Is Cybersecurity Ready for the SolarWinds Prosecution?
In this episode of ConversingLabs, Tarah Wheeler, CEO of Red Queen Dynamics, discusses the SEC’s prosecution of SolarWinds, and what new disclosure rules mean for the cybersecurity industry at large.
[ See related Webinar: The Cyber CFO | CISO Accountability in the New Era of SSCS ]
EPISODE TRANSCRIPT
Paul Roberts: Welcome to the ConversingLabs podcast. I'm really thrilled to be here with Tarah Wheeler. Tarah is an information security executive social scientist in the area of international conflict.
She's an author, a poker player, and the CEO of cybersecurity compliance company Red Queen Dynamics. Tarah also serves as a Senior Fellow for Global Cyber Policy at the Council on Foreign Relations, and was elected to membership in 2023. She works with the Electronic Frontier Foundation (EFF) as an advisory board member, and she was an inaugural contributing cybersecurity expert for The Washington Post, and a Foreign Policy contributor on cyber warfare.
Tarah, welcome. We are thrilled to have you on ConversingLabs. One of the reasons that we reached out to you is you wrote a really good piece for the Council on Foreign Relations on the SEC case against SolarWinds and their CSO, CISO, both named in that suit. And the piece was, are we ready for the SolarWinds prosecution, basically? And that's just such a relevant topic. So I wanted to have you on the show and talk about it in more detail. Before we do that, though, for folks who don't know, tell us a little bit about Red Queen Dynamics, the company that you founded and run.
Tarah Wheeler: Absolutely. We are a SaaS compliance tool for small businesses to report up to their MSPs, their vCISOs, their IT service providers, what's going on inside them with cybersecurity, with compliance, cyber insurance, vendor assessment, your NIST, CIS, CMMC, all those great acronyms and everything like that.
We make it a lot like QuickBooks for cyber compliance. So you go talk to your accountant for help with your taxes, but you need that software to help you record what's going on. We make it simple and easy for somebody to use inside that small business without making it crazy technical.
And it's meaningful to me to do that because, in the words of Wendy Nather, we have just continued to propagate that security poverty line again and again, where small businesses don't have the same kinds of access to the compliance tools they need, even though they have the exact same requirements now as a large business would, especially if they're a non-banking financial institution.
I'm going to say a whole bunch of long words, Paul, probably throughout this podcast, but the real issue here is that I get up in the morning, I get pissed off and then I make more software. That's all the problem. Yeah.
Paul Roberts: That is good.
Tarah Wheeler: And it's a joy and a pleasure.
Paul Roberts: Yeah. Anger and passion are just as great a motivator as dreams of a utopian future. So absolutely lean into that.
Tarah Wheeler: Anger is the other side of love, right? Like, I wouldn't care this much and get this mad if I didn't love helping people out with this problem so much. So yeah, exactly.
Paul Roberts: Amen. One of the things that you alluded to, and one of your areas of passion and interest, is the security challenges facing small- and mid-size businesses, SMBs.
I've heard you speak at conferences about this. Talk a little bit about the situation that SMBs find themselves in with regard to cyber risk and cybersecurity, and how you try and help them, and maybe how we as an industry could do more to help them.
Tarah Wheeler: I spend a little tiny bit of my time in that slice over in international policymaking when it comes to cybersecurity, and sometimes policymakers, they paint with a broad brush. They slap a regulation over it and hope it works, like that guy having to slap that tape over the leak in a tank, right? That famous meme at this point. And the problem is that when you declare that a regulation applies to everybody inside the United States without regard to firm size, what you're doing is ensuring that the same regulation applies to Google and Microsoft as it does to the guy that runs the used car lot in Washington. So that's the real problem that we've got here: on a national basis, regulations that are difficult for small businesses to even understand, much less comply with, are being applied to them.
And we're seeing the impacts right now of the potential of that kind of very broad policy brush with policymakers right now who are considering a national TikTok ban, right? I think it passed the House. It might even pass the Senate. And I remember for CFR, I'd also written an article about how Montana by itself couldn't ban TikTok.
The Montana legislature passed a measure to ban TikTok. And I was like that's not how the internet works. No. Montana is not a concept on the internet, your IP address is, right? Yes. So this is where the challenge really lies, is this broad strokes painting with regulations and small businesses end up suffering.
What's a guy with four employees going to do? Hire a GRC team? And engage one of us extremely expensive security consultants for what, 700 an hour? What's with the actions here?
Paul Roberts: Yeah, it's interesting. As we're talking, I know that the Senate passed the Ukraine funding bill, and I know the House version of that bill did include the TikTok ban; that was one of the concessions that was made.
It's really interesting because as we're talking, I was like, actually, that TikTok ban may have actually just passed through Congress and be on its way to President Biden, but I don't know. But yes, there's definitely a school of thought these days, which is, we need more regulation, we need more controls over software security and data privacy and data security.
Tarah Wheeler: Ah, let me stop you really quick. Biden signed it into law six minutes ago.
Paul Roberts: Okay. So that TikTok ban is now the law of the land.
Tarah Wheeler: I know. We're here. This is happening. This is, and there's elements of national security involved. I just wanted to stop you to say look, this is happening all the time as we are all trying to deal with everything. I'm still trying to deal with like the tax bill for Q2 and like looking at that right now, and this is coming at me, right?
Every small business owner has the same exact emotion, like more?
Paul Roberts: Right, even though there's a strong argument to be made that there needs to be more regulation around cybersecurity, but often, as you said, the impact of that on small-, mid-size businesses that aren't in the business of cybersecurity is overlooked.
And I think that was behind the piece that you wrote around the SEC's case against SolarWinds, not that SolarWinds is an SMB, but that case was really about these new rules around materiality and cyber incidents that companies that are publicly traded and governed by the SEC need to consider materiality with cyber breaches and basically that they can't look the other way anymore. But your piece really said, are we really ready for the implications of this if this is to become the new standard? Talk a little bit about that.
Tarah Wheeler: I'm more than happy to. Oh, by the way folks, I'm not a journalist, I'm a tech policy person, and a person who does this kind of work on an everyday basis and my day job is nitty gritty of cybersecurity, but I'm here to tell you that I made a mistake in that article.
I said that the CEO and CISO of SolarWinds were getting prosecuted. And also, what happened? How does the CISO get prosecuted for SolarWinds and nobody in their chain gets prosecuted at the same time? Was this person operating as a rogue agent? I don't think so. And so one of the things I said in the article was, I thought it had been the CISO and the CEO.
I made a mistake in the article. And, like minutes after it goes live, I got an angry email from the PR firm hired by SolarWinds to correct it, that the CEO wasn't who was under prosecution, it was the entire company. And I was like, bro, this is not better. I'll fix it, but this is not better, you know that, right? So, that's really the challenge: I looked at it and I was like, we're not even ready for handling how we message around this kind of thing, and that's because, does it make any sense to claim that somebody who is, you know, being paid by a leadership structure, limited by that leadership structure, told what they can and can't do by that leadership structure, informed about what acceptable risk is by the board, that person in the middle at L2 of a large company is the only one getting prosecuted by name in a situation like that?
There's a lot of arguments to say that there may be people who are acting in a way that may be problematic. But how on Earth, to this day, was Joe Sullivan prosecuted and Travis Kalanick wasn't at Uber? How, to this day, do we see that? We're not ready for the implications of this because people don't understand enough about the CISO role and about cybersecurity in an organization to say that we can prosecute that person by themselves.
There's a lot more I want to say, but let me just pause here and say, are you still surprised about Joe getting prosecuted and not Travis?
Paul Roberts: From what I understand about the way that decisions get made within enterprises or, software producers or software consumers around cybersecurity, of course. Yeah, because you know that there is no buck-stops-here when it comes to decisions around cyber risk, right?
There are chains of command, and often it is the most senior levels of the organization, whether that's a CEO or the board of directors, who are making decisions about how much to invest in defense, how much to invest in remediation, what to do. So yes, absolutely. And in fact, if I recall, the CISO at SolarWinds, who was named by the SEC, was actually not the acting CISO at the time of the SolarWinds breach.
That role had changed, and so it was just the acting CISO at the time that the SEC decided to bring charges. Which is even more problematic. It's, it wasn't me, it was this other person. Whole bunch of problems with that, yeah.
Tarah Wheeler: And not only is that the case, but let's dig a little bit further into this concept of materiality. Because the idea is that the people at SolarWinds getting prosecuted made statements that were materially incorrect. Until now, we haven't had to cope with the concept of materiality in cybersecurity the way we do in finance, because hiding relevant information about the finances of a company is considered to be a crime, right?
That's what this is becoming. And this is what led to, for instance, in 2002, the Sarbanes-Oxley Act, which started to really codify the idea that there needed to be compliance in finance that explained what are material statements.
If you say that your profits are going to go up in Q2, but you know that they're going to go down, then you've made a materially false statement, and that's the kind of thing you get in really big trouble for in finance. In cybersecurity, one of the problems is we didn't really have the tooling in finance to explain what that was and what it would mean.
We're pretty sure we know what's going to happen, but there was no real tooling to explain it. In cybersecurity, we have almost the exact opposite problem. There is so much telemetry, so much information about what's going on inside a company, that the problem is the interpretation of the massive quantities of data, and then at that leadership level, explaining it up to the board and going, this is what risk is, this is where, this is. The typical risk equation in an executive situation, which I've been in a lot, which is: What's the probability of the impact time or what's the probability something's going to happen times the impact if it does? That equals your risk for the year, and you spend money based on your risk calculation.
The problem here is it's very likely that the CISO made every material statement relevant, and it was either deliberately misunderstood or the person in charge of making cybersecurity statements, the CISO, was not able to get that information across... was not good enough at analogies or whatever was needed to get that information across that eventually they ended up getting in legal trouble for their leadership not understanding them.
Raise your hands if you've ever been in legal trouble from your leadership not understanding what you said about cybersecurity. I have been, right. Yeah, it's awful, right? Yeah, so this is hard. It's an incredibly difficult thing to deal with.
Paul Roberts: Glassy eyes at the board meeting, I don't even know what you're talking about, right?
Tarah Wheeler: And you're sitting there and every cybersecurity professional has this feeling and you're getting more and more frustrated as you're like, look I am telling you right now and then you open your mouth and you say what the problem is. We've got four-year-old firewalls and this increases our chance of etc.
And you're looking at these people and it's like you're telling them that they should probably replace the motor pool of Fords. They're like, how bad could it be to wait another year or two? And you're like existential, and they're like we don't believe you — you look like a nerd, get out. That's what we're not ready for.
Paul Roberts: A few of the criticisms around the SEC's new policy regarding materiality. One is just the time to disclose. I think organizations have four days to disclose. The pushback from that, and I think there were a lot of comments on the proposed rule before it was finalized, is that companies are going to be better safe than sorry. They're going to disclose things that aren't really material just out of fear of being wrong, and there's going to be a lot of noise.
What are your thoughts on that? Again, that four-day window and what burden that is going to place. Again, we're talking about publicly traded companies here, so these do tend to be larger organizations, but still, what burden does that place on them?
Tarah Wheeler: United Healthcare engaged in bullshit compliance. Because they are in compliance with the rule that the SEC set. They disclosed that they had an event. They did so according to the letter of the law. They did everything they were supposed to do.
They didn't disclose because it wasn't relevant. It wasn't a relevant cybersecurity disclosure that they paid the ransom. They didn't disclose that it didn't fix the problem because this is, none of this is covered under the SEC. So what you're getting right there with, we know we've had a breach just letting everybody know this is what's going on.
And we still have not gotten an indication of the measure of the breach beyond, probably pretty much everybody might've lost some data in our system, so sorry. And that is in compliance with the SEC regulation. Paul, like with the Equifax breach, very probably you and I both have data in that breach.
And we don't know it yet, and they're still in compliance. Yeah, I think my healthcare last year was like United Healthcare or something like that. Me and half the other, the rest of the country, right? The challenge we're having here is that complying with that law is not the same thing as doing the right thing. And even more of a problem is that this law itself may have created some perverse incentives for companies to disclose before they know what's going on, but to do the absolute minimum quantity of disclosure at the same time in order to remain in compliance with the law. That almost frees them from having to make a meaningful disclosure, because they already did what they were legally supposed to do. So why would they disclose more?
Paul Roberts: What's the fix for that? If you were given the authority to rewrite these rules, make it work for companies, how would you do that?
Tarah Wheeler: Meaningful U.S. consumer privacy legislation, which is not what is happening right now in the legislation. It's just a meaningless TikTok ban that's not solving the problem. The problem we are having here is that there is no law protecting consumers and their data privacy, and as a result, there is no way for me to sue the shit out of a company that damages my privacy, which is what is happening right now. There's no private right of action, which also means there's no class action in a situation like this, unless it is brought by a government agency. Sure, United Healthcare is going to get sued by the FTC, and then they're going to face what, a couple hundred million dollar fine? Which means that the loss of my private personal health care is worth what?
A buck-75?
Paul Roberts: Yeah. No. And we've seen that with so many breaches. Equifax, you've mentioned Equifax. So many where you look back on, OK, what was the cost of this to the organization and what happened to their stock price?
And you're like, ah, they just shrugged it off. And clearly, you would hope that they learn internally in terms of reforming internal practices and stuff. But actually, it's totally up to them. It's not like anybody's going in and saying, after this incident we want to make sure that you fixed what caused it. Yeah, maybe not.
Tarah Wheeler: Absolutely, I completely agree.
Paul Roberts: In your piece, you liken the new SEC guidelines to Sarbanes-Oxley: early 2000s, really important financial reforms post dot-com bust and so on. One thing I've always thought about is that one of the really hard things with cybersecurity is that there just wasn't reliable data in the way that there is on things like traffic accidents or medical mishaps or something like that. There wasn't really reliable data on cybersecurity incidents because companies were under no obligation to report them, really.
And that's changing a little bit now. Do we benefit? Just the fact that companies are now on notice, if something's happened, better safe than sorry, you got to disclose it.
Tarah Wheeler: No. No. No, and let me explain why. I love the question, but it starts with the premise that the data's not available. And the problem is that inside companies the data is absolutely available, it goes back to what we were saying. There's a ton of telemetry, data lakes, threat intelligence feeds, information coming up to leadership from the security function inside companies. The problem is not lack of data, the problem is lack of a human interpretive function that translates it into financial risk. That's what's happening inside companies. Now as a whole, the concept of what's happening with individual companies and then building that into a data set of incidents internationally or at least nationally. So we've got a government function that is supposed to begin to address this, which is the Cyber Safety Review Board. And I'm writing a piece about that right now.
Paul Roberts: You just testified on this actually Tarah.
Tarah Wheeler: I did. Yeah, I did. That was in front of the Department of Homeland Security Committee in January. And the thing that I conveyed then that I'm still going to convey even after the recent Microsoft report is first of all, the recent Microsoft report by the CSRB was light years better than the previous three that had happened, which could very much be boiled down to don't use SMS based two-factor authentication and patch your shit, right? I didn't say it exactly like that in front of the Senate, but I said pretty close to that in front of the Senate. Which you could boil those things down, which, that's great that's what happened, but it's not meaningful information. We already all knew that, right? What happened in the Microsoft report is we actually got the CSRB to make a recommendation that involves the rotation of certificates on a much more rapid basis and to examine the security flaws at every level of leadership that led up to the flaw not being discovered.
That's really important, they're doing better, and I want to throw that out there. There's still a flaw, which is that the recommendation was made just to Microsoft without a baseline understanding of how often everybody should rotate certificates and keys. And that's where the real problem lies: we don't have underlying standards that are based on data that are founded in a clear understanding of real world incidents. What I want to see is companies that rotate their keys at least once a month — Let's Encrypt across the board and have that process automated — experience 97% fewer breaches related to an encryption or key processing or unauthorized breaches using old keys. That is the kind of numbers I want and that you want, and that we should be demanding from the CSRB.
Paul Roberts: Right. In other words, the CSRB might do well to function much more like the FTC. And actually that was what you were testifying in Congress: do we need to give this organization more of a stick and less of a carrot to actually compel organizations to do what we say? And the FTC just came out, I think yesterday, and said basically you can't use non-compete agreements anymore, right? Just to the whole economy, just stop it, you're not allowed to do that anymore. Imagine if you could do that for something cyber-related. You're doing this, stop it. That's not allowed anymore.
Tarah Wheeler: That law's gonna get challenged.
Paul Roberts: Yeah.
Tarah Wheeler: That law's gonna get challenged, but it's probably gonna succeed. It's just that it's going to get challenged because there's a lot of companies that have individual civil contractual agreements with employees, and this law invalidates a chunk of those agreements. And so I think it's going to get challenged and we're going to see what will happen with it. But I didn't argue that the FTC should have control; what I said was this board needs to have subpoena power. The people who are on it need to be full time on it and they need to not have conflict. Right now the 15 people that are on the CSRB all have full time outside jobs running government agencies or companies, and they do this as a part-time volunteer thing, which is admirable, but it also means a whole lot of conflict of interest. So, there's a recusal process that is getting better on this board. And look, we've got to start the process of institution building somewhere. And so I'm going to remain as the loyal opposition on this one and continue to critique until we see the improvements that need to get made to provide the data we need.
Paul Roberts: And that subpoena power is the stick I was talking about of saying, we're going to have you come in and talk to us about, this incident or what happened. Just like other powerful committees can do.
Tarah Wheeler: Congress invited an executive from United Health and Change Health to come and speak to a committee, and that company declined the invitation.
Paul Roberts: Sorry.
Tarah Wheeler: And that's because these committees, they don't have the relevant power or they didn't have a subpoena issued. I think they could, but what we see in this moment is inviting somebody to come to Congress and talk about their cybersecurity flaws doesn't work. You have to subpoena them to make them show up and answer questions.
Paul Roberts: We've been doing it for 30 years, right? Yeah, it hasn't really made that much of a difference.
Tarah Wheeler: Exactly.
Paul Roberts: One of the things that's key in the new SEC laws is this concept of materiality. And I wonder if you could, for the folks who are listening, give us your take on how they should understand, because it seems like it's a shift in concept in some ways.
Tarah Wheeler: I think materiality is super interesting. When SOX came into play, what happened was it created an entire sub-industry in finance for compliance, right? And dear every friend of mine in cybersecurity, the materiality element that needs to be included in your 8-Ks for publicly traded companies involving cybersecurity statements now, you thought we had a lot of compliance before? Watch out, here comes a whole nother industry. It's going to be related to this. And the idea of materiality is that if you make a statement, there are more penalties for making knowingly false statements than for not disclosing stuff that could be material. But what's happening is now cybersecurity needs to begin to include things they previously would have excluded in terms of the potential for a material harm to a company. And this elevates that role, because previous to Sarbanes-Oxley, compliance and finance didn't have quite as high a position in the corporate structure as it does now. So you would more get like the head accountant, as opposed to the elevation of the CFO and compliance rules inside organizations. Outside of the finance world, like there would be a CFO that was required in companies in a way that was more prevalent after Sarbanes-Oxley. So I think you're going to see the elevation of the cybersecurity role more and more into the leadership suite as opposed to one or two levels below it. And I've got bad news for my fellow engineers: that role is going to be less and less about somebody who came up through the trenches, SOC analyst, red team, whatever. It's going to be less and less about that. It's going to be people who've been running GRC teams.
Paul Roberts: Interesting approach to the cyber risk problem, right?
Tarah Wheeler: No, a more narrow one. That's the problem, because now what's going to matter is the perspective around risk and compliance. That's going to elevate that function, and it's going to be more around the potential costs and risks in cybersecurity, while probably not elevating as much those of us who are technical engineers who are explaining the guts and pieces of a problem. It's going to be about people who can explain what the risk factors are to a board. It's going to make that problem even worse.
Paul Roberts: And the financial downside of that risk.
Tarah Wheeler: Yeah. So learn to translate financial downside for the things that you're describing for CVEs. Put a dollar sign on a CVE.
Paul Roberts: Podcasts coming soon on that. Do you have time for one more question, Tarah?
Tarah Wheeler: Absolutely, go to town.
Paul Roberts: It's a kind of natural last question. Certainly this is a topic of intense interest to CISOs right now, folks who are in a lead cybersecurity role. What would your advice to those CISOs be about what they should understand about these new SEC guidelines and what they should be doing differently?
Tarah Wheeler: Never take a role again in a publicly traded company unless you are included in the officers' and directors' insurance. Don't ever do it again. Your legal bills and your personal liability should be being covered by the company from this point on. Don't ever take another role in a publicly traded company unless you are covered by the company's insurance that handles liability for you personally and your legal fees. It's the start to a bunch of solutions.
Paul Roberts: Were CISOs not included in that?
Tarah Wheeler: No, almost none of them are included in that. And the reason why is it wasn't as important, they weren't at that level.
Paul Roberts: Yeah, sub C-suite. Really interesting.
Tarah Wheeler: Yeah, this is the difference between being called something that's a "cute" chief title, Chief Digital Awesomeness. There's people who are called chief something inside an organization, and it's almost like the honorarium of calling somebody who's a lieutenant a captain if they're running a ship in the Navy. But the truth is that the people who are covered under that officers' insurance in a publicly traded company, they're the ones who matter to that company. They're the ones who are at that leadership level. Get covered under it; don't take a role without that again.
Paul Roberts: And from a process standpoint or staffing standpoint, any suggestions?
Tarah Wheeler: Staffing standpoint, that is a hard one. It's going to elevate the requirement for certificates and for certifications in security. People are going to be more and more willing to hire, like, a bunch of people with cyber certs mounted on the wall behind me. People are going to be more willing to hire; it's going to elevate the role of certifications and credentialing.
Paul Roberts: Tarah, is there anything I didn't ask you that you wanted to say before we break?
Tarah Wheeler: I think you did a really good job, Paul. You gave me a chance to go off on my angry soapbox. I feel like the one thing that I do want to really elevate for your audience is the fact that Congress is paying attention to this means that there's hope, it means that they're starting to understand that there's an issue here. And sometimes a bad start is better than no start at all. Let's get the work of institution building going. It's why I still can criticize the CSRB, but I'm deeply grateful that they exist and that they're starting the process and they're iterating for better. Every single time they do one of these reports, they get better and better, and we all just want to see this get better. And I love being in an industry with people at every level. We don't care if you're running a GRC team for a giant company, or you're just the person resetting passwords inside a little business. We can make this better and it's okay to start bad and iterate over time. That's the only way this is going to work, and we all learn together.
Paul Roberts: Tarah Wheeler, Red Queen Dynamics, thank you so much for coming on ConversingLabs podcast. We loved having you. If you're not following Tarah online, you should be, and we'll link to your social media incarnations. Thanks so much for coming on, we'll have you on again.