4 ways to safeguard CISO communications from legal liabilities

In 2019, Russian threat actors began targeting Texas-based business software provider SolarWinds. What started as a dry run to inject malware into SolarWinds’ networks evolved into the boldest software supply chain hack ever, ultimately spreading malicious backdoors to SolarWinds’ blue-chip business customers and marking a miserable milestone in cybersecurity history.

The widespread damage caused by the incident caught the attention of US federal authorities, including the US Securities and Exchange Commission (SEC), which launched an investigation into the publicly traded company.

In October 2023, the SEC filed charges against SolarWinds and, in unprecedented action, its CISO, Timothy G. Brown, for misleading investors by not disclosing “known risks” and failing to accurately represent the company’s cybersecurity measures, among other communications-related offenses.

The charges against SolarWinds and Brown were complex, and the judge overseeing the case dismissed most of them last year. On the eve of the RSA conference this year, SolarWinds and Brown petitioned the court for a summary judgment to dismiss the remaining charges.

The SEC lawsuit, premised on statements made by SolarWinds and Brown, serves as an object lesson for CISOs that what they say or write in the course of their jobs could be fodder for litigation.

“The US Securities and Exchange Commission’s complaint against SolarWinds and one of its cyber professionals, Timothy G. Brown, is a high-profile example of the things we want to avoid,” Mike Serra, senior counsel at Cisco, said in kicking off a panel, “Guarding Your Words: Legal Risks for Cyber Professionals,” at this year’s RSA Conference in San Francisco.

While formal communications can expose CISOs to legal liability, informal and unofficial communications pose an even greater danger.

“So, you should be careful with what you post online,” Tim Brown told CSO. “You should be careful about any information you share about the company you’re working with or its posture. You should be careful with what things are said in public and not expand too much.”

Choose your words carefully

The charges against Brown shook up the CISO community and served as an extreme reminder that words matter. The legal ordeal Brown has gone through “is obviously awful and thankfully rare,” Matt Jones, partner at WilmerHale, said during the RSA panel. But it illustrates how “the legal exposure is rising from just how you talk about things.”

Jones emphasized how outsiders, including regulators, will judge the effectiveness of an organization’s cybersecurity program based on what CISOs say and how they say it. “It’s critical to focus on how you talk about those things because there are many laws and many people who can enforce those laws based on the delta between what you’re saying about your program and where it is.”

“Words matter incredibly in any legal proceeding,” Brown agreed. “The first thing that will happen will be discovery. And in discovery, they will collect all emails, all Teams, all Slacks, all communication mechanisms, and then run queries against that information.”

Speaking with professionalism is not only a good practice in building an effective cybersecurity program, but it can go a long way to warding off legal and regulatory repercussions, according to Scott Jones, senior counsel at Johnson & Johnson. “The seriousness and the impact of your words and all other aspects of how you conduct yourself as a security professional can have impacts not only on substantive cybersecurity, but also what harms might befall your company either through an enforcement action or litigation,” he said.

Jones also cautions against using unnecessary superlatives that can lock CISOs into positions they might not be able to defend during litigation. “It’s never ‘this is the worst’ or ‘what just happened was criminal.’ That’s not how you should describe anything in this area,” he said.

The reverse is also true: Touting how good you are can also cause trouble.

Brown said that something as simple as saying, “I have a very good program,” can be problematic. It’s better to say, “‘My program manages a thousand vulnerabilities every week,’ or whatever it is,” Brown said. “Use numbers, facts that are supported, and adjectives that are appropriate for description.”

One pitfall for any professional is humor, which, stripped of its context and environment, can take on new meanings and be used against CISOs in litigation. Even a dumpster-fire meme, for example, or typing LOL in a message can be presented as an admission of guilt or as evidence of a cavalier attitude toward security, exposing cyber teams to even more liability.

“When we say LOL, 90% of the time you were not actually laughing out loud, but we use these very informal ways of communicating with one another,” WilmerHale’s Jones said. “And that stuff shows up with regularity in cases when you have a significant cyber incident. LOL or dumpster fire is not the best way to talk about it internally because that’s what’s going to show up” in litigation.

Pay attention to the medium

CISOs also need to pay attention to what they say based on the medium in which they are communicating. Pay attention to “how we communicate, who we’re communicating with, what platforms we’re communicating on, and whether it’s oral or written,” Angela Mauceri, corporate director and assistant general counsel for cyber and privacy at Northrop Grumman, said at RSA. “There’s a lasting effect to written communications.”

She added, “To that point, you need to understand the data governance and, more importantly, the data retention policy of those electronic communication platforms, whether it exists for 60 days, 90 days, or six months.”

One way to sidestep communications land mines is to communicate as much as possible in person. “The other thing that I would recommend is establishing a culture of in-person or just face-to-face communications instead of in writing in chats, IM, or Teams,” Mauceri said. “That’s important because that can allow you to emphasize tone when communicating face-to-face with the team.”

Define your role and establish policies

CISOs should consider defining their roles and establishing policies to build guardrails that minimize the risk of potentially actionable communications. “It starts with a clearly defined job description,” Brown told CSO. “One that is discoverable, one that is known. It’s important to understand that people don’t know what a CISO does. And that includes legal folks.”

“That tone must be set right from the start: Here is what I do; here’s what I don’t do,” he said. “For example, legal disclosures. I may be a part of a team that discusses disclosures, but I’m not the one making a final decision.”

Brown reiterated, “It’s important to outline that you’re part of an approval team. You’re not the approver. You’re part of a team that is doing things. You’re part of a team that’s providing input to something. Ultimately, what gets posted on the website goes through marketing review, goes through legal review, comes through to the CISO potentially for some check, but we don’t decide what we’re going to publish or pop it on a site.”

Likewise, CISOs should consider writing policies, procedures, and processes for how their cyber teams should manage and communicate risks. “Establish in writing what is your expectation for teams to identify and do the internal reporting and escalating up the chain in terms of a risk escalation policy,” Northrop Grumman’s Mauceri said. “This is once you identify the risk, assess it, and identify it as a weakness or a vulnerability. The language that you use should be very, very specific.”

She added: “Always assume that this information is discoverable in litigation and audits. It is good to have something that you document when you identify risks and that you are resolving those critical system changes, critical decisions, and vulnerabilities very carefully. Be factual and neutral.”

Understand the law and seek counsel

Understanding some of the finer points of laws and regulations will also help keep CISO communications from veering into damaging directions.

“Don’t be sloppy and call a cyber event an incident if it hasn’t been declared an actual incident,” Mauceri said. “‘Cyber incident’ is a legal term depending on what type of company you are. There is a legal definition of cyber incident in the SEC rules, as well as if you are a defense contractor or dealing with government contracts under the federal or defense acquisition regulations.”

To that end, CISOs should establish good working relationships with their in-house or external legal counsel. “Listen to your counsel,” Brown said. “If you’re dealing with an entity such as the SEC, you already have counsel, either the company counsel or your own counsel. Listen to them. They’re always, or usually, very experienced. They’ve often been in those positions before. They will help and craft messages to be able to communicate appropriately.”

CISOs who lack counsel should contact experienced counsel or volunteer organizations that might help. “My legal team has probably had a call with 10 or so CISOs since [my litigation] began. Many will do it essentially just pro bono as an initial conversation,” Brown said.

Brown stressed that any CISO should have somebody to call for advice if they start feeling uncomfortable. “They should have a few folks they could call either through some of the organizations they’re on or through personal relationships.”

Although CISOs might now feel confused about the risks of exposing themselves to legal liabilities, the rules might become clearer over time.

“We’re young as an industry,” Brown said. “The first CISO was somewhere around 30 years ago. We’re going through a maturity curve. People need to realize that my case and other things around it are a maturity blip. We’ll get through it. We’ll become stronger because of it and continue forward. But have a little patience.”
