The Criminalization of Cybersecurity

On October 30, 2023, the U.S. Securities and Exchange Commission (SEC) formally charged SolarWinds and its CISO, Timothy G. Brown, with fraud and internal control failures. The SEC alleges that SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known cybersecurity risks and vulnerabilities.

The charges against Brown come almost exactly one year after former Uber CSO Joe Sullivan was found guilty of obstructing an FTC investigation into a data breach and nearly six months after Sullivan was sentenced to three years of probation. Brown is now the second security executive to be charged with a federal crime related to a data breach, following Sullivan’s 2020 indictment. Meanwhile, at least 10 CEOs or CFOs were indicted for accounting fraud or on other charges in the aftermath of the corporate scandals of the early 2000s.

Many in the cybersecurity industry (myself included) are now trying to understand the implications of these cases against security leaders, especially in the context of the latest SEC cybersecurity rules. I can’t help but wonder if the indictment of Brown, coming so quickly on the heels of Sullivan’s sentencing and the new SEC rules, signals a coming crackdown and potentially more indictments of CISOs. If so, the scrutiny seems at least somewhat misguided.

A major concern is that these legal actions will follow the law of unintended consequences and ultimately undermine the United States’ cybersecurity posture. I worry that the rising possibility of facing criminal charges for misrepresenting their organizations’ cybersecurity risks will prompt CISOs to prioritize minimizing their own legal risk ahead of practicing true cybersecurity and demonstrating the selfless cyber leadership that’s long been a hallmark of the CISO role.

The men and women who’ve stepped up to the CISO position in organizations across America play an essential role in national security, even within the private sector, and they’re keenly aware of this responsibility. After all, they witness and battle against U.S. adversaries targeting their organizations in cyberattacks nearly every day.

Many of these CISOs–including ExtraHop Chief Information Security and Risk Officer Mark Bowling–entered cybersecurity through the armed forces, so national security remains near and dear to their heart. And even those who haven’t served in the military are driven by an unwavering sense of mission and a strong code of integrity.

The world needs these CISOs now more than ever. We can’t afford to see them opt into early retirement or consulting roles to avoid personal liability and risk. The country, the economy, and the integrity of the U.S. capital markets will be worse off without them. We also can’t afford to see the CISO talent pipeline shrink because up-and-coming cybersecurity leaders are unwilling to take on the personal risk that increasingly seems required of the role.

That said, CISOs are not ones to shy from a challenge, and we didn’t see CEOs and CFOs leaving the private sector in droves following the enactment of Sarbanes-Oxley in 2001.

Where there is willful malfeasance, negligence, or intent to make misleading statements about an organization’s cybersecurity posture, executives should be held accountable. However, I’m concerned about the prospect of CISOs facing criminal charges related to data breaches when there was no such intent.

Indeed, many CISOs have pointed out that they raise organizational cyber risks and vulnerabilities to their executive teams and boards of directors and that they take every measure to mitigate those risks and address those vulnerabilities, but they can’t entirely eliminate risk for a wide variety of reasons, ranging from budget and staffing limitations to the fact that they’re often being targeted by highly sophisticated nation-state actors. This is what makes charging a CISO for a crime related to a data breach different from charging a CEO or CFO with accounting or securities fraud.

There is so much to unpack related to this case against Timothy Brown and so many questions on my mind. Are we going to see a flurry of CISO indictments from federal prosecutors related to recent data breaches? Should the CISOs of Clorox, MGM, Okta, and other companies that have experienced breaches over the past few years be lawyering up? Will these newest criminal charges change CISOs’ behavior, decision making, and approach to cybersecurity? Will all of this–the charges against Brown, the sentencing of Sullivan, the SEC scrutiny–end up weakening cybersecurity systemically?

For insightful takes on these questions, look to Jamil Farschi, Andrew Heighington, Stuart Mitchell, and Donald McFarlane. To share your perspective, check out the discussion on the ExtraHop customer community.