Post-SolarWinds Breach Hearings, Members of Congress Signal Commitment to Crafting Federal Cyberattack Reporting Legislation

Last December Russian-linked hackers breached software vendor SolarWinds. Through deploying a malware-laced update to SolarWinds’ Orion software, the hackers were able to infiltrate multiple government agencies, government networks and U.S.-based companies. The Orion software is commonly used by large organizations to monitor and manage IT resources, including servers, workstations, mobile devices, and internet of things devices.

Microsoft’s President Brad Smith told CBS’ “60 Minutes” that the SolarWinds attack “was the largest and most sophisticated attack the world has ever seen” from a software engineering perspective. Microsoft is a user of the Orion software and confidential sources have indicated that hackers leveraged Microsoft products to attack victims. Microsoft denies these reports, but the U.S. National Security Agency issued a rare cybersecurity advisory in December instructing users of Microsoft’s Azure cloud services to lock down their systems because of a breach.

Microsoft has repeatedly been slammed by Senator Ron Wyden (D-OR) for failing to prevent the breach. Wyden recently stated that the federal government should be cautious about spending more money on Microsoft products before Congress can find out why the software company “didn’t warn the government about the hacking technique that the Russians used, which Microsoft had known about since at least 2017.” Wyden’s comments, coupled with pressure from other members of Congress seeking more information on the SolarWinds breach, set the stage for contentious House and Senate hearings the week of February 21st. Microsoft’s Smith testified during the House and Senate hearings and was joined by SolarWinds’ CEO Sudhakar Ramakrishna and FireEye Inc.’s CEO Kevin Mandia. FireEye is a cybersecurity company and originally discovered the SolarWinds breach in December.

The Senate Intelligence Committee first heard from Smith and Ramakrishna. After learning more about the SolarWinds breach from the two executives, the Committee’s leaders, Chairman Mark Warner (D-VA) and Vice Chairman Marco Rubio (R-FL), both signaled their support for federal legislation that would require cyberattack victims to report breaches to the federal government. Warner proposed creating a “public-private entity” to facilitate information sharing between the government and the private sector after breaches in order to mitigate future attacks. Warner suggested that this entity could have investigative powers similar to those of the National Transportation Safety Board, which would allow it to “immediately examine major breaches to see if we have a systemic problem.”

In a House hearing on the SolarWinds breach later that same week, members of the Homeland Security Committee also offered their support for expanding breach notification laws. Representative Bennie Thompson (D-MS) noted that past responses to significant breaches have largely failed to anticipate future breaches. To solve this problem, Representative Thompson proposed that the Committee adopt a more forward-looking approach focused on identifying “systemic opportunities to improve our ability to prevent, defend against, mitigate and raise the costs of all malicious cyber activity.”

Although bipartisan members of the House and Senate committees expressed general support for creating a national breach notification law, the executives from SolarWinds, Microsoft, and FireEye took the lead in offering specific proposals. Perhaps the most notable recommendation came from Microsoft’s Smith and FireEye’s Mandia, who suggested that a future federal breach notification law should make a clear distinction between “notification” and “disclosure” requirements. Regarding this distinction, FireEye’s Mandia noted that a new law should require victims to immediately notify federal authorities about recent breaches, but should not require victims to disclose details about breaches to the public until after additional context has been gathered. In support of this proposal, Mandia suggested that immediately sharing confidential threat intelligence with federal authorities prior to general disclosure to the public would allow for a quicker response to future breaches.

Microsoft’s Smith also noted that Microsoft’s contracts prohibited it from sharing information regarding the breach with any government agencies other than its direct customers. Smith recommended changing this protocol in the future and suggested that organizations impacted by data breaches should feel empowered to contact potentially impacted parties, rather than hesitant because of potential exposure to legal action.

The unusualness of these proposals from the private sector was not lost on the executives. Microsoft’s Smith highlighted this fact, noting that “[i]t’s not a typical step when somebody comes and says, ‘Place a new law on me, put it on our customers,’ but I think it’s the only way we are going to protect our country, and it’s the only way we are going to protect the world.” Although no specific pieces of legislation have been proposed yet to create a national breach notification law, the Biden Administration is looking into using executive action to address the security shortcomings that allowed the SolarWinds hackers to access the networks of multiple federal agencies.

Starling Gamble