In SolarWinds Case, US Judge Rejects SEC Oversight of Cybersecurity Controls

SolarWinds still faces some legal action over its infamous 2020 breach, reports NextGov.com. But a U.S. federal judge has dismissed most of the claims from America's Securities and Exchange Commission, which "alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020."

Slashdot reader krakman shares this report from the Washington Post: "The SEC's rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications," [judge] Engelmayer wrote in a 107-page decision. "It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers," he wrote. The federal judge also dismissed SEC claims that SolarWinds' disclosures after it learned its customers had been affected improperly covered up the gravity of the breach...

In an era when deeply damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives and even former government officials, as expressed in friend-of-the-court briefs asking that it be thrown out. They argued that adding liability for misstatements would discourage hacking victims from sharing what they know with customers, investors and safety authorities. Austin-based SolarWinds said it was pleased that the judge "largely granted our motion to dismiss the SEC's claims," adding in a statement that it was "grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns."
The article notes that as far back as 2018, "an engineer warned in an internal presentation that a hacker could use the company's virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information along to top executives, the judge wrote, and hackers later used that exact technique." Engelmayer did not dismiss the case entirely, allowing the SEC to try to show that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning in a public "security statement" before the hack that it knew it was highly vulnerable to attacks.

The SEC "plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls," Engelmayer wrote. "Given the centrality of cybersecurity to SolarWinds' business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material."

Sweeping ramifications?

[herberttlbd]

Sounds likes Judge Engelmayer isn't familiar with things like HIPAA and certifications like HITRUST and SOC-2 because most of those listed ramifications are covered by them, SolarWinds had those certifications and would have already been required to follow them.

Re: Sweeping ramifications?

[guruevi]

And this is exactly the problem, with various legal and regulatory frameworks that reduce liability because âoewe did what the government told us to doâ

SolarWinds Orion == CrowdStrike Falcon :== Crapwar

[JakFrost]

In the organization that I still currently work at, we use both sets of products and they are a complete and utter disaster when it comes to patches, updates, and security vulnerabilities. We have constant problems with these two products. You might as well throw in Carbon Black antivirus in there as the shitty trio of products.

I do development and integration work for thise platforms and it is a complete shit show. You should see the crap with self-signed certificates even to this date being pushed on every patch update for the SolarWinds Orion platform that overrides the default https kernel based service offload bound certificates under Microsoft Windows.

In addition, high availability and redundancy features hardly ever work and whenever you try to do an update using the vendors provided update tools, it has a tendency of screwing up halfway through and then you have to manually update the polling engines to get everything updated the same. Can't trust the vendors tools.

Also, the solar winds middleware is completely crab because it keeps locking up the database with all these database locks and when they fix one set of problems they create another set of problems. Like multiple edits on nodes fails most of the time they fix the problem and then it shows up 6 months later after they change something else in their middleware. Their database is at least nicely organized, but there's a bunch of non-normalized fields in there, especially when it comes to the alert table and that f**** everybody up after a node is renamed.

CrowdStrike Falcon Sensor Crap

The CrowdStrike Falcon Sensor CSagent.sys that loads itself into kernel mode is a piece of crap along with all the other hundreds of system service files in the same folder that get loaded up and they are tiny. None of them are digitally signed and none of them have a file info footer on them so you have no clue what the hell they are. They look like virus droppers and act the same way because they all look very inappropriate.

Yeah, the Securities and Exchange Commission should go after both of these companies and their executives along with everybody down the line. Even to the low-level developers should be dragged in front of Congress, and made to answer some really tough questions. Under the penalty of perjury.

Somebody technical should be sitting there on the goddamn bench as an advisor or an expert witness and call these guys out because it'll be full of perjuries so they could get sanctioned and put in jail for the craft they're about answer for.

Rebuilding Servers

We had to rebuild our entire solar winds Orion environment including all the web servers and the polling engines of which we have dozens after they got hacked because we could not trust any of the software that we had. And that took a long time because we couldn't get a clean version from the vendor that we could trust .

This is our Chief monitoring solution for our multi-operating system and multi-Device and network device monitoring and we were out of commission for quite a while to get everything rebuilt.

Fixing Servers After CSagent.sys But checks

And I just spent 12 hours straight at my keyboard working. Getting all of the Windows servers in our environment fixed and online after the crowdstrike Falcon sensor channel system update screwed us and cost the water service to start going down right around midnight. And we were up till about noon the next day and after that we had to take an account of how wide the outage was to our organization which is a major player here in the region that I live.

VMware Lucky

As much as I hate broadcom and what's happened to VMware getting separated from Dell which has also started to suck with all their layoffs and brain drain they had in the last half a decade .

We were very lucky that our environment was running on a VMware vsphere environment and I was able to write a complicated script in Powershell using the VMware PowerCLI and Microsoft's st

Re: SolarWinds Orion == CrowdStrike Falcon :== Cra

[guruevi]

We recovered all Windows Servers by simply rolling back to a prior snapshot. You basically have to apply the same process as a ransomware.

Expect more of this

[gtall]

This judgement is the result of the Supreme Court declaring judges are better able to interpret rules than the Fed. Agencies. And the judges are not going to give up this power willingly, no matter how badly they screw up.

Re:

[Ol Olsoc]

This judgement is the result of the Supreme Court declaring judges are better able to interpret rules than the Fed. Agencies. And the judges are not going to give up this power willingly, no matter how badly they screw up.

Which is why citizens should band together and pool their money and purchase a few supreme justices of their own. Can't play the game unless you have a few in your pocket.

Re:

[fahrbot-bot]

This judgement is the result of the Supreme Court declaring judges are better able to interpret rules than the Fed. Agencies. And the judges are not going to give up this power willingly, no matter how badly they screw up.

Which is why citizens should band together and pool their money and purchase a few supreme justices of their own. Can't play the game unless you have a few in your pocket.

It's going to take a LOT of coin and probably only from the "right" people (wink, wink). I mean John Oliver already offered Justice Clarence Thomas $1M/year and a new $2.4M RV to resign, and he declined. Maybe taking conservative money and pushing conservative politics is just sweeter to Thomas.

John Oliver offers to pay Clarence Thomas $1m a year if he resigns from supreme court [theguardian.com]
John Oliver to Clarence Thomas: Drive Away from SCOTUS in a New, $2.4 Million Motorcoach! [rollingstone.com]

Re:

[ArchieBunker]

Biden just has to send a predator drone to take out a few uncooperative justices. The only consequences being an impeachment vote. Oh but these are not official actions you say? Well the judge who Biden appointed has just ruled the act official.

See the problem now?

Re:

[JBMcB]

This judgement is the result of the Supreme Court declaring judges are better able to interpret rules than the Fed. Agencies. And the judges are not going to give up this power willingly, no matter how badly they screw up.

The corollary to this is that the federal agencies can get the power to regulate stuff if congress explicitly gives it to them. You know, the way it's supposed to work.

A recent supreme Court ruling

[rsilvergun]

Basically just legalized pump and dumb schemes. A YouTuber named Patrick Boyle has a good video on it. The supreme Court has effectively ruled that unless you can directly tie your financial loss to the person defrauding you as in they sold you the worthless stock then it's not a pump and dumb scheme and it's perfectly legal.

The case will be appealed but God only knows what this insane supreme Court is going to do to it.

Now I know a bunch of the right wingers around here are thinking why should I care because I'm a smart investor and I won't fall for pump and dump. But ignoring the fact that age-related cognitive decline can strike any of us these kind of schemes being legalized means less intelligent investors are going to lose huge amounts of money which will negatively impact the economy. Your economy.

Like it or not it is absolutely crucial that we reign in this absolutely bat shit insane court and that means this November Donald Trump cannot be allowed to put more people on it. I don't know what anyone here on this forum thinks they get in exchange for voting for Trump but whatever it is it's not going to be worth the economic collapse that's coming. To say nothing of the $300 to $500 a month he's going to raise your taxes.

Elections have consequences and insane courts continuously allowing large companies and wealthy individuals to defraud people is one of them. And even if you're smart enough to avoid getting defrauded you still have to live in the same country as all those people who are getting ripped off and they're going to cause problems for you

Re:

[Anonymous Coward]

This will work... to a point. Before 1929, the stock market was unregulated. Want to go pump up Fooco and say how great it is, while finding that they might be merging with Barcorp, because insider trading is perfectly okay? Go right ahead in those days. However, the near-collapse of the stock market and banking system showed that regulations are necessary, because if things get too crazy, people will use their mattress for their checking account, or maybe even consider using a cryptocurrency because th

Just another casualty of

[hdyoung]

Loper-bright. The executive branch no longer has any authority to interpret laws or operate in the gray areas. If a power hasn’t explicitly been handed to the executive branch by congress, they now have zero authority. That power has been handed to the legislative and judicial branches of government. But the legislative branch won’t pass a law unless something big is literally about to explode, and the courts move slightly slower than a glacier. And it’s gonna take a full decade or more f

Creeping hysteria in judicial rulings.

[Eunomion]

I may agree that SEC is a stretch for this application, but the reductio ad absurdum reasoning in the opinion is disturbing. Like if someone said, "First you let health inspectors regulate food, then they start telling food handlers how to wash their hands, and pretty soon they're inspecting the houses of the accountants hired by restaurant vendors." Like...what? Occam's Razor needs sharpening at some point in there.