Mandatory breach reporting bill on deck, lawmakers say

Key industry leaders welcomed the prospect of a first-ever national cybersecurity breach reporting law for private companies, as floated by members of Congress from both parties at a hearing on Friday to look at the fallout from a massive hack linked to vulnerabilities in SolarWinds' IT management software.

Rep. Michael McCaul (R-Texas) announced that he and Rep. Jim Langevin (D-R.I.), both members of the House Homeland Security Committee are working on a bill that would establish the Cybersecurity and Information Security Agency as a kind of 911 for breach notification. McCaul said his legislation is designed to protect companies from repercussions in the market by removing sources and methods and company names out of reporting.

"It would just simply send a threat information itself to CISA so that they could deal both industrywide and federal government wide and state, the threat information they would need to address it on a larger scale," McCaul said at a joint hearing of the House Committee on Oversight and Reform and the House Homeland Security Committee on Feb. 26.

Microsoft President Brad Smith supported notification legislation at the hearing and noted that there are victims of the hack who have not identified themselves to the public as having been hit.

"Some of the largest companies in our industry, that are well-known to have been involved in this that still have not spoken publicly about what they know," Smith said. "There's no indication that they even informed customers. And I'm worried that…to some degree some other companies, some of our competitors even, just didn't look very hard."

The hack has affected about 100 private firms and at least nine federal agencies, but it appears from testimony at the hearing that the hackers were particular about what they were looking for.

According to information shared by Langevin in his questioning, about 77 individual email accounts were accessed in the hack, which has been said by federal officials to have been likely perpetrated by Russian intelligence. That number, Langevin observed is quite small when compared to the total number of accounts across the thousands of organizations that installed compromised SolarWinds' code.

"I think that was indicative of the stealthy practices that this actor tends to deploy, namely, to take great care to be very discreet," Smith said.

“The damage assessment's going to be based on the content of the emails," FireEye CEO Kevin Mandia said. "How that information is intended to be used -- we don’t know. That's the problem. We have to get our arms around all the content, and all the potential use and misuse of all that content."

SolarWinds CEO Sudhakar Ramakrishna, said it is closer to understanding how the malware was injected into company updates for its Orion IT management software product.

They're focused on three possibilities, he said. One is the password spraying; the next, credential theft, and the third is through a vulnerability in third party software used by the company in their on-premise infrastructure.

"Just like other companies on this witness stand, we use a lot of third-party software as well, and we are looking at it in those three dimensions at this point. We are evaluating several petabytes of data to be able to sift through this in the hopes that we can pinpoint patient zero in this context," Ramakrishna.

Lawmakers also honed in on a claim from SolarWinds that one possible vector of compromise was the use of an insecure password -- SolarWinds123 – to provide access to company servers.

"I've got a stronger password than SolarWinds123 to stop my kids from watching too much YouTube on their iPad. You and your company were supposed to be preventing the Russians from reading Defense Department emails," Rep. Katie Porter (D-Calif.) said to Ramakrishna.

"Do you agree that companies like yours should be held liable when they don't follow best practices, yes or no," Porter added. Ramakrishna didn't answer directly, but the issue of liability has proven a sticking point for breach notification legislation in the past.

As far as how hackers got into U.S. federal government networks, witnesses told lawmakers that once hackers were in a network, they were able to take advantage of lapses in basic cybersecurity practices. It’s likely they were able to access Justice Department accounts using methods like stealing passwords, Smith said.

Some lawmakers also asked focused questions about cloud migration and threat hunting, the practice of looking for cyber threats in a network proactively.

The ability for CISA he ability to conduct threat hunting on federal agency networks, as provided by the 2021 NDAA, is "exactly the right thing to do," Mandia said.

Rep. Gerry Connolly (D-Va.) asked how the federal government can support private companies that threat hunt on federal networks.

The most important step will be centralized cyber breach reporting, Smith told him, as well as sharing information back out to the private sector. The area will need more legislation, he said.

One hurdle Congress will also need to address is the ways that agencies restrict contractors from sharing their cybersecurity information about what they are seeing with other parts of the federal government.

"One of the specific things that we had to do in December was go to each agency, tell them that we had identified that they were a victim of this and then we had to say, 'you need to go over to this person in the other part of the government to let them know. Please do that, we cannot do that for you,'" Smith explained.