CEOs, Senators discuss mandating cyber-attack disclosures

At a hearing regarding the SolarWinds breach, Senators stress the importance of information sharing -- and call out AWS for refusing to attend the hearing

Following the SolarWinds attack, it's clear there needs to be more information sharing and better public-private sector coordination, lawmakers and tech leaders agreed in a Senate hearing Tuesday. The federal government should consider imposing reporting requirements on entities that fall victim to cyber intrusions, they said. 

Testifying at the Senate Intelligence Committee hearing, Microsoft President Brad Smith said it's time to impose a "notification obligation on entities in the private sector." 

It's "not a typical step when somebody comes and says, 'Place a new law on me,'" he told lawmakers. "I think it's the only way we are going to protect the country."  

Both Committee Chairman Mark Warner (D-Va.) and Vice Chairman Marco Rubio (R-Fla.) agreed that Congress should consider mandating certain types of reporting, potentially with some limited liability protection. 

"We must improve the information sharing," Rubio said. One important question that "everyone has struggled with," he said, is "who can see the whole field here on this."

Warner floated the idea of establishing an investigative agency analogous to the National Transportation Safety Board, which could "immediately examine major breaches to see if we have a systemic problem."

The lawmakers commended cybersecurity firm FireEye for first disclosing in December that they were the victims of a sophisticated, state-sponsored cyber attack. Democrats and Republicans on the committee also expressed their displeasure that Amazon Web Services declined to attend Tuesday's hearing. 

The SolarWinds attack relied in part on AWS infrastructure, Rubio said, but "apparently they were too busy to discuss that with us today." 

It would be "most helpful in the future if they actually attended these hearings," Warner said of AWS. 

Sen. John Cornyn (R-Texas) said that he "shared concern" over AWS's refusal to participate in the hearing. "I think that's a big mistake," he said, adding that it "denies us a more complete picture" of the incident.

The breach, likely the work of Russian hackers, targeted a wide swath of US entities -- nine federal government agencies, including the Treasury Department and Department of Commerce, as well as 100 private sector organizations. The attackers infiltrated these organizations in part by inserting malware into the Orion IT monitoring platform, a SolarWinds product

In addition to hearing from Microsoft's Smith, lawmakers on Tuesday heard from FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and CrowdStrike President and CEO George Kurtz.

Mandia said he supported the idea of mandatory cyber-intrusion reporting, so long as it remained confidential. 

"I like the idea of confidential threat intelligence sharing to whatever agency has the means to push that out," he said.

In addition to collecting information from private entities, the CEOs who testified Tuesday said that government agencies should be better at sharing information with each other. 

Once Microsoft learned of the SolarWinds incident, Smith said, the company wanted to share the information it had across the federal government. However, its contracts prohibited it from sharing the information with any agencies other than its direct customers. That protocol "does not strike me as the type of practice that makes a lot of sense for the future," he said. 

SolarWinds CEO Sudhakar Ramakrishna added that it would be more efficient for private organizations to communicate directly with one government agency that could share the information appropriately. 

"We feel like we have to communicate with multiple agencies, and sometimes that doesn't help us from a speed and agility perspective," he said. 

In addition to improving information sharing, the executives stressed the need for the industry to focus on the protection of software build systems. The attackers compromised SolarWinds by modifying the build process. That sort of attack "poses a grave risk to automated supply chain attacks... since the software processes SolarWinds uses are common across the industry," Ramakrishna said.