Communications Litigation Today was a Warren News publication.
Threat Actors’ ‘Roadmap’

SolarWinds-Like SEC Actions May ‘Chill’ Information-Sharing, Warn 21 Ex-Cyber Officials

“Nation-state support” permits dangerous actors to mount cyberattacks of “unprecedented scale,” and so it was with the Russian government’s 2020 Sunburst cyberattack against SolarWinds, said 21 former federal cybersecurity officials in an amicus brief Friday (docket 1:23-cv-09518) in U.S. District Court for Southern New York in Manhattan.

The former officials seek "caution" in the court's handling of the SEC’s securities fraud enforcement action against SolarWinds and its chief information security officer arising from that 2020 attack, said their brief. They worry that if a company is required to divulge more information about its security vulnerabilities to satisfy regulators, as the SEC is demanding that SolarWinds should have done in the first place, it would hand bad actors a publicly available "roadmap" for planning even more sophisticated future attacks, it said.

The former officials also fear that the regulatory crackdown on SolarWinds will stifle future sharing of cyberthreat information between companies and government, said the brief. The officials participating in the brief include Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency under President Donald Trump, and Mark Weatherford, deputy undersecretary for cybersecurity in the Department of Homeland Security under President Barack Obama. Also participating were Gus Coldebella, DHS acting general counsel under President George W. Bush, and Kurt Sanger, former deputy general counsel of the U.S. Cyber Command under President Joe Biden.

The SEC alleges that SolarWinds and CISO Timothy Brown “defrauded investors through misstatements, omissions, and schemes that concealed” the company’s “poor cybersecurity practices and its heightened -- and increasing -- cybersecurity risks” (see 2310310041). SolarWinds’ motion to dismiss the SEC complaint blasted the allegations as "absurd" (see 2401290033).

The former officials expressed no position in their amicus brief on the motion to dismiss. Instead, they urged the court to “carefully evaluate” how enforcement actions, like that against SolarWinds, “may disincentivize or chill companies from sharing critical cybersecurity information with the government.”

The former officials caution the court that SEC enforcement actions run the risk of “chilling voluntary disclosure by companies or CISOs,” said their brief. They worry that companies and CISOs “may become more cautious” when considering how their communications regarding cybersecurity threat information, whether directly with the government or with peers through information sharing and analysis centers, “might increase future liability,” it said.

Public disclosure isn’t a “substitute” for “voluntary confidential sharing of more detailed cyber threat information with the agencies tasked with combatting cyber threats,” said the brief. Those agencies “have the right set of technical tools and legal authority to take effective action,” it said.

A “regime that incentivizes” early detailed public disclosure of a company’s “vulnerability information,” such as through filings that the SEC now accuses SolarWinds of withholding from investors and the public, “can actually damage law enforcement investigations,” said the brief. Releasing information detailing a company’s “security posture” can also provide “a roadmap to aid threat actors, and make companies less safe,” it said.

Courts should evaluate actions like this one “while keeping in mind the importance of avoiding action that might chill or otherwise disincentivize the important information-sharing and cooperation” that needs to take place between the private sector and the government, said the brief. Cybersecurity risks “are far easier to evaluate after a risk has already materialized and been eliminated,” it said.

A CISO or company may be concerned that the preliminary information about a cybersecurity incident or vulnerability it shares confidentially with government or industry “may be treated in hindsight as something that should have been disclosed publicly,” said the brief. It may also make them “think twice before sharing that information in the first place,” it said. As the court evaluates the SolarWinds action, it should “consider the importance of public-private sector sharing of cybersecurity threat information to the nation’s ability to prevent and respond to cyberattacks,” it said.