SEC Moves to Get Foreign Testimony in SolarWinds Fraud Case

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Legislation & Litigation

Testimony Request Targets Cybersecurity Concerns Raised by Ex-SolarWinds Engineer

Federal regulators want to obtain oral testimony from a former SolarWinds engineer who documented concerns over a network vulnerability tied to VPN access and unmanaged devices.

The U.S. Securities and Exchange Commission wants to get help from the Czech Republic’s Ministry of Justice in securing testimony from Robert Krajcir, who used to work at SolarWinds and resides in the Czech Republic. The SEC said it offered to depose Krajcir voluntarily in Germany or at the U.S. Embassy in Prague, but Krajcir, who is represented by SolarWinds’ legal counsel, has declined those options.

District Judge Paul Engelmayer has ordered SolarWinds and Brown to respond to the SEC’s request for foreign judicial assistance by Friday, with any reply from the SEC due by Nov. 15. If Judge Engelmayer allows the SEC to proceed with its request, the agency will ask the Czech Ministry of Justice to respond within 60 days so that the SEC can collect testimony from Krajcir well in advance of an anticipated 2025 trial date (see: Why SEC, SolarWinds Eye Settlement Talks in Cyber Fraud Case).

The SEC said SolarWinds and CISO Tim Brown committed securities fraud by publicly misrepresenting the company’s cybersecurity practices between October 2018 and December 2020. Testimony from Krajcir is significant for providing insight into network access control and VPN vulnerabilities that undermine SolarWinds’ security claims. SolarWinds declined to comment, while Brown and Krajcir did not respond to inquiries from Information Security Media Group.

The SEC said SolarWinds publicly claimed only essential access rights were granted to employees and contractors. However, the SEC alleges SolarWinds allowed broad access privileges across its network, contradicting its public statements. Since Brown knew of systemic security vulnerabilities, the SEC said inconsistencies between SolarWinds’ statements and its internal security posture misled investors (see: Judge Dismisses Most SEC Fraud Claims Against SolarWinds).

Why the SEC Wants Krajcir to Take the Stand

Regulators want Krajcir to testify about a specific vulnerability he found related to SolarWinds’ VPN access, which enabled unmanaged devices to connect to the network. The SEC said Krajcir referred to this as a “security gap” that went unresolved despite multiple attempts to address it with SolarWinds’ management. Krajcir’s recommendations were met with reluctance or resistance, the SEC alleges.

The SEC said Krajcir’s perspective on network management and cybersecurity practices during his employment at SolarWinds is unique and unobtainable from other sources. The Czech Republic and U.S. are both signatories to a legal framework that allows U.S. courts to seek evidence from people living abroad, and the SEC said its request is routine and aligns with international cooperation agreements.

In emails from summer 2018, Krajcir noted that anyone with Active Directory credentials could access SolarWinds’ corporate WiFi and VPN from any device, including personal or unmanaged devices that weren’t part of the company’s domain. Krajcir said devices connecting via VPN could bypass security checks, potentially downloading harmful content or spreading malware without detection.

To mitigate these vulnerabilities, Krajcir suggested using certificates to authenticate devices connecting to the VPN and reducing user privileges to prevent them from installing unauthorized software. Despite his efforts, Krajcir’s emails from summer 2018 indicate that his recommendations were either delayed or not fully implemented, which the SEC said reflects a disregard for security risks at the managerial level.

A presentation Krajcir created in August 2018 noted a lack of restrictions on unmanaged devices, an inability to monitor what devices are connected to the network, and a lack of options to enforce user identity verification. Krajcir said unmanaged devices had the same level of access as corporate devices, allowing them to access critical systems and potentially introduce malware into the core network.

How SolarWinds Responded to Krajcir’s Findings

Krajcir’s email exchanges were met with limited action and skepticism, with one colleague questioning the need for such strict security controls and expressing concern over the practicality of Krajcir’s proposed device authentication measures. Other responses questioned the enforcement of certificate-based authentication, particularly around whether users would be able to export certificates from their machines.

The SEC argues that Krajcir’s emails and presentation indicate that SolarWinds was aware of but failed to address substantial security vulnerabilities, even as it publicly assured investors of secure operations. Krajcir’s perspective as a network engineer responsible for cybersecurity would provide critical insights into the discrepancy between SolarWinds’ internal practices and public representations, the SEC argues (see: SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors).

Specifically, the SEC said SolarWinds’ security statement emphasizes role-based access and network security controls, but Krajcir’s emails reveal unmanaged devices with Active Directory credentials could access the network without sufficient restrictions. SolarWinds also said it engages in robust network monitoring, while Krajcir said the company was unable to track unmanaged devices on corporate Wi-Fi.

The SEC said its case is strengthened by evidence suggesting SolarWinds publicly overrepresented its cybersecurity capabilities while internally grappling with critical security controls that were either absent or inadequately enforced. The SEC said SolarWinds’ security statement built trust with customers and investors by suggesting a well-protected environment, but internal documents reveal a different reality.
