In the wake of the recently disclosed breach of some federal and private sector networks likely by a Russian intelligence organization, the U.S. government needs to mandate that private sector entities whose networks have been breached notify the government of an incident, executives from Microsoft [MSFT] and FireEye [FEYE] said on Tuesday.
Current information about cyber hacks and breaches is “too often” siloed within the government and the private sector, said Brad Smith, president of Microsoft.
The information “doesn’t come together,” he said. “Because of that need, it is time, not only to talk about, but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector.”
Testifying before the Senate Intelligence Committee, which is examining the recent hack, Smith said that while it’s “not a typical step” for a company to tell Congress to “place a new law on me…I think it’s the only way we’re going to protect the country and I think it’s the only way we’re going to protect the world.”
The notion of government regulation requiring private sector entities to disclose breaches of their networks in some way to the federal government was argued vigorously in Congress a decade ago and found proponents in Sen. Susan Collins (R-Maine) and then Sen. Joe Lieberman (I/D-Conn.), but ultimately Congress and the Obama administration opted for voluntary disclosures incentivized by liability protections. However, companies that have been breached still remain wary of notifying the government and even their customers for fear of costly liabilities and reputational damage.
In the most recent hack, the perpetrators compromised software upgrades developed by network management supplier SolarWinds [SWI] for one of its software platforms that is widely used on government and private sector networks. The U.S. government believes the hackers are based in Russia, but formal attribution specifically identifying the group hasn’t been made.
President Joe Biden’s Press Secretary Jen Psaki said on Tuesday that the White House has “asked the intelligence community to do further work to sharpen the attribution” and to better understand the damage, scope and scale of the breach.
“But it will be weeks, not months, before we respond, but I’m not going to get ahead of the conclusion of that process,” she said in response to a reporter’s question during the daily White House press briefing.
Sen. John Cornyn (R-Texas) asked the witnesses at the committee’s hearing about requiring notification coupled with liability protections.
Smith replied that the country can “find a way to move forward this year” on such a regulation, adding that liability protection will make companies “more comfortable” with notifying the government that they’ve been breached.
Kevin Mandia, CEO of FireEye, the company that first discovered the hack, said he agrees but that notification needs to be “confidential or you don’t give organizations the capability to prepare for those liabilities.” The benefit from notifying about a compromise is that it rapidly gets information about the threat out to those that need to know, he said.
Mandia pointed out that there’s a lag between having data about the threat and then having a fuller understanding of the incident months later.
Disclosure, he said, is a legal requirement to inform impacted parties.
“And you don’t know that day one,” Mandia said.
Both Mandia and Smith said that the threat information should be shared with the appropriate government agency. On Monday, SolarWinds CEO Sudhakar Ramakrishna said that there needs to be a single point of contact in government for the private sector to engage to share information about cyber threats.
Currently, SolarWinds has to deal with multiple agencies, which is time-consuming when responding to attacks, Ramakrishna said.
Sen. Mark Warner (D-Va.), chairman of the committee, asked at the outset of the hearing “Why shouldn’t we have mandatory reporting systems even if those reporting systems require some liability protection so we can better understand and better mitigate future attacks?” He said that Sen. Collins “was way ahead of all of us on this issue.”