Judge Clears SolarWinds, CISO of Most Charges in SEC Lawsuit Over Russian Cyberattack
The lawsuit accused the software company of covering up security weaknesses and defrauding investors.
SolarWinds on Thursday scored a major victory as a US District Court judge dismissed most of the charges in a Securities and Exchange Commission (SEC) lawsuit claiming the security software company hid weaknesses after a Russia-linked cyberattack hit the US government.
The cyberattack, dubbed “Sunburst,” targeted SolarWinds’ flagship software platform, Orion, over a span of nearly two years. The attack struck several US government networks, including the departments of Commerce, Energy, Homeland Security, State, and Treasury. The 2019 attacks were revealed in December 2020.
In his 107-page decision, Manhattan US District Judge Paul Engelmayer dismissed all claims against SolarWinds and its CISO Timothy Brown over his statements about the attack -- saying the charges were based on “hindsight and speculation.”
In an email to InformationWeek, a spokesperson for SolarWinds responded to the case development.
“We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC’s claims,” the spokesperson wrote. “We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate.”
Russia has denied responsibility for the attack. But the US government said Russia was likely behind the hacking group known as Nobelium. The SEC filed its case back in October.
The SEC’s 68-page complaint included specific alleged misstatements by Brown. The SEC alleged SolarWinds failed to disclose that the vulnerability was shared by other customers as well, including two unnamed cybersecurity firms and one unnamed federal agency.
The SEC has not yet responded to requests for comment.
What the Ruling Means for CISOs
After the October lawsuit, SolarWinds shot back, defending its CISO and saying the federal watchdog “lacks competence” and the lawsuit was “fundamentally flawed.”
Joe Sullivan, security consultant and former Uber CSO who was indicted after a 2016 breach and sentenced to three years of probation, said the ruling is a good sign for CISOs and other IT leaders who are feeling legal heat after cyberattacks.
“It is great to see those moments when a judge takes the time to understand the complexities of cybersecurity,” Sullivan tells InformationWeek in an email interview. “While I wish that all charges against Tim were dismissed, the security executive community will take some solace in the perspectives found in this judicial opinion.”
He adds, “The court recognized that it is really hard to articulate the impact of a security incident while it is unfolding, and with incomplete information, especially when an attack may have been done by a nation-state.”
Gadi Evron, CEO at Knostic, an AI security firm, and former CISO, tells InformationWeek that the ruling will have a far-reaching effect on the CISO community.
“CISOs worldwide have been holding their breath, seeing Tim Brown held accountable -- alone of all the executives -- with little to no evidence. It felt that we’re all under siege, even targeted, and I don’t know one CISO who didn’t consider moving on from the role,” Evron says. “With this ruling, we can breathe again, and explore the evolving role of the CISO and what accountability looks like, without a sword held to our necks. Justice is served, and now we as a community have work to do.”