(Bloomberg) — A bipartisan group of senators on Tuesday recommended that the U.S. consider requiring companies to disclose when they have been hacked.
At the first public hearing before Congress since a massive cyber-attack by suspected Russian hackers was disclosed in December, Senate Intelligence Committee Chairman Mark Warner, a Democrat, was joined by Republican Senators Marco Rubio, who is vice chairman of the committee, John Cornyn and Roy Blunt in calling for the measure.
Microsoft Corp. President Brad Smith, who was testifying before the committee, also voiced his support for a mandatory reporting requirement.
“It is time, not only to talk about, but to find a way to take action to impose in an appropriate manner, some kind of notification obligation on entities in the private sector,” said Smith. “I think it is the only way we’re going to protect the country, and I think it is the only way we’re going to protect the world.”
FireEye Inc. Chief Executive Officer Kevin Mandia said he supported a requirement that companies notify an appropriate government agency about being hacked. But he urged that it be confidential, to encourage companies to participate amid liability concerns.
The hearing before Warner’s committee on Tuesday included Sudhakar Ramakrishna, the CEO of SolarWinds Corp. — the Texas-based software firm that the hackers compromised as part of the attack. He told the committee that the tool hackers used to compromise its software “poses a grave risk of automated supply chain attacks” across the software industry.
Several lawmakers criticized Amazon Web Services for not appearing at the hearing despite an invitation. According to SolarWinds, its Orion software platform — which was compromised by the hackers — could be deployed by customers on AWS among other cloud platforms.
“The operation we will be discussing today used their infrastructure, at least in part,” Rubio said. “Apparently they were too busy to discuss that here today.”
Amazon didn’t immediately respond to a request for comment.
The hackers responsible for the incident inserted malicious code into SolarWinds’s software, which was delivered to as many as 18,000 customers through software updates, though fewer are believed to have been targeted with additional hacking.
The White House has confirmed that the hackers leveraged this access to breach more than 100 companies and nine U.S. agencies with follow-on hacking aimed at espionage.
Mandia, of FireEye, said the attackers were “exceptionally hard to detect.” He added that the hackers appeared to be highly concerned with remaining hidden. “The minute you could detect these folks and stopped them breaking through the door, they sort of evaporated like ghosts until their next operation.”
FireEye discovered the hacking campaign while investigating a breach of its own networks. Mandia said in his prepared remarks that the company found an intrusion in late November and determined that a third-party had accessed their network without authorization. FireEye disclosed the cyber-attack in December.
Another witness at the hearing, George Kurtz, the co-founder and CEO of Crowdstrike, the cybersecurity firm hired by SolarWinds for incident response, called for improvements to federal cybersecurity. He said old computer systems and compliance rules “detract from their core security work.”
(Adds new details from hearing beginning in first paragraph.)
For more articles like this, please visit us at bloomberg.com
Subscribe now to stay ahead with the most trusted business news source.
©2021 Bloomberg L.P.
Add Comment