Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Congress Addresses Private Sector Sharing Data Breach Info with Government

February 25, 2021

The Washington Post (sub.req.) reported on February 24 that companies responding to a massive Russian hack urged Congress to update laws on how the private sector shares information about cybersecurity breaches with the government.

“It is time not only to talk about, but to find a way to take action, to impose in an appropriate manner some kind of notification obligation on entities in the private sector,” Microsoft president Brad Smith told members of the Senate Intelligence Committee. “I think it’s the only way we’re going to protect the country and I think it’s the only way we’re going to protect the world.”

As I have said before, we are still finding more government and private sector victims who were compromised during the months-long SolarWinds hacking campaign discovered in December 2020. The full scope of the Russian hack is still unknown in part because private companies have no legal obligation to come forward with the information.

As the White House prepares to sanction Russia for the attack and other malicious cyberactivity, committee members from both parties expressed interest in adopting reporting requirements, which have failed in the past due to industry lobbying and Republican wariness over regulation.

“There’s got to be a way for folks who are responding to breaches to share data quickly to protect the nation, protect industries,” said FireEye CEO Kevin Mandia. He said notification requirements should fall on “first responders,” or anyone responsible for figuring out the cause of unauthorized or unlawful access to their or another company’s network.

Congress passed the Cybersecurity Information Sharing Act in 2015 to make it easier for companies to share threats. But witnesses said that the law would need to permit industry to share more intelligence without fear of being punished for reporting.

“Notification needs to be confidential or you don’t give organizations the capability to prepare for those liabilities,” Mandia said. “You get speed from that if it’s confidential because you can have threat data today …[now] we’re getting the intel three months to five months too late.”

Congress also wants answers from Amazon and could be looking at other software companies. Intelligence Committee chair Mark Warner (D-Va.), vice chair Marco Rubio (R-Fla.) and other members criticized Amazon for not sending a representative of Amazon Web Services to the hearing.

“Apparently they were too busy to discuss that with us here today and I hope they’ll reconsider that in the future,” said Rubio, who noted that hackers used Amazon’s infrastructure for some of the campaign.

If Amazon does not voluntarily cooperate, a subpoena might be issued. “I think they have an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” said Sen. Susan Collins (R-Maine). “If they don’t, I think we should look at next steps.”

No doubt others besides Amazon were involved in the massive Russian hacking campaign, which compromised at least nine federal agencies and 100 companies. Warner said the committee would be ensuring the participation of other IT and software services in its investigation.

Executives at the hearing said that their own investigations also strongly pointed to Russia. “We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else,” said Smith.

Witnesses did not fully rule out motives beyond espionage for the hackers. Although the operation was initially framed as espionage, the White House has started to suggest that a widened scope of “indiscriminate” and “disruptive” hacking could merit sanctions.

“This was an act of recklessness, in my opinion,” Smith said, because it infected thousands of systems that the Russians had no interest in, simply to give them access to only a few. “It was done in a very indiscriminate way.”

Our own espionage apparently isn’t indiscriminate and disruptive – and therein lies all the difference. Hmmm.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson