Top executives from Microsoft and FireEye on Tuesday urged Congress to create mandatory breach reporting requirements for companies following the massive Russian hack of the federal government that extended to the private sector.
“We need to impose a clear, consistent disclosure obligation on the private sector,” Microsoft President Brad Smith said in written testimony to the Senate Intelligence Committee, noting that “silence reigns” when companies are hacked.
“This is a recipe for making a formidable problem even worse, and it requires all of us to change,” Smith said. “We need to replace this silence with a clear, consistent obligation for private sector organizations to disclose when they’re impacted by confirmed significant incidents.”
FireEye CEO Kevin Mandia, whose company was credited with shining an early light on what has become known as the SolarWinds breach, said there should be a way for companies to report breaches with potential national security ramifications without fear of legal retribution.
“The U.S. government should consider a federal disclosure program for not only sharing threat indicators but for also providing notification of a breach or incident,” Mandia said in written testimony.
The discovery of the SolarWinds breach was due in large part to FireEye’s disclosure that it had been breached by a sophisticated hacking group in December. The hackers used vulnerabilities in software from IT group SolarWinds to compromise up to 18,000 customers of SolarWinds, with FireEye and Microsoft among those breached.
A White House official said last week that nine federal agencies and 100 private sector entities were confirmed to have been compromised in the months-long operation, which U.S. intelligence officials have described as “likely” Russian in origin.
While none of the industry leaders Tuesday would say definitively that Russia was behind the attack, it seemed to many a foregone conclusion.
“At this stage we have found substantial evidence that points to the Russian foreign intelligence agency, and we have found no evidence that leads us anywhere else,” Smith said. “There is not a lot of suspense at this moment in terms of who we are talking about.”
Mandia and Smith also said that their companies were not legally required to publicly disclose that they had been breached.
“We had no legal obligation to report, but I think we had a duty nonetheless: first of all to each customer; secondly to the U.S. government; and third of all to the public,” Smith testified. “We will not secure this country without that kind of sharing.”
Most U.S. states have some form of victim breach notification requirement on the books, but the federal government has failed to put one in place despite years of effort. As a result, the full scope of the SolarWinds breach has not yet become clear, as many compromised companies have chosen not to come forward, potentially further endangering customers.
“We are totally waiting on willing participants; we could still be uninformed because other major enterprises could be victims as well but have not chosen to come forward,” Senate Intelligence Committee Chairman Mark Warner (D-Va.) said Tuesday.
Warner pressed for putting in place breach notification requirements multiple times during the hearing, particularly as many companies remain silent.
“There is a growing sense that we need some level of at least information sharing on a mandatory basis,” Warner said, suggesting the creation of a “new player” at the federal level to lead this effort.
He stressed that while he may be “open” to some liability protections for companies that report breaches, he would not support any protections excusing “sloppy behavior.”
“We’re going to need to think about a different model, and I challenge all of you to come forward with that,” Warner told the witnesses. “I think there is a great deal of bipartisan appetite. I think we realize how serious we were and we potentially dodged a much more serious bullet.”
Republican members of the committee also dug into the issue of mandatory reporting requirements.
“We know from the White House’s report and our own briefings that the hackers did gain access to at least nine federal agency networks, yet the United States government learned of this attack through FireEye,” Sen. Susan Collins (Maine) said.
“There should be this exchange of information that is not occurring now on either side,” she noted in regard to the sharing of threat intelligence between the government and the private sector.
Mandia underlined that while the SolarWinds breach had been discovered and halted, inevitably another similar breach would occur, highlighting the need for tougher breach notification requirements.
“This attacker, maybe their pencil is down for a few months, but the reality is they are going to come back,” Mandia said. “How they break in is always evolving, and all we can do is close the window and close the security gap better next time.”