protect themselves and clients, he advises, MSPs should “start with the theory that you and every one of your customers has been breached and walk back from there. Build a robust response program, be it entirely your own or leveraging a third-party MSSP/MDR [managed detection and response] provider and be fully aware of your SLAs.” 

Liberman says MSPs should be choosy about their vendors. “We should all be reviewing vendors, vetting their procedures, and insisting upon more than boilerplate responses.” 

Regulatory Remedies 

In light of supply chain attacks such as the SolarWinds breach, the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC) has released a Cyber Defense Plan to protect the RMM ecosystem. 

The plan is a step in the right direction, but not a cure-all. Nothing can guarantee supply-chain safety. The threats and risks are always there, and the actors are always evolving,” says Ody.  

Semel says CISA’s guidelines only help “if users properly follow them, and then only to a certain point because there are so many layers that may still be exploitable to hackers.” 

Pedro Pereira is a freelance writer in New Hampshire who has covered the IT channel for two decades. 


