Application security, Breach, Data Security

SolarWinds CEO expresses regret for ‘blame the intern’ defense during Orion hack investigation

Share
SolarWinds CEO Sudhakar Ramakrishna testifies during a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. (Drew Angerer/Getty Images)

The CEO of SolarWinds expressed regret for the way executives appeared to pin the blame on an intern for poor cybersecurity practices following the breach of its Orion management software last year.

Speaking at the 2021 RSA Conference, Sudhakar Ramakrishna, who joined the company in January after his predecessor Kevin Thompson stepped down in December 2020, said the comments made by him and former CEO Kevin Thompson in a congressional hearing were “not appropriate.”

The acknowledgement came in response to a question from an interviewer about whether the comments might make younger security professionals reluctant to work at SolarWinds if there was a perception that executives might throw them under the bus in the wake of a bad security breach.

“What happened at the congressional hearings, where we attributed [problems] to an intern was not appropriate, was not what we are about and is not what we are about,” said Ramakrishna. “We have learned from that and I want to reset it here by saying that we are a very safe environment and we want to attract and retain the best talent.”

At the hearing, which took place in February, lawmakers grilled company executives past and present over why an update server for the company utilized the weak password “SolarWinds123” and how it was left publicly exposed on a GitHub server for years. The answer from Thompson pinned the blame squarely on mistakes from an unnamed intern.

"They violated our password policies and they posted that password…on their own private Github account," Thompson answered. "As soon as it was identified and brought to the attention of my security team, they took that down.”

Ramakrishna, who was at the same hearing, backed up Thompson’s assertion at the time.

Thompson, who was CEO during the period when the Orion hack started and who left right before it was publicly disclosed, is one of several SolarWinds executives who were found to have sold millions of dollars in company stock the month before the revelation, and is a named defendant in a class action lawsuit brought by SolarWinds stockholders that alleges the company deceived investors for years about their cybersecurity risks and practices.

Following the hearing, SolarWinds was pilloried by the cybersecurity community for seeming to follow a well-worn trope in industry, where executives deflect from their own high-level budgetary and operational failures by casting the blame of a low-level intern or employee. It was viewed as especially egregious after third-party forensic examiners later determined that the password leak likely played no role in the attack.

Ramakrishna appeared to acknowledge that the incident may have impacted the way that potential job candidates view the company’s brand and pledged to do better in the future.

“I have long held a belief system and an attitude that you never flog failures. You want your employees – including interns – to make mistakes and learn from those mistakes, and together we become better. Obviously you don’t want to make the same mistake over and over again [but] you want to improve,” said Ramakrishna.

The company still employs the same CISO, Tim Brown, that it had in place before the incident and Ramakrishna said he doesn’t blame Brown for the compromise and said if he were to hire a top security executive from scratch, he’d look for someone with Brown’s decades of experience.

“I do not like to flog failures, so to speak, and it’s not even clear that this failure is one person’s fault,” said Ramakrishna. “When a nation state attacks you, it is impossible for one person to be able to thwart that entire attack or take full responsibility for it. I also felt as I got to know Tim Brown, that he’s a highly competent and highly committed individual.”

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.