Warner, Cornyn Say It’s Time for Cyber Notification Legislation
Senate Intelligence Committee Chairman Mark Warner, D-Va., and Sen. John Cornyn, R-Texas, suggested Tuesday it might be time for legislation on mandatory notification requirements for cyberattacks. Microsoft and FireEye executives agreed with the suggestion, which would include liability protection, during a hearing on the SolarWinds breach (see 2102180043).
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Cornyn referenced legislation previously floated by him, Sen. Susan Collins, R-Maine, and then-Sen. Joe Lieberman, I-Conn. Cyber victims should be obligated to share what they know with the appropriate authorities, said Cornyn. He likened it to phone companies having similar liability-protected disclosure obligations to intelligence agencies.
“The time has come,” said Microsoft President Brad Smith, saying Collins was ahead of her time. Notification should be confidential, said FireEye CEO Kevin Mandia.
Collins agreed with Warner and Cornyn. She noted the legislation with Lieberman was defeated on the Senate floor in 2012 due to a lobbying effort from a “large business group,” which itself was hacked while fighting the bill. She said Amazon has an obligation to voluntarily cooperate with the committee, and if it doesn’t, leadership should consider other options. If Congress moves forward with a proposal, there needs to be feedback from industry about reporting obligations to customers, said Sen. Roy Blunt, R-Mo.: “We can work on that.”
Warner made the suggestion in his opening remarks, asking why there shouldn’t be mandatory reporting requirements. He noted Amazon, whose infrastructure was breached in the attack, declined to testify. Ranking member Marco Rubio, R-Fla., suggested the company was “too busy” to participate. Amazon didn’t comment.
Rubio and Warner credited FireEye, which investigated its own network in November and detected the breach. Had it not detected this in December, the U.S. could still “be in the dark,” said Warner. Rubio described the attack as the “largest cyber supply chain operation.”
There's great risk of automated supply chain attacks through many software development companies because SolarWinds’ software processes are common across the industry, said SolarWinds CEO Sudhakar Ramakrishna. The company published its findings so other software developers can understand the breach, he noted. The evidence from the attack is most consistent with behaviors “we’ve seen out of Russia,” said Mandia.
The intruder took advantage of systemic weaknesses in Windows authentication architecture, “allowing it to move laterally within the network as well as between the networks and the cloud” and use false credentials to bypass multifactor authentication, said CrowdStrike CEO George Kurtz. The attacker modified the build process, not source code, said Mandia. The build process is the last step before code becomes “production” for buyers and customers, he explained. He noted the attacker did a dry run in October 2019 with an innocuous implant. The malware “slept” for 11 days after it was installed, making it harder to detect, he said: It could shut down programs from CrowdStrike, FireEye and Microsoft.
Warner asked if the U.S. needs something like the National Transportation Safety Board or another public-private entity that can “immediately examine major breaches to see if we have a systemic problem.” It’s likely that a foreign adversary’s A-team can breach most companies, but that’s not an excuse to “do nothing,” he said.