Advisen FPN

Advisen Cyber FPN - Friday, February 26, 2021

   
Senate lawmakers signal openness to mandatory breach reporting - and liability protections

By Erin Ayers, Advisen

Testifying before the U.S. Senate Intelligence Committee this week, technology executives called for improved public-private partnering on threat intelligence sharing in the wake of the massive SolarWinds hack, saying a nationwide strategy is needed.

Executives from Microsoft, SolarWinds, FireEye, and CrowdStrike testified before lawmakers, explaining the breach and emphasizing the need for a “national strategy” to better inform organizations of cyber threats.

The risk of future attacks and the insidious nature of the SolarWinds hack were a key focus of the hearing, with lawmakers seeking solutions on avoiding similar – or much more damaging – events.

“The reality is, the hackers responsible have gained access to thousands of companies and the ability to carry out far more destructive operations if they wanted to. This intrusion had the possibility of being exponentially worse,” said Sen. Mark Warner (D-VA) during the hearing.

Both Warner and Committee Vice Chair Marco Rubio suggested that if FireEye had not reported the event, it might have gone undetected. The solution, Warner suggested, might be mandatory breach reporting, possibly paired with some level of liability protection for the reporting organization.

Warner also floated the idea of “common norms in cyberspace” like those that exist for military conflict, and suggested a centralized agency, modeled on the National Transportation Safety Board, to receive the reports.

Microsoft president Brad Smith said the SolarWinds hack was the work of a “very sophisticated adversary” of the U.S. and advised a focus on strengthening supply chains as well as coordinating threat intelligence sharing.

“That information too often exists in silos, in the government, in different companies. It doesn’t come together,” said Smith. He supported an obligation to notify, even while acknowledging the challenges the private sector faces.

“I think it’s the only way we’re going to protect the company. It’s the only way we’re going to protect the world,” Smith said.

Lawmakers also questioned how high-powered cybersecurity firms and federal cyber officials could have missed the hack. The breach, in which malware was inserted into a trusted SolarWinds software update, was well concealed.

“This has been a multi-decade campaign” for the threat actors, Kevin Mandia, CEO of FireEye, told the Committee. Detecting the breach was the work of “thousands of hours of humans investigating.”

“You wonder why people missed it. This was not the first place you look. It was the last place you look for an intrusion,” Mandia said, adding, “Imagine a secret door into your house and the first thing when you come through that secret door is all your keys are right there, they grab them, and they can get into any locks you have in your house.”

The SolarWinds attack follows several other supply-chain cyberattacks, according to George Kurtz, president and CEO of CrowdStrike, which he said signals a need to bolster vendor cybersecurity.

“It demonstrates that cybersecurity is an ecosystem issue, where organizations impact one another, either for better or worse,” Kurtz said in testimony. “In the private sector context, risk decisions should be reviewed and accepted up to the board-level.”

Editor Erin Ayers can be reached at erin.ayers@zywave.com
