Firstly, let’s be clear, I am not a Lawyer (IANAL), and I’m sure any of my readers who are could find many errors in my summing up of this case - but at my uneducated first glance, this is a REALLY interesting legal case and a potential warning to company executives and to the cyber security industry more broadly.
The case revolves around SolarWinds, a US company that provides IT infrastructure management technologies to a broad swathe of organisations, including a number of high profile companies, as well as 3 & 4-letter government agencies. In December 2020, the company disclosed a security breach affecting one of its core products; the compromised product was then used to breach organisations across its customer base, and the incident has unfortunately become the poster child for supply chain attacks.
https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/
When most cyber security breaches occur, it’s not uncommon to see official press statements reference the victim’s “serious stance” on cyber security and describe the attack as “sophisticated”, almost beyond any reasonable ability to have defended against it. This is something I’ve long learnt to be a generous telling of the truth at best, with probably the most poignant example from my back catalogue of incidents being the TalkTalk hack in 2015. In that case, the claim of “sophisticated methods” fell on deaf ears once it was suggested that the actual method of entry was an SQL injection attack - a technique first publicly discussed in 1998, nearly 20 years prior, and, as one colleague at the time often remarked, pretty much as old as the perpetrators conducting the attack!
Whilst I’m sure I’m not the first security professional to scoff at press statements in the aftermath of a cyber incident, there’s also seemingly been no recourse for such inaccurate statements. That is, until now.
Going back to the SolarWinds case, a plaintiff has filed a lawsuit in a US court that essentially claims the company (or more specifically the Directors of the company) made false claims about the company’s security posture prior to the incident, which in turn could be seen as inflating the company’s share price. At the core of the lawsuit is a claim that even basic “security hygiene” factors were not in place (whether or not this counts as negligence is maybe another story), and so any claims that the company takes “security seriously” were plainly false. Now to be clear, the lawsuit hasn’t been decided as yet; only a motion to dismiss has been denied - meaning there could well be a legal basis for the argument.
I’d argue that the implication here is the potential establishment of a legal precedent for what it means to take “security seriously” - essentially, what does it mean to be “secure”? Is it that you hold ISO27001 certification? That you meet a certain NIST CSF Maturity Level? That your CISO holds a CISSP? That you have deployed a magic security amulet? Or is it that by simply not meeting a MINIMUM basic standard, regardless of any higher tier of accreditation, you cannot state you take it seriously? If so, what is that minimum basic standard?
The formal legal outcome is yet to come, but with the case of the ex-Uber CISO being convicted for attempting to cover up a breach (see my earlier post here), as well as the various legal disputes between insurers and their customers over NotPetya, Cyber Security is now a topic for discussion with the grown-ups, no longer confined to armchair pundits.
I’ve previously spoken and written about Cyber Insurance, but one area that this touches on is just how an insurance provider determines what your premiums should be. For car insurance, an assessment can be made based on the age and experience of the driver, or how and where the car is stored (even down to your postcode!). But what do you use for cyber insurance? Some insurers use security score-carding that benchmarks your externally exposed attack surface (which arguably only implies your broader posture), and some look for the presence of specific technologies deemed to reduce the risk of compromise (e.g. Marsh’s Cyber Catalyst programme - DISCLAIMER: my employer, Darktrace, has multiple products on the list). In my mind, a US judge now has the potential ability to officially set the bar.
So a final question - what does “secure” mean for you?