SolarWinds CEO offers to commit staffers to government cyber agencies

Sudhakar Ramakrishna, the CEO of SolarWinds, has used a panel appearance at the annual RSA Conference in San Francisco, California, to call for increased cooperation and collaboration between government and industry on cyber security intelligence sharing, and offered to commit staffers to work closely alongside US government’s Cybersecurity and Infrastructure Security Agency (CISA), the equivalent US body to the UK’s National Cyber Security Centre (NCSC).

In an appearance alongside CISA director Jen Easterly and Mandiant founder Kevin Mandia, who as former CEO of the now-separated FireEye was intimately involved in uncovering the SolarWinds attack, Ramakrishna proposed that software companies support CISA’s work more actively by dedicating employees to the agency.

“The only way our industry will be able to effectively respond to the evolving threat landscape is through a true partnership between the public and private sectors,” said Ramakrishna.

“Today, we are calling on the entire software industry to join us in this effort and encourage every software or technology company in the US to commit one full-time employee to work under the guidance and direction of CISA to support both threat intelligence and information sharing.

“SolarWinds has made this commitment and my hope is other companies will join us in this endeavour.”

This is not the first time Ramakrishna has called for more collaboration across industry, and with public sector bodies and security agencies, on such issues.

Speaking in 2021 at the NCSC’s virtual CyberUK event, he floated the idea of forming a consortium of businesses to take collective action to defend themselves against nation-state advanced persistent threat (APT) groups, such as Russia’s Cozy Bear and others.

He proposed a model of mutual responsibility and accountability in the industry and said that size alone was not an indicator of a company’s ability to defend itself adequately from cyber attack, as SolarWinds’ own example demonstrated.

Ramakrishna went on to say that such a group could maximise cyber information sharing and collaboration to build a model of collective protection that benefits all.

“If all of us commit to sharing that information with the public sector and the public sector, in turn, it provides specific recommendations and continues to improve those recommendations and finds a way of not only building accountability, but providing regulation to help enforce it,” he said. “Then we can all get to a level of standardisation that hitherto has been very ad hoc.”

Since the devastating Russia-orchestrated cyber attacks in 2019, which exploited a tainted update of SolarWinds’ Orion platform to compromise key downstream customers – including US government agencies – Ramakrishna has received praise from across the industry for his commitment to transparency in the wake of the attack.

Speaking to Computer Weekly in September 2021, Ramakrishna said he believed honesty was a key element of an IT organisation’s response to any issue – not just cyber security-related – that materially affects a customer.

“We talk about building trust with customers, earning their trust, and so on,” he said. “But the way I like to think of it is the way you earn trust is by being transparent with them, what’s working, what’s not, what are you doing about it, etc.

“If I have to trust you, then I have to believe that you’re being transparent with me about the state of affairs, so that was foundational to who we are, who I am and how I operate.”

This article was updated on 13 June to more accurately reflect the nature of SolarWinds' proposals.