The House Homeland Security and Oversight and Reform committees held a joint public hearing today to discuss the Russia-based hack of government and private sector networks via SolarWinds Orion products. During the hearing, both the private sector witnesses and members of Congress called for better cybersecurity practices, legislation, and increased information sharing.
The House committees heard from top executives of technology companies affected by the attacks: SolarWinds CEO Sudhakar Ramakrishna, former SolarWinds CEO Kevin Thompson, Microsoft President and Chief Legal Officer Brad Smith, and Kevin Mandia, CEO of FireEye, the company that first discovered the breach.
The two committees first began investigating the attacks on Dec. 17, and shortly thereafter were briefed by U.S. intelligence and law enforcement agencies.
“It was the private sector that uncovered this attack – not our own government … it is the private sector to whom the government must turn,” Chairwoman of the Committee on Oversight and Reform Carolyn Maloney, D-N.Y., said. “We must demand better cybersecurity practices from our suppliers, as well as increased information sharing with the private sector.”
“We must address persistent challenges in threat information sharing and find more strategic ways to effectively leverage the unique capabilities of the government and the private sector, and our shared goals of data security,” added Committee on Homeland Security Chairman Bennie G. Thompson, D-Miss.
Smith agreed that sharing threat intelligence is of the utmost importance. However, he said the private sector often faces two barriers when sharing information with the Federal government: uncertainty about whom in the government to share it with, and contractual restrictions that limit a contractor to notifying only the affected agency of a breach.
“The government’s contracts impose restrictions on Microsoft and other government contractors in this kind of situation. That was the specific limitation that we encountered when we wanted to notify different parts of the U.S. government of what we were seeing,” Smith said.
“We found that we could only inform the agency that was the victim itself, and we had to ask them to go talk to another person or individual or part of the government, which they did, but it struck us as a barrier that is not serving the government itself very well,” he said.
A Call for Better Cyber Practices and Legislation
Both the private sector witnesses and members of Congress also called for legislation that would impose reporting obligations for cybersecurity breaches.
Chairman Thompson said Cedric Richmond, the former chairman of the Cybersecurity Subcommittee, wrote an amendment included in the House-passed National Defense Authorization Act “that would have established a cyber incident notification requirement,” but the amendment did not pass in the Senate.
“In recent days, I have been encouraged to learn of growing interest in enacting a cyber incident reporting law,” Thompson said. “We look forward to trying again this year and hope we can enact cyber incident notification legislation in short order.”
Smith agreed with Thompson and said, “The time has come to adopt the national law that will impose cyber breach incident reporting obligations. And there are important questions to be considered: to whom should it apply, when should it apply, how should it be administered, to whom should the information go, how should that information be shared. These are all questions for your two committees in the Congress as a whole. But 2021, I believe, needs to be the year that Congress acts, and we use this step to strengthen the security of the nation.”
Additionally, Smith called for the United States to strengthen international law, and the consequences for violating it, to cover “this kind of indiscriminate and disproportionate attack on the software supply chain.”
“We need to strengthen the international rules of the road,” Smith said. “What happened here is and should be a violation of international norms and international law. It is the kind of act that was reckless. It is the kind of act that needs to have consequences. And those consequences need to be based on global standards.”
Ranking Member of the Committee on Homeland Security John Katko, R-N.Y., said he welcomes “the recent announcement by the administration to begin to hold Russia accountable through sanctions … I hope to confirm and I hope they’re severe.”