A Long-Awaited Win for Every CISO in America
The Tim Brown Case Is Over — and What It Means for the Profession, Public-Private Partnership, and the Future of Cyber Accountability
A Thursday Night Jolt
Thursday evening, scrolling on my phone before calling it a night, I stopped cold. A headline I’ve waited five long years to read finally appeared:
The SEC dismissed all charges against Tim Brown, CISO of SolarWinds. Case closed. With prejudice.
If you’ve been in this field long enough, you know exactly how heavy that sentence feels. For half a decade, the entire security community watched one of our own get dragged through a regulatory nightmare that should never have been initiated in the first place.
Tim Brown is no rookie. He’s not a “checkbox CISO.” He’s one of the best in the industry, a person I’m proud to call a friend. But for five years he, his family, SolarWinds employees, and frankly every security leader in America lived under the shadow of a case that made no practical sense, made no legal sense, and posed a catastrophic precedent for the profession.
Tonight, that weight lifted.
But this victory came at a cost.
How We Got Here: A Timeline of a Mistaken Hunt
December 2020: SolarWinds is compromised in one of the most sophisticated nation-state operations in modern history. Russian intelligence (APT29) inserts malicious code into Orion software updates in a classic software supply-chain attack.
2021–2023: The U.S. government (CISA, NSA, and FBI) confirms publicly that:
This was a nation-state attack
SolarWinds was a victim, not a perpetrator
The campaign was unprecedented in stealth and complexity
October 2023: Despite this consensus, the SEC files charges against SolarWinds and singles out Tim Brown personally, alleging misleading statements in cybersecurity risk disclosures.
This was the shockwave.



