A bipartisan group of senators on Tuesday recommended that the U.S. consider requiring companies to disclose when they have been hacked.
At the first public hearing before Congress since a massive cyber-attack by suspected Russian hackers was disclosed in December, Senate Intelligence Committee Chairman
There is currently no federal data breach notification law.
“It is time, not only to talk about, but to find a way to take action to impose in an appropriate manner, some kind of notification obligation on entities in the private sector,” said
The hearing before Warner’s committee on Tuesday included
The senators mostly used a light touch in questioning Ramakrishna — who started at SolarWinds in January after the hack was disclosed — about his company’s responsibility in the massive cyber-attack. He said his company is investigating three possible ways the attackers may have used to gain access to the company’s networks but haven’t reached a conclusion.
The senators were much tougher on
“The operation we will be discussing today used their infrastructure, at least in part,”
The hackers responsible for the incident inserted malicious code into SolarWinds’s software, which was delivered to as many as 18,000 customers through software updates, though fewer are believed to have been targeted with additional hacking.
The White House has confirmed that the hackers leveraged this access to breach more than 100 companies and nine U.S. agencies with follow-on hacking aimed at espionage.
Mandia, of FireEye, said the attackers were “exceptionally hard to detect.” He added that the hackers appeared to be highly concerned with remaining hidden. “The minute you could detect these folks and stopped them breaking through the door, they sort of evaporated like ghosts until their next operation.”
FireEye discovered the hacking campaign while investigating a breach of its own networks. Mandia said in his prepared remarks that the company found an intrusion in late November and determined that a third-party had accessed their network without authorization. FireEye disclosed the cyber-attack in December.
Smith told the committee that Microsoft’s threat hunters and engineers analyzed the attack and estimated there were 1,000 developers who worked on the attack. “It is the largest and most sophisticated operation of this sort that we’ve seen,” he said.
Another witness at the hearing,
While a mandatory data breach notification law is one mechanism by which Congress could improve U.S. cybersecurity, the prospects of passing such a law in 2021 are slim given competing Covid-19 relief priorities, according to Dominique Shelton Leipzig, a privacy and cybersecurity attorney at
“Realistically, the chances of getting a federal omnibus privacy and data security law are looking more likely to happen next year,” she said.
Businesses want a federal law since they currently have to comply with differing data breach notification laws in all 50 states, she said. “This is the perfect example where companies are calling out for guidance both on the privacy and data security side,” she said.
(Updates with additional details beginning in second paragraph.)
–With assistance from
To contact the editors responsible for this story:
© 2021 Bloomberg L.P. All rights reserved. Used with permission.