SEC’s SolarWinds Probe Could Expose Undisclosed Security Breaches: Report
Joseph F. Kovar
‘We don’t live in a world where you can’t report. If I as an MSP am breached, I report it right away so that if there are issues, customers can deal with them,’ says Ed Tatsch, president of ETS Networks.
An investigation by the U.S. Securities and Exchange Commission into the SolarWinds hack could leave U.S. businesses that did not report breaches of their systems vulnerable to having their lack of openness exposed.
Reuters Friday reported that the SEC is asking companies to turn over records related to a data breach or ransomware attack as far back as October 2019 if they downloaded the software from SolarWinds that was at the heart of the attack.
Reuters, citing six unnamed sources, said businesses were afraid the requests for information would reveal multiple cyberincidents outside the SolarWinds attack, including security incidents those companies may never have intended to reveal.
While disclosing previously undisclosed attacks is voluntary, businesses that fail to disclose breaches could face investigations and fines, Reuters said.
SolarWinds’ Orion platform is used by the part of Austin, Texas-based SolarWinds that manages IT solutions for enterprise customers in private enterprise as well as government.
That platform late last year fell prey to a targeted, nation-state attack that let loose a cascade of security breaches into sensitive government networks. Targets included the Department of Homeland Security and U.S. Treasury. SolarWinds Orion is a network monitoring platform used by technologically sophisticated government agencies, including the NSA.
Roughly 100 private sector organizations were also compromised through a poisoned update to the SolarWinds Orion platform in a colossal campaign carried out by the Russian foreign intelligence service (SVR).
Nearly 18,000 organizations downloaded versions of Orion between March and June 2020 where Russian hackers had injected malicious code, although the SVR only took advantage of the access they had gained in select cases.
SolarWinds, in response to a CRN request for more information on the Reuters report, declined to discuss the issue. However, a company spokesperson, in an emailed reply, wrote, “Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues. We are also collaborating with government agencies in a transparent way.”
The SEC did not respond to a CRN request for further information.
Several MSPs told CRN that businesses are right to be nervous when being told by the SEC to disclose previously undisclosed security breaches.
Most customers would not want to be called out on the issue, said Mike Clemmons, president of Bytecafe Consulting, an Indianapolis, Ind.-based MSP.
“It would be a PR nightmare,” Clemmons told CRN. “Being outed like that, and then having to tell their customers and investors, would be difficult. Businesses should have said something at the time they were breached. Now after the fact, it wouldn’t look so good.”
Ed Tatsch, president of ETS Networks, an Arden, N.C.-based MSP, said companies’ that are breached should always report the incident.
“What’s the problem?” Tatsch said. “They should have already been reported.”
When a business first gets breached in a cybersecurity attack, its first move should be to hire a PR company to spin the issue in a fashion that is best for that business, Tatsch said.
“We don’t live in a world where you can’t report,” he said. “If I as an MSP am breached, I report it right away so that if there are issues, customers can deal with them.”
Tatsch said he liked how Colonial Pipeline in May handled the ransomware attack that temporarily stopped the flow of gasoline in the U.S. Southeast.
“It’s sad that they had to pay the ransom,” he said. “But they weighed the costs. And they reported the breach. They didn’t try to hide it.”
The threat environment is changing quickly, and businesses need to change just as fast to keep up, Tatsch said.
“We’re moving at 90 miles per hour towards GDPR [Europe’s General Data Protection Regulation] in this country,” he said. “We might as well fess up to this. Cybersecurity issues won’t go away because we don’t want to talk about them. We all have to talk about breaches as they come up.”
Anoush D’Orville, CEO of Advisory, a New York-based MSP, told CRN that security breaches are governed by contract, and it’s always in the best interest of all parties to remediate things as soon as possible.
“It’s like someone not paying taxes who then gets audited,” he said. “If I were those companies, I’d be worried. Breaches are often reported only long after they come to light. I would imagine it’s very unpleasant to bring to light. But does the federal government have the power to make the breaches known?”