
SolarWinds CISO: cyber laws need to be clearer globally


The 2020 supply chain attack on SolarWinds is one of the most notorious cyber incidents of all time. Tim Brown, CISO at the company, was indicted for allegedly concealing security problems at SolarWinds. Having come through that legal jeopardy, he argues that cyber laws worldwide need to be clearer.

He said this in an interview with the Financial Times. According to Brown, the fact that cyber legislation is still “in flux” across the globe is a source of stress for security leaders. “Very few security people would ever do something that wasn’t right, but you just have to tell us what’s right in order to do it,” he said.

Last October, the SEC sued SolarWinds and named Tim Brown as principally responsible for allegedly withholding information. A federal court dismissed the U.S. regulator's complaint against Brown personally; the SEC had alleged that he hid from shareholders the security dangers his company faced. However, the court did flag one statement by SolarWinds as fraudulent. SolarWinds says it will challenge that finding.

Spotlight on CISO role

Although Brown has had to deal with a year of legal turmoil, he sees a positive side to it. He points to the maturity of legislation around other topics, whereas cyber perils have only been around for two to three decades. “We’re just kind of catching up on the maturity of that model,” Brown says. The lawsuit, he says, has put the spotlight on the role of the CISO, prompting boards to have vital conversations about cybersecurity.

Should the CISO be held ultimately responsible? Brown argues not, and the court's decision supports that view. Because internal communications at SolarWinds came under a magnifying glass, lawyers feared negative consequences within other organizations: what if CISOs no longer feel they can raise issues internally? After all, problematic IT issues should be discussable so they can be resolved as quickly as possible, rather than every piece of dirty laundry having to be shared with regulators and shareholders.

The latter seems to be the main takeaway from the SEC lawsuit against SolarWinds. Brown sees an opportunity for legislation to make the rules clearer from now on. Such laws are gradually being realized, though usually after plenty of delays. Within Europe, the benchmark is the EU Cyber Resilience Act, which holds software makers in particular responsible, as organizations, for the security of their products. For example, they must verify that the open-source components they ship are secure.

Improvement is certainly already happening. For example, Techzine recently spoke with Mirko Boehm of The Linux Foundation, who argues that the clear (yet annoying) rules of the Cyber Resilience Act are better than uncertainty about responsibility.
