EPISODE 147

EP 147: SEC Complaint against SolarWinds Corporation


About this episode

December 19, 2023

What can we learn about the SEC Complaint against SolarWinds Corporation and Timothy G. Brown? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

EP 96: “Normalizing Greater Accountability For Cybersecurity Fraud”
https://cr-map.com/podcast/96/

EP 109: “FTC’s Strange Action Against Cafe Press”
https://cr-map.com/podcast/109/

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at CR-Map.com and KLGates.com.

Jake Bernstein: So, Kip, what are we going to talk about today in episode 147 of the Cyber Risk Management Podcast?

Kip Boyle: We may regret this, but we're going to talk about something that's controversial lately in the cyber security community, the information security community. What we are going to do is more closely examine the SEC complaint that was released recently against the SolarWinds Corporation as well as individually, Mr. Timothy G. Brown. We're going to do this because we want to try to figure out, what can we learn from this? Big disclaimer, we're not trying to figure out right and wrong. They're right, they're wrong, whatever. This is not the blame game episode. We just want to see as cyber risk practitioners, what can we learn from these allegations? That's what we're going to do today.

Jake Bernstein: That sounds really important. I think it's going to be one of our most listened to episodes of the recent...

Kip Boyle: Possibly most hated.

Jake Bernstein: Well, look, I think we're going to try to make it so... We want to talk factually about what this is. What does it mean? What's going on? How is it different from Joe Sullivan at Uber?

Kip Boyle: Right.

Jake Bernstein: What this is, and let me just dive right into that. So, first, here's my disclaimer. I am not super familiar with the SEC, or the SEC laws, or complaint process, or any of that. However, I am extremely familiar with, obviously, the general process of writing and filing a civil complaint against companies and individuals for violations of fraud statutes. After all, I did that myself for eight years at the Attorney General's office. A couple of things to know to begin is that this, the SolarWinds and Timothy Brown SEC complaint, is not some weird, unusual special document that only the SEC gets to do. Now, this is a standard federal district court civil complaint that looks like every other civil complaint that gets filed by the FTC, or the FDA, or the State Attorneys General, although they usually do it in their own state courts.

To be clear, it's a civil complaint, right? Not a criminal complaint. There is no risk that Mr. Brown is going to go to jail under this complaint. I don't know if he'll be charged separately. I don't know who would do that. Usually, only the DOJ can file criminal complaints, and let's just make that differentiation right now. Joe Sullivan was charged with obstruction of justice by the DOJ in connection with a number of the Uber cybersecurity breaches way back in 2016. That was a situation where the outcomes were innocent or guilty. Potential jail time. There's still fines with criminal cases.

Kip Boyle: Like television court?

Jake Bernstein: Yeah, it was a true criminal case.

Kip Boyle: Okay.

Jake Bernstein: This is a civil complaint. This is looking for injunctive relief, which means that the primary relief that the SEC wants is, "You can't do that again. Stop saying these things that are not true." Then, in Mr. Brown's case, "You can't serve as an officer or director anymore on a public company." So, that's a significant request for relief, but it's not criminal. Then civil penalties, what they call disgorgement of misbegotten gains... It's restitution, it's payback. Basically, "You cost people money with your lies, therefore you should pay it back."

Kip Boyle: We have to stress, these are allegations at this point, right? These aren't facts.

Jake Bernstein: No, this is all just a complaint. Everything I just mentioned was a request for relief that the SEC is getting from a judge. It's very similar to... in the pre-show, we were talking about the Lincoln Law, the False Claims Act. That's a civil claim, as well. It's the same type of deal. When you're in civil court, the burden of proof is a preponderance of the evidence, which just means more likely to be true than not. We're not in beyond-a-reasonable-doubt land, that is criminal law. This is not a criminal case. So, beyond a reasonable doubt, it doesn't matter. Is it more likely to be true than not, is the standard of proof.

Kip Boyle: That's a lower bar, right?

Jake Bernstein: It's a much, much lower bar. Yeah. Beyond a reasonable doubt is the highest possible bar. It's essentially saying this is true. Even then, it isn't saying that; it is saying that any given allegation is true beyond a reasonable doubt. That is the highest form of standard of proof that we require in our judicial system. So, what is going on in the SEC complaint? Yes, I think the right word here is allegations. They are making statements that they believe to be true. They will have to support those claims with evidence. There will be... I believe they requested a jury trial. Let me just double check.

Yes, indeed. They demanded a trial by jury on all issues. So, triable. So, that's normal. This is all normal. I think that one of the reasons this particular complaint has drawn such interest in the community, and you and I were both at SecureWorld... Well, at the time of recording, it was earlier this month, whenever this publishes. It will be within the last couple of months. But it was obviously like this issue, this SEC complaint was obviously a big deal. A lot of people are concerned. I'm seeing tons of activity on LinkedIn about it. People saying, "Well, I'm not going to be a CISO anymore because I might get charged." A lot of reactions, some of which I think are quite reasonable. I think it's difficult to be able to... I'm not sure what advice to give to my friends who are CISOs right now, other than something that is probably easier said than done, which is, you need to be completely honest in your dealings with the public and the SEC. I think what we should do is start to go through our very rough outline.

This is a tough thing to dissect, right? There's a lot going on here. It's a 68 page complaint.

Kip Boyle: Yes. There's a lot.

Jake Bernstein: That's a long complaint. Just to be clear, I've filed long complaints. I've probably hit 50 pages, but one can file a complaint that is four pages, right? There's nothing necessarily about this process that requires such a long complaint. I would almost say this is an unusually long complaint. The issue is that under the legal system, the lawyers who put all this stuff in there have to have a basis for doing it, right? They're not going to just make stuff up, for a number of reasons, particularly under the Federal Rules of Civil Procedure. Whenever you sign a document as an attorney, there is something called Rule 11, Federal Rule of Civil Procedure 11. It basically says, you're responsible for anything that you put in a document that's submitted to the court that is not true.

Kip Boyle: That's how the attorneys that used ChatGPT to file bogus cases got tripped up.

Jake Bernstein: I don't remember if they were in federal court or not. I think they were.

Kip Boyle: But they could. They would've [inaudible]

Jake Bernstein: Also, just to be clear, every state has a version of Rule 11, but Rule 11 is the anti-harassment law. That's the bad word... Anti... Why am I blanking on the word? The anti-junk lawsuit rule, right? Basically, it's the rule that permits opposing counsel to go after the lawyer who filed something that the lawyer should have known was fake or untrue. I'm oversimplifying here. This is not a quick crash course in federal civil procedure, but it does matter because when I see a complaint that's 68 pages long with that much detail, I think to myself, "Well, these guys already know most of this stuff, and they're not going to..." So, yes, you say they're allegations, which is true. They are allegations, but you're not going to make those allegations in a complaint and sign your name to it, unless you're pretty darn sure you're going to be able to prove them. So, that's what makes it interesting, and why it's so long.

Kip Boyle: Okay. Now, there's a lot of allegations in there. My reading is that they're serious allegations. I wanted to ask you, do you think they went through a discovery process already? Because in there they reference emails, PowerPoint presentations, instant messages, they reference risk acceptance forms that were probably online internal to the organization. I'm like, "Where in the world did they get all this stuff?"

Jake Bernstein: So, I can answer this, and again, this is one of the areas that I'm not a hundred percent certain about the SEC in particular, but I'm assuming that they have a civil investigative demand process that is just like the FTC, that is just like the one I used to use. A civil investigative demand process is essentially the ability to conduct full civil discovery without filing a lawsuit. It's an investigation. It's different from a criminal investigation, where the police are more... There's a lot more rules under criminal law about what they can and can't get. There's the whole unlawful search and seizure, all that stuff. That's all criminal law.

Civil law is basically, I get to send you a letter demanding a bunch of stuff, and you have to send it to me unless you have a really good reason not to. One second, bad noise, figured it out. No big deal. The question from a civil investigative demand standpoint becomes, "Am I going to fight this civil demand or CID?" I may slip into CID, which is what I used to say all the time. Generally speaking, you're not going to, because these federal agencies, the state attorneys general, whoever has CID authority, which has to be very specific in a statute, is generally entitled to that information. Yes. One of the reasons I said this is one of the things that allows them and other investigatory agencies to file a 68-page hyper-detailed complaint is that they were able to get information before filing.

Kip Boyle: Right. Okay, that makes sense. Now, the SEC did send a Wells notice months and months and months [inaudible]

Jake Bernstein: So, I have no idea what that actually is. I'll be honest, that's an SEC thing. A Wells notice is going to refer to an SEC case. I don't know exactly what it is. I'm assuming that it is similar to other rules that say you have to give notice before you start investigating. Or the Wells notice actually might be the CID. I could look it up, but I don't think it's important.

Kip Boyle: Okay. Well, so I just want to say for people who read this, if you end up reading this complaint, you're going to see all kinds of references to what I would presume are internal documents, internally held data. That made me wonder, where did this come from? So, Jake, I think you've done a good job of explaining it. As you were explaining it, I remembered, "Oh, right. I remember seeing a news story months ago about a Wells notice," and I looked it up and it says, the SEC issues Wells notices... Wells must be the name of a person who had something to do with this. But they issue it to firms when it is planning to bring enforcement action against them.

Jake Bernstein: Yeah. So, I just quickly looked it up. It's named after the Wells Committee of the SEC, which proposed the process back in 1972. More specifically, it is a notice, yes, that, "Informs the people or the firm in question that the SEC is going to bring an enforcement action against them. The notice will indicate that it's going to bring a civil action and will provide the person or firm with the opportunity to provide information as to why the enforcement action should not be brought." Generally, you get 30 days to respond to it. Yeah. So, this is very, very similar to... Again, I'm not sure if there's a full CID authority, but this is basically what this is.

Kip Boyle: Okay.

Jake Bernstein: We don't need to know.

Kip Boyle: Don't need to drill into that anymore. But the point is that there was a form of discovery that was conducted and they got all this information. They obviously analyzed the hell out of it, and now we've got a 68-page complaint, which to your point, nobody would assemble a 68-page complaint of fluff.

Jake Bernstein: It's not fluff. It's not fluff. [inaudible] there's a portion of it that's boilerplate. That's things you just have to say. But that's like five pages. So, the vast, vast, vast majority of this thing is very detailed allegations.

Kip Boyle: So, I want to focus on one allegation in particular. I think this is something that we can learn from right now. I don't think this is a new lesson, but I think it's a lesson that's being repeated. So, I really want to focus on that. Time permitting, we can look at other things, but I believe that there is an allegation in there that really cuts to the core of what's going on in the world right now, and what's been going on for a long, long time. As somebody who's worked in cyber security since 1992, I've seen this over and over and over again, and I'll give you some specifics here in a moment. But I would roll it all up and say that we have, as an industry, a pervasive culture of cyber security theater, where we say and do things to make stakeholders feel good. But the reality behind what we say isn't necessarily the same as what we say. I've seen this over and over and over again in different roles that I've had.

So, I'm essentially saying, I've observed this sort of thing on the job for years and years and years, and I feel like this is something that the US federal government is finally saying, "We're not going to put up with this anymore."

Jake Bernstein: That's one thing we should have done, which we didn't yet, is describe what exactly the SEC is saying here in terms of what the legal violations are. This is very, very, very important because if you just see a headline, "SEC charges SolarWinds and its CISO with violation of securities laws," it's pretty vague. You might not realize that... you might think that they're getting sued, or even charged with a crime, which we've determined is not the case, this is not a criminal case, because they got hacked successfully, right?

Kip Boyle: Right.

Jake Bernstein: It is not the case. Let's just be super clear. Not this one, perhaps not ever. There is no law that requires you to not be hacked. That would be the equivalent of saying thou, thou shalt have perfect cyber security, and thou shalt never lose to the bad guys. Which...

Kip Boyle: By the way, there's a whole other episode here that you've just touched on, which is why are we getting pissed off at companies that get hacked when we are now pivoting to assume breach?

Jake Bernstein: Well, and let's talk about that. So, oh man, that is a separate episode, Kip, but look, the SEC here isn't saying that you are getting charged with these violations of the securities laws because you got hacked. The securities laws are very similar to both the Federal Trade Commission's unfair or deceptive acts or practices, and very similar to the Consumer Protection Act that I enforced. It all comes down to essentially misleading, fraudulent statements, lying, not telling the truth. In the securities arena, it really comes down to something that I don't think is all that difficult to understand. You can best describe it as this: the way that a public company works is it offers up its stock, right? A stock is a classic security.

That's what we're talking about when we say the federal securities laws, and a piece of ownership in stock is the classic, easiest example, though there are many others. In order to help investors determine what stock they should buy and what they shouldn't buy, these public companies have to disclose a whole bunch of data. You need to talk about the revenue data. You need to talk about the number of employees. You also have to disclose your foreseeable risks and the risks to your business that might cause the stock value to go down.

Kip Boyle: Right.

Jake Bernstein: Fundamentally, all of this with the SEC is about the price of the stock and the potential harm to shareholders. In other words, investors. Because that's what the SEC does, that is its sole purpose in life, is to protect investors and regulate the securities markets for one very, very good reason. This is a classic market failure. I mean that in the sense of Adam Smith theoretical markets: the failure is lack of information, and the ultimate lack of information is when you're lied to, right? Because you as the investor have no ability to determine... You just know what you've been told. When somebody lies and creates a false impression or otherwise tells the not-truth, you are very likely to get injured, because you don't know what you're doing. You can't know, right?

Kip Boyle: Right.

Jake Bernstein: So, we've determined in our society that lying and cheating in the marketplace is bad, which I don't think anyone disagrees with that. This is not a controversial position.

Kip Boyle: There's a whole other episode we could go to about digital currencies and...

Jake Bernstein: [inaudible] Do you think it's all pretty similar, right? It's all pretty similar.

Kip Boyle: Yeah, yeah.

Jake Bernstein: So, what the SEC is complaining about here is that ultimately, it wasn't even the cover-up, it was worse than that, because SolarWinds and Mr. Brown had been saying in public documents, and also non-public as we'll see, various things about SolarWinds' security posture. In the public documents, they said, "We're good. Essentially, everything's fine." They provided very vague standard boilerplate risk disclosures about fire, flood, earthquakes, acts of God, cyber attacks, loss of power...

Kip Boyle: The stuff everybody says.

Jake Bernstein: Blah, blah, blah, stuff everybody says, and here's the big issue: according to the documentation that the SEC has obtained, and then put into the complaint, that was untrue. When those statements were made, SolarWinds and Mr. Brown knew they were untrue. That is the allegation, right? The allegation is that, "You were lying," right? This is all about falsehoods. It is that simple. So...

Kip Boyle: Okay. Now, thank you. Now, what I want to do is I want to share just a few things that I pulled out, some allegations that I pulled out of the complaint that will then set us up to have a conversation about why is the cyber security theater going on? Why is this so pervasive? If these allegations are facts, what probably happened, right? How can CISOs and the people who support them and serve them avoid this? Okay?

Jake Bernstein: Yep.

Kip Boyle: Okay. So, in paragraph 4A of the complaint, it says that, "A security statement that purported to describe the company's cyber security practices and policies was posted to the company's website." I'm not going to read that...

Jake Bernstein: Public statement, that's the important part.

Kip Boyle: It's a public statement. Yep. That was 4A. Now, if you skip down to paragraph 8A, it says, "A January 2018 email to senior managers bluntly admitted that the security statement's secure development life cycle section was false." That's like a smoking gun, wouldn't you say?

Jake Bernstein: The smokingest.

Kip Boyle: Okay. Now, let's skip to paragraph 8E. It says, "In 2020," so, about two years later, "portions of SolarWinds' flagship Orion software platform were still not developed under a secure development life cycle process, and SolarWinds employees noted this was a problem."

Jake Bernstein: Then you get...

Kip Boyle: So, this is before they got hacked.

Jake Bernstein: It was, and then you get to the kicker. Go ahead and read it. I know you want to.

Kip Boyle: Yep.

Jake Bernstein: Paragraph nine.

Kip Boyle: Paragraph nine. "Even though Brown and/or other SolarWinds employees and executives knew about these risks, vulnerabilities, and attacks against SolarWinds products, SolarWinds' cybersecurity risk disclosures did not disclose them in any way, either individually or by disclosing the increased risk they collectively posed to SolarWinds." That's pretty damning.

Jake Bernstein: It is. I don't know how they're going to defend this. As you said repeatedly, these are allegations. But look, they've got the evidence. This does not look good for the company or Brown. Why was Brown singled out? I don't know. That was an interesting decision. I think there'll be a lot written about that. Other employees, and...

Kip Boyle: We are not here to try to answer that question.

Jake Bernstein: We don't know. We're not here to try to answer that. We're also not going to really opine on whether it was right or wrong. I don't know the facts. I don't know the situation. I don't know Mr. Brown.

Kip Boyle: Yep.

Jake Bernstein: What I do know is that he signed documentation and statements that, according to the allegations, he knew were false. Just to be very clear at the fundamental level, that's what he's being charged with. It's not, "You didn't have good enough security." It's, "You said you had good enough security, but you knew you didn't, and you said it anyway." That's the long and the short of it. So, I think the reason that security folks and other CISOs feel like this is potentially unfair is that they know what it's like to be a CISO.

Kip Boyle: Yes, and the pressures that come upon you.

Jake Bernstein: Yes. By the way, maybe I don't think it's a separate episode, but we've talked in the past about the reporting lines for CISOs.

Kip Boyle: Yes.

Jake Bernstein: I think this case could really change the game for CISOs to no longer be... They need to report to the board and to the CEO. We can speculate. We don't know. We don't know what Mr. Brown was trying to do. That's why we're not making any...

Kip Boyle: It's not a blame game.

Jake Bernstein: It's not a blame game. We're not even making any judgments. I just have no idea. This could be a situation where he did everything he could right, and then was coerced into basically saying, "Sign these statements, or you lose your job." We don't know. We can speculate. We don't know. I don't know. I haven't read anything about it either. If there....

Kip Boyle: Maybe that'll be part of the defense. Who knows?

Jake Bernstein: It could be. It could be. The problem though, Kip, is that it is irrelevant, right? Because when you sign your name to something... This is actually the fundamental Rule 11 thing that I was talking about with lawyers. When you sign your name to something, it was your job, you had a duty to know if that was true or false. If you knew it was false, and you signed it anyway, you need to figure out why. Or rather, it's going to be your problem. So, again...

Kip Boyle: Is culpability the right word?

Jake Bernstein: There is a level of... Sure. Innocent or guilty isn't the right phrasing here, because it's really about being liable or not, because it's not a criminal case. Normally, I would hate to speculate, but I think we have to, because I think what's being questioned here in the community, by our listeners, is a completely valid, very important set of questions, which is, if Mr. Brown was like many of us other CISOs and security employees, and we know from our day-to-day lives that we're being ignored by upper management, what are we supposed to do? It's very tempting for some to just say, "Well, just quit in protest." But that's not a fair or realistic piece of advice, right? "Well, just quit your job." No, you can't.

Kip Boyle: Or, "Just become a whistleblower."

Jake Bernstein: Or, "Become a whistleblower," or all this stuff. It's not that simple, right? It's not that easy.

Kip Boyle: No, it's not.

Jake Bernstein: Look, I thought it was interesting. The SEC complaint does specifically say, "All of these statements would've been violations of the securities laws, whether or not SolarWinds had been hacked; them being hacked is what made it possible for everyone to know that there were violations going on." I think if there's a lesson for everybody in this complaint, it's that, right? It's that, if you as a CISO, or a CEO, or a CFO, or a board are making statements that you've been told are not true, but you're making them because you're basically just hoping that nothing bad will happen to therefore expose those false statements, this is the risk that you run. The risk you run is that something bad will happen. All those false statements will come to light as having been false when you made them. You can get sued by the SEC.

Kip Boyle: So, you'll not just suffer the consequences of the hack, the cyber attack. There'll also be regulatory sanctions and consequences.

Jake Bernstein: Oh, it could get very bad for a lot of people as individuals. That's the other thing too, is I know a lot of people will say things like, "Well, the hack didn't matter because look at the share price of Target after its hack, it recovered just fine." I'm not going to argue with that because that's a factual statement. It's true. But there was a human cost to all of these attacks, right?

Kip Boyle: Oh, yeah.

Jake Bernstein: There were executives whose lives are fundamentally altered.

Kip Boyle: Their careers are over.

Jake Bernstein: Right? Their careers are over. Unemployable in many situations. So, yes, you're right. The company, the entity, may ultimately recover, but there are people who will not. Who will not recover. The fact is that those individuals will get found out, those consequences will be felt. Again, I feel like we are necessarily putting a lot of security employees between a rock and a hard place, which is, what do you do? That's like seven episodes, Kip. I'm not sure I have an answer, even if we were to...

Kip Boyle: Well, yeah, this is the essence of what people say when they talk about how chief information security officers are just chief scapegoats.

Jake Bernstein: Yep. Scapegoats. I'm not quite sure what you said there, but it's a scapegoat.

Kip Boyle: I don't know either. It was dumb. But anyway, I got too much turkey in my bloodstream. It's the day after Thanksgiving, as we record this. But yeah. So, I'm a scapegoat, right? It's like, "I'm there to say whatever they want me to say to make people feel good, but if the shit ever hits the fan, well, they're going to hang me out to dry, and that's going to make everything better." I think that's what a lot of the community really seizes on. We saw that with Uber and Joe Sullivan, and now we're seeing it with SolarWinds and Mr. Brown.

Jake Bernstein: I think what's so interesting, Kip, about this issue is that it's quite possible, maybe even likely, that this complaint will empower future CISOs in ways that their past brethren have not been empowered. Here's the thing...

Kip Boyle: I'm hoping...

Jake Bernstein: Are you going to take a CISO job without contractual protections against this stuff? Are you going to take a job where you are going to be required to, and again, I'm making assumptions here. Let's just say for sake of argument that Mr. Brown didn't want to sign these documents, but was basically given the choice of, "Sign them or we'll find someone who will," and then look, there's a lot in that statement that could be controversial. I'm not meaning it to be. I'm just saying, just assume for a moment that is the case.

Kip Boyle: Right.

Jake Bernstein: What should he have done? All of us, in many situations, have been put in situations like that, or could be. One of my classic examples was, I've got a client who is trying to get away with something. It's like, what do you do? Do you just quit? If you quit, they might just find a lawyer who's going to bless everything. But if you stay their lawyer, maybe you can guide them into the path of righteousness. I'm being hyperbolic. But the point is that [inaudible]

Kip Boyle: You're in a bad situation.

Jake Bernstein: You're in a bad situation.

Kip Boyle: Yeah. So, let me tell you what I think about when you talk about these things. So, when I was in training prior to being commissioned as a second lieutenant in the United States Air Force, one of the things that they taught us was this concept of a lawful order. The reason why they taught us about that is because they were trying to help us, if we ever got into a situation where a superior officer, somebody who outranked us, who had the legal authority to compel us to do things, if they ever tried to compel us to do something we knew was illegal, for example, "Lieutenant Boyle, participate in this action," and I knew that the action was a massacre, if the action was to kill civilians or whatever, or basically it's an unlawful order. I have the right and the obligation, according to my sworn duty, to disobey illegal, unlawful orders. I'm required to do that.

What they specifically told me to do is they said, "If you are given an unlawful order, you must request it in writing. If the person issuing the order will not give it to you in writing, that is a sure sign in the heat of the moment that that person has asked you to do something unlawful and illegal, and you are not to obey that order."

Jake Bernstein: Yeah, it's interesting. I suppose I should have known that was part of the education of officers, but I'm really glad it is, because it's really important, right?

Kip Boyle: Yeah. So, I would say, you were asking rhetorically, what should you do? Well, nobody I know in civilian life, to the best of my knowledge, has ever been told what to do if you're given an illegal order, if you're told you have to sign these documents that contain falsehoods, right? Now, civilian life is different. But I would say that a way that you could navigate that is you could say, "Please put it in writing that you're asking me or compelling me to sign these documents under the threat of being fired or sanctioned."

Jake Bernstein: I'd say, Kip, that a lot of people do that just in the civilian world. We just call it a CYA memo, right? That's what it is. That's what it is. You're covering your own butt.

Kip Boyle: Yeah. CYA files.

Jake Bernstein: That's perfectly acceptable. I think more than that, I think, look, nobody wants to admit in a public filing that their cyber security sucks when they're a fundamental infrastructure company. There's major, major things. What's going to happen? People might just flee, right? Customers might flee. Your stock price is going to go down.

Kip Boyle: Right.

Jake Bernstein: It's bad, bad to do that. However...

Kip Boyle: Absolutely.

Jake Bernstein: I would say there need to be consequences when you lie about it. That's [inaudible]

Kip Boyle: That's what this is getting at. Now, let's go ahead and continue on because, first of all, what I want to say is, okay, I've read to you, verbatim, quoted four allegations out of the complaint. But my friends who are listening to this, there's 68 pages to this complaint, and most of those pages are full of allegations. So, if you want more of what I just read to you, just go to the complaint.

Jake Bernstein: Just to be clear...

Kip Boyle: There are many, many, many more just like this.

Jake Bernstein: We got to paragraph. So, the great thing about a complaint is that every paragraph is numbered. We got to paragraph number nine.

Kip Boyle: Yep.

Jake Bernstein: I want to let you all know that it's up to paragraph 202, and that's not the end of the complaint. That's just the end of factual allegations. At 203, you get into what I call the boilerplate, claim for relief stuff. It's relevant, but you're no longer in the allegations. So, there's 202 approximately paragraphs that are dedicated to making...

Kip Boyle: Just dripping with this kind of detail.

Jake Bernstein: There is a lot of detail.

Kip Boyle: There's a lot. There's a lot of detail. You might be shocked at some of the sources of the detail. For example, the instant messages. If you're using instant messaging and you think it's ephemeral, it's just going to disappear later on. This complaint shows that's not true in all cases. So, be careful.

Jake Bernstein: Also, other employees, there's other employees that are cited as sources.

Kip Boyle: That's right. Who made statements in other instant messages that Mr. Brown wasn't a part of, right? So, be careful. Now, assuming that these allegations are facts, let's just assume that they are. I think we have to ask ourselves, what was the root cause of this failure? Why was this cybersecurity theater going on? Why were they making public statements that were false, knowingly false, and at the same time in internal communications channels stating to each other that, "Everything we're saying or a lot of the things we're saying are just not true." So, what causes this? I think what causes this is an issue that I've run into a lot, that I've talked with Jake and our customers and clients about, which is a CISO typically has no line management authority to compel people to do anything, except the people who report directly to them on their team whose performance appraisals they write.

This is a fundamental problem for every CISO I have ever talked about this with. I can tell you that in my work as a W2 employee, as well as in my small business that I run right now, this is an issue. It is extremely difficult to operationalize cybersecurity. What I tell people in my position who are operating as a CISO is, "Don't even try to do it on your own authority. Don't go out there and try to influence people. Don't try to cajole. Don't buy pizza to make people do the things that you're asking to do. What you have to do instead is you've got to go to senior decision makers, and you've got to get them to cascade the changes that are necessary to operationalize these policies through line management."

People's supervisors have to look at them and tell them, "Yes, I expect you to do this, and if you don't do it, then I will note that on your performance appraisal, I will enter you into a progressive disciplinary system, as it's administered by our human resources department." That is the best, and in my opinion, only way for a CISO to operationalize these things and to stop putting on this cybersecurity theater. I think that's probably what happened here.

Jake Bernstein: I would say document, document, document. Build the largest CYA file that you've ever seen.

Kip Boyle: Yeah, definitely. Definitely. If you can't get senior decision makers in line management to implement the things that need to be done and you're being compelled to lie about them, then you need to document all of this, all of your attempts to get them to implement, to operationalize these policies and standards and procedures. There's got to be a point past which you have to ask yourself, "Why am I here?" If this continues to happen. I've met so many people, I've met so many people who have come up to me in public educational sessions that I've run, in webinars that I've done, live streams and so forth, and they say to me, "How can I get my management to take me seriously and to do these things?"

I tell them, "Look, if you've put a reasonable amount of effort into it and you can't get them to see your point of view, you either have to just accept it and do the best you can, or you need to change jobs," because you cannot compel senior decision makers to have a different risk appetite, to have a different risk tolerance. It's too personal. People aren't going to just do it because you say so.

Jake Bernstein: Kip, there's a whole season, a whole year of episodes lurking in this discussion, if we wanted there to be.

Kip Boyle: Yeah.

Jake Bernstein: But it's so much bigger than just this complaint. It's so much bigger than just this one guy. Or even just the concept of a CYA file. The questions that are being raised are, "How much does cyber security matter at the end of the day? Right?" Is theater enough? Because look, there's people right now who, or there are people who would, I think fairly ask, "Well, wait a second. At what point is the tail wagging the dog? Well, what is the point of the company?" The point of any given company is never to be, the goal of the company is to make money, is to do what their business is, right? Cyber security...

Kip Boyle: Take risks.

Jake Bernstein: ... Is a supporting function. We know that. We get that, right? There's no...

Kip Boyle: Risk enablement business.

Jake Bernstein: There's no debating that. I'm fine with it. I think we're all fine with it. Look, lawyers are, that's the same thing. We give advice. We can't force anyone to take it, but we give advice. Ultimately, the business decides if they want to take a risk or not. That's never going to change. What I think does need to change though is one, never again should a CISO sign their name to something that they know is false. Again, it's an allegation, but let's just assume that he did know it was false.
The allegations certainly make it seem that way. If we assume that there's evidence to back those up, and we further assume that he did know some of this stuff and he was doing it anyway, it almost doesn't matter what his reason was. As you said, Kip, there could be defenses? Mitigations, right? Certainly it's the classic gun to your head situation. You're not criminally responsible for something that you do when you've been forced to do it. So, there's all kinds of questions about this particular instance. But fundamentally, I think the real problem is that the highest level executives weren't taking cyber security seriously enough.

Kip Boyle: Or, maybe they knew they were serious, but the way they chose to deal with those risks was to lie about them.

Jake Bernstein: Maybe that's true. We've seen that before. The classic case of the Ford Pinto, right?

Kip Boyle: Yeah, absolutely. Right. So, the Ford Motor Company did this analysis on these crashes that were being reported about the Ford Pinto, and there was an engineering problem. They eventually knew for a fact that the placement of the gas tank in the Ford Pinto was dangerous. They did an analysis about how much would it cost the company to fix it, versus how much would it cost the company to just continue to settle legal claims when those gas tanks would rupture and cars would catch on fire and people would be hurt, property would be damaged, and people would be killed. They decided economically it was cheaper to just let it ride. Just let accidents continue to happen. It would be less money for them to deal with the fallout of it than it would be to actually correct the defect. Ultimately, that all came out and it was a huge scandal.

Jake Bernstein: So, this is the thing, and there's many of these. Tobacco, asbestos.

Kip Boyle: Asbestos.

Jake Bernstein: There's Bayer, who bought Monsanto and just got absolutely obliterated over Roundup.

Kip Boyle: Yup.

Jake Bernstein: These things happen a lot. We could argue for months about whether the corporate laws need to be changed to this, that, or the other thing.

Kip Boyle: So, can I tell you what I think the lesson is for people working in cyber security? Don't lie.

Jake Bernstein: Don't lie.

Kip Boyle: Don't lie. Do not lie when you sign these forms. Don't lie when you publish statements to stakeholders outside your organization, be they statements on your website or statements in contracts like data security addenda where you say, "Yep, we're going to do all this stuff," and you know for a fact, that half or some significant percentage or maybe even everything in that data security addenda, you have no intention of doing, but you're signing it anyway. Be careful when you sign applications for cyber insurance where they say to you, "Sign here to attest that all of the things that you put on this application are true to the best of your belief."

Don't sign that thing if it contains falsehoods. That is a good way to stay out of trouble with these kinds of allegations that are being filed in these complaints. If you have to change jobs, change jobs, it's not that big of a deal in the sense that you're not going to be sitting on the bench for a long time. If you are good enough to have a CISO job today, right now, you'll get another one.

Jake Bernstein: What's more than that is that once you lose your integrity, you're done.

Kip Boyle: You're done. It's reputation.

Jake Bernstein: You're never getting it back. The company you work for...

Kip Boyle: No, this is reputation.

Jake Bernstein: It's reputation. The company you work for will recover, most likely.

Kip Boyle: Right. Yeah.

Jake Bernstein: You won't.

Kip Boyle: You'll have to go to a completely different line of work.

Jake Bernstein: Yeah, it's true.

Kip Boyle: So, don't do that. Don't do that. Okay. So, I think that is my message for listeners is, do not participate in the cybersecurity theater. It is clear to me that whereas people in the past who participated in cybersecurity theater got away with it for the most part, I don't think that's going to be true in the future. I think these actions that are being brought by the FTC and the SEC are demonstrating that this isn't going to be tolerated anymore.

Jake Bernstein: The DOJ, when they went after Joe Sullivan, I think you're right. I think that that is the lesson here is that this is important enough... Look, there's times where it is just about dollars and cents, right? Do you want to sacrifice your career, your reputation for someone else's dollars and cents? For someone else's, I don't think you should. But you know what? Don't do it. There's also going to be situations where life, it is actual life and death. We have a whole episode on Killware. We have a whole episode where we talk about the ways that cyber attacks can actually cause the loss of life.

Kip Boyle: People to die.

Jake Bernstein: People to die. That's even worse. That becomes even more devastating. So, I think that is, this whole episode can be boiled down to don't lie.

Kip Boyle: Well, good. On that note, I think this is the wrap-up of this episode of the Cyber Risk Management Podcast. So, what do we do today? We closely examined the SEC's complaint against the SolarWinds Corporation and Timothy G. Brown, because we're trying to see what we can learn from this, even though this is an unsettled matter, and I think we did learn from it already, no matter how this thing turns out. We'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at CR-Map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.