Following the SolarWinds attack, it’s clear there needs to be more information sharing and better public-private sector coordination, lawmakers and tech leaders agreed in a Senate hearing Tuesday. The federal government should consider imposing reporting requirements on entities that fall victim to cyber intrusions, they said.
Testifying at the Senate Intelligence Committee hearing, Microsoft President Brad Smith said it’s time to impose a “notification obligation on entities in the private sector.”
It’s “not a typical step when somebody comes and says, ‘Place a new law on me,’” he told lawmakers. “I think it’s the only way we are going to protect the country.”
Both Committee Chairman Mark Warner (D-Va.) and Vice Chairman Marco Rubio (R-Fla.) agreed that Congress should consider mandating certain types of reporting, potentially with some limited liability protection.
“We must improve the information sharing,” Rubio said. One important question that “everyone has struggled with,” he said, is “who can see the whole field here on this.”
Warner floated the idea of establishing an investigative agency analogous to the National Transportation Safety Board, which could “immediately examine major breaches to see if we have a systemic problem.”
The lawmakers commended cybersecurity firm FireEye for being the first to disclose, in December, that it had been the victim of a sophisticated, state-sponsored cyber attack. Democrats and Republicans on the committee also expressed their displeasure that Amazon Web Services declined to attend Tuesday’s hearing.
The SolarWinds attack relied in part on AWS infrastructure, Rubio said, but “apparently they were too busy to discuss that with us today.”
It would be “most helpful in the future if they actually attended these hearings,” Warner said of AWS.
Sen. John Cornyn (R-Texas) said that he “shared concern” over AWS’s refusal to participate in the hearing. “I think that’s a big mistake,” he said, adding that it “denies us a more complete picture” of the incident.
The breach, likely the work of Russian hackers, targeted a wide swath of US entities — nine federal government agencies, including the Treasury Department and Department of Commerce, as well as 100 private sector organizations. The attackers infiltrated these organizations in part by inserting malware into the Orion IT monitoring platform, a SolarWinds product.
In addition to hearing from Microsoft’s Smith, lawmakers on Tuesday heard from FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and CrowdStrike President and CEO George Kurtz.
Mandia said he supported the idea of mandatory cyber-intrusion reporting, so long as it remained confidential.
“I like the idea of confidential threat intelligence sharing to whatever agency has the means to push that out,” he said.