Cyber Notification Concept Gets Bipartisan House Nod
Cyber notification requirements are a legislative priority, said House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and ranking member John Katko, R-N.Y., Friday during a virtual hearing on the SolarWinds breach. They echoed interest from Senate Intelligence Committee Chairman Mark Warner, D-Va., Sen. Susan Collins, R-Maine, and Sen. John Cornyn, R-Texas, at a hearing earlier in the week (see 2102230064).
Microsoft President Brad Smith and FireEye CEO Kevin Mandia again stated their support, saying details should be ironed out in legislation. Mandia suggested Congress separate breach disclosure from threat intelligence sharing, saying a company should be able to inform the government confidentially without immediate liabilities from public disclosure. “Threat intelligence sharing will defend the nation,” Mandia told members of the House Homeland Security and Oversight committees.
“There will be important details that will need to be discussed, but this is the time to take that kind of action,” Smith said. Many companies say as little as possible, and often nothing, said Smith. Silence isn’t going to make the country stronger, he added, so there should be encouragement and mandates. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is a strong candidate, said Smith, and the type of information for sharing should be defined. Congress needs to be careful about not telling “firefighters to stop fighting the fire so they can fill out forms” for government officials, he said.
It’s not often you hear the private sector saying it needs more mandates, so that highlights the importance of notification, said Katko. He added that he, Thompson and others will “work very hard to try to make this a reality.” He noted information-sharing made the U.S. stronger after the Sept. 11, 2001, attacks but a company sharing its information with a federal agency potentially exposes it to scrutiny.
Thompson was encouraged by support for cyber incident reporting legislation. He said an amendment by then-House Cybersecurity Subcommittee Chairman Cedric Richmond, D-La., for the House-passed National Defense Authorization Act would have established cyber incident notification requirements but ultimately failed to be included. “I look forward to trying again this year,” he said.
A SolarWinds security adviser in 2017 issued a briefing to the company listing breach vulnerabilities and suggestions to bolster security, said Rep. Clay Higgins, R-La. He asked ex-SolarWinds CEO Kevin Thompson if the company received the briefing and took the recommended actions. Thompson announced his departure in August and left Dec. 31. Thompson confirmed a briefing was provided to senior IT leadership but said it was about security posture “in general” and what could be done to make the company a leader. The company invested in this beforehand, said Thompson: “We spent more than the average technology company of our size over the last four years on security.”
Legislation needs to be considered, said House Oversight Committee Chair Carolyn Maloney, D-N.Y., noting it’s unclear whether the perpetrators are still in the system. Del. Eleanor Holmes Norton, D-D.C., suggested the company is still being breached and the investigation needs to wrap up.
Sunburst, the hacker’s implant, isn’t “an ongoing threat” for SolarWinds’ Orion software, testified SolarWinds CEO Sudhakar Ramakrishna. He added the implant hasn’t been found in any of the 70 non-Orion products. Sharing information as fast as possible is important because speed and agility are key, he said. Reps. James Langevin, D-R.I., and Michael McCaul, R-Texas, credited SolarWinds and Microsoft for briefing their offices last week.
House Oversight Committee ranking member James Comer, R-Ky., described the incident as the “largest cyberattack in history,” saying it took months of planning and “extreme patience.” About 1,000 people were involved, and the likely culprit was Russia, he added. Others also pointed to Russia, noting it hasn’t been confirmed.