In the aftermath of the Sunburst attack, SolarWinds says penalizing companies will stop them reporting attacks.

Christine Horton, Contributing Editor

December 19, 2022


SolarWinds says becoming the face of the Sunburst attack has led to more transparent communication with government agencies and enterprise customers.


SolarWinds’ Chip Daniels

“We’re willing to share lessons learned to make everybody better together,” said Chip Daniels, head of government affairs at SolarWinds.

“This is a threat that’s not one party against another party. This is a threat to our entire society. And to begin to counter this threat, it requires the cooperation of public and private. But it also requires the cooperation of private and private. So we’re having to collaborate with competitors in this space. Because, if you’ve to defend one, you’ve got to defend everybody.”

The Sunburst supply chain cyberattack made headlines around the world in 2020. Hackers inserted malicious code, Sunburst, into SolarWinds’ Orion software updates sent to nearly 18,000 customers. This led to security breaches at numerous U.S. government agencies. Those include the Treasury Department, the National Telecommunications and Information Administration (NTIA) and the Department of Homeland Security (DHS). The attacker also breached SolarWinds’ corporate clients.

Daniels said one of the biggest challenges to emerge from the attack was a lack of transparency into the federal government’s supply chain.

“There were many U.S. federal agencies, customers of ours, that had no idea how much SolarWinds they had deployed in their networks. And on the flip side, we didn’t know how many of our products were ultimately deployed, let’s say with the U.S. Army. Because it went through different channel members in between. So we really had to both sit back and say, ‘OK, how exposed are we?’ And that’s the major lesson learned for the entire industry. That’s the real vulnerability in the supply chain – when you don’t know the extent of the supply chain. So that’s the first major lesson; we need to understand what’s on our networks. From both sides.”

‘Forthright and Transparent’

Daniels spent 28 years in the U.S. Army before joining SolarWinds. He was working Congressional Affairs for the Army on Jan. 6, 2021. He decided that day to quit.

“It was not a good day. It was a very surreal day,” he said.

He contacted a friend, who was general counsel at SolarWinds at the time. Daniels admitted he hadn’t heard of the Sunburst attack, but was surprised the firm didn’t have a government affairs team to deal with the aftermath.

“So, I started offering him some advice as a friend — and next thing you know, here I am,” said Daniels.

“I wouldn’t have joined the company if we weren’t so forthright and transparent,” he said. “I did an interview with Sudhakar [Ramakrishna, SolarWinds CEO] very early on and I watched his Congressional testimony. He approached this crisis the exact same way that I would advise senior leaders in the army. Don’t be deceptive, don’t be dismissive, and don’t be defensive. Because you’re just going to invite criticism.”

Penalties Preventing Firms From Coming Forward?

Daniels said SolarWinds receives praise for how it continues to handle the situation, post-attack, on Capitol Hill.

“I meet with somebody for the first time, they’ll say, ‘I just want to tell you, you guys are the gold standard on how you should respond to a cyber incident,'” noted Daniels.

However, SolarWinds has called for better information sharing from the government and reduced penalties for companies that voluntarily report incidents.

“We’re seen as the gold standard [for] how transparent we are. We’re also still being sued by the Securities and Exchange Commission (SEC) in the United States,” said Daniels.

“Government is not monolithic. The U.S. federal government is so expansive that what happens in one agency has little effect on another one. So, Jenny Easterly, [director of the Cybersecurity and Infrastructure Security Agency (CISA)], or Chris Inglis, the national cyber director, talk about the need for public private partnership. But when the enforcement agencies are still leveraging penalties against you, are we creating the environment that would facilitate for future victims to come forward? Or are we creating an environment where they say, ‘I’m only going to tell the government what we’re legally required to tell them.’

“So companies like us are saying that there has to be an incentive to report,” said Daniels.

Where Does The Data Go?

Another question that Daniels raised is where the attack information goes once it’s reported.

“We would like to better understand when we report to CISA, where does that information go within the government? With whom is it shared? Because different agencies have different interests, and they’re not always aligned. An enforcement agency does not have the same incentive as a national defender, or the intel agency doesn’t have the same interest as a national defender. An intel agency might want to watch the threat actor in your environment for a period of time to see what they’re doing, to learn about techniques and practices. Our company wants to get them out of our environment immediately. So we want to know what information is going to what federal agency for what purpose.”

Moving forward, Daniels stressed that SolarWinds is meeting government guidelines.

“In 2023 we want to communicate clearly that we’re moving that direction. And we’re the safest thing out there for you to buy because we’re already in compliance.”
