Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Congress Addresses Private Sector Sharing Data Breach Info with Government

February 25, 2021

The Washington Post (sub.req.) reported on February 24 that companies responding to a massive Russian hack urged Congress to update laws on how the private sector shares information about cybersecurity breaches with the government.

“It is time not only to talk about, but to find a way to take action, to impose in an appropriate manner some kind of notification obligation on entities in the private sector,” Microsoft president Brad Smith told members of the Senate Intelligence Committee. “I think it’s the only way we’re going to protect the country and I think it’s the only way we’re going to protect the world.”

As I have said before, we are still finding more government and private sector victims who were compromised during the months-long SolarWinds hacking campaign discovered in December 2020. The full scope of the Russian hack is still unknown in part because private companies have no legal obligation to come forward with the information.

As the White House prepares to sanction Russia for the attack and other malicious cyberactivity, committee members from both parties expressed interest in adopting reporting requirements, which have failed in the past due to industry lobbying and Republican wariness over regulation.

“There’s got to be a way for folks who are responding to breaches to share data quickly to protect the nation, protect industries,” said FireEye CEO Kevin Mandia. He said notification requirements should fall on “first responders,” or anyone responsible for figuring out the cause of unauthorized or unlawful access to their or another company’s network.

Congress passed the Cybersecurity Information Sharing Act in 2015 to make it easier for companies to share threats. But witnesses said that the law would need to permit industry to share more intelligence without fear of being punished for reporting.

“Notification needs to be confidential or you don’t give organizations the capability to prepare for those liabilities,” Mandia said. “You get speed from that if it’s confidential because you can have threat data today …[now] we’re getting the intel three months to five months too late.”

Congress also wants answers from Amazon and could be looking at other software companies. Intelligence Committee chair Mark Warner (D-Va.), vice chair Marco Rubio (R-Fla.) and other members criticized Amazon for not sending a representative of Amazon Web Services to the hearing.

“Apparently they were too busy to discuss that with us here today and I hope they’ll reconsider that in the future,” said Rubio, who noted that hackers used Amazon’s infrastructure for some of the campaign.

If Amazon does not voluntarily cooperate, a subpoena might be issued. “I think they have an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” Sen. Susan Collins (R-Maine). “If they don’t, I think we should look at next steps.”

No doubt others beside Amazon were involved in the massive Russian hacking campaign, which compromised at least nine federal agencies and 100 companies. Warner said the committee would be ensuring the participation of other IT and software services in its investigation.

Executives at the hearing said that their own investigations also strongly pointed to Russia. “We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else,” said Smith.

Witnesses did not fully rule out motives beyond espionage for the hackers. Although the operation was initially framed as an espionage operation, the White House has started to suggest a widened scope of “indiscriminate” and “disruptive” hacking could merit sanctions.

Smith said, “This was an act of recklessness, in my opinion,” he said, because it infected thousands of systems that the Russians had no interest in to give them access to only a few. “It was done in a very indiscriminate way.”

Our own espionage apparently isn’t indiscriminate and disruptive – and therein lies all the difference. Hmmm.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

Congress Addresses Private Sector Sharing Data Breach Info with Government

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer