Lawmakers Discuss Mandating Cyberattack Disclosures
Microsoft President Brad Smith spoke with senators on the potential benefits of a law to require the reporting of cyberattacks.
During a hearing on the SolarWinds breach, which led to hackers compromising several government and business networks, the Senate Intelligence Committee raised the potential benefits of Congress mandating a notification requirement for victims of cyberattacks.
The committee’s two leaders – Chairman Mark Warner and Vice Chairman Marco Rubio – both stated that Congress should consider enacting such a law. “We must improve the information sharing, of that there is no doubt, between the federal government and private sector,” Rubio said.
While testifying at the hearing, Microsoft President Brad Smith agreed that the government should impose a “notification obligation on entities in the private sector.”
He acknowledged that a company asking to be regulated more tightly was unusual but told lawmakers: “I think it’s the only way we are going to protect the country.”
However, both Smith and FireEye CEO Kevin Mandia suggested that any future law of this kind draw a distinction between “notification” and “disclosure”: victims would be required to notify authorities after suffering cyberattacks likely to affect other consumers or companies, but would not be required to disclose these incidents to the public until later, once more information had come to light.
“You can have threat data today and have your arms around the incident three months from now,” Mandia said.
The historic SolarWinds breach was discovered in December by FireEye. The firm found that hackers, suspected of being Russian agents, had hidden malicious software inside software updates that SolarWinds sent out to as many as 18,000 of its client organisations between March and June, including the US Department of Homeland Security. Other government agencies and an unknown number of private companies were also affected.
Also testifying at the hearing on Tuesday were SolarWinds CEO Sudhakar Ramakrishna and CrowdStrike President and CEO George Kurtz. Ramakrishna did not provide new information on how many of SolarWinds’ clients were affected by the breach.