The Cybersecurity 202: Congress mulls legislation to require companies to report major cyberattacks

Lawmakers have debated the issue for more than a decade without much success in passing legislation. What’s different this time is companies are actively urging Congress to take swift action. They say failure to do so puts national security at risk.

“I don’t think there’s ever been more organizations breached at one time. We’re at a world record right this minute,” says Kevin Mandia, chief executive of cybersecurity firm FireEye. “So obviously we have got to do something differently than what we’re doing … Whatever is currently in place has led us to a situation that’s the worst I’ve ever seen in my career.”

FireEye initially discovered the SolarWinds breach and reported it to the government. The company had no legal obligation to do so, however, raising concerns among lawmakers that the Russian hacking campaign could have gone unnoticed for months longer.

Lawmakers want to avoid that possibility in the future. But ironing out a new law that improves information sharing between the private sector and the government comes with serious challenges. The private sector says it’s critical the government provide a way for it to share data about attacks without having to reveal which customers were affected. Lawmakers worry too much leniency could provide a shield for negligent companies seeking to avoid liability for poor cybersecurity.

Mandia stressed companies such as his need a way to share threat intelligence before having to publicly disclose an attack or its victims. Disclosing a possible attack to the public too early could create confusion and put customers at risk, he argues. But waiting until a company knows all the details of an attack slows down work by law enforcement to help stop the hack from getting worse or affecting more victims.

“One thing that does come up frequently is the importance of being able to protect customer identity before going public with a breach,” says Aaron Cooper, vice president of global policy at BSA Software Alliance, a trade group that represents companies including IBM and Microsoft. “They want to make sure that they’re not required to disclose a vulnerability before it’s patched.”

Mandia, alongside Microsoft President Brad Smith and SolarWinds chief executive Sudhakar Ramakrishna, stressed in two congressional hearings last month that companies need greater protections from liability for the breaches to facilitate sharing information with the government.

So far no one has offered up which specific liabilities a new law should shield companies from. But Mandia says that companies are up against an array of them.

“Shareholder liabilities, market cap liabilities, legal liabilities, constant inspection of your team — there’s basically no upside the minute you disclose a breach,” Mandia says. “Whether that breach put American citizens in harm’s way or customers in harm’s way is immaterial. You still get those liabilities.”

In 2015, Congress passed legislation opening the door for companies to voluntarily share cybersecurity incidents with the federal government.  The law responded to concerns from companies they didn’t have legal authority to share that information with the government, says Suzanne Spaulding, a former Department of Homeland Security official during the Obama administration and senior adviser at the Center for Strategic and International Studies.

“The 2015 law said that you can share information [that could be used to identify malicious activity] without worrying about having any liability for sharing that information, and I think that was always a little bit confused and garbled,” Spaulding says. “[Companies] thought it was a get-out-of-jail-free card —  if you share that information with the government you can’t be held responsible for what happened in the breach.”

Industry dissatisfaction with the law has come across loud and clear in recent debate. 

Smith at last month’s hearing expressed frustration about not being able to notify all government clients at once when the company found out some had their email compromised by the SolarWinds attack.  Mandia pointed to a need for a central clearinghouse for companies to report attack data. 

Cooper says some BSA members also have expressed dissatisfaction with the current system for sharing information about possible attacks.

Spaulding says any new regulations will have to weigh competing policy objectives: using liability to incentivize companies to take reasonable care of their cybersecurity infrastructure and data, and getting companies to report valuable information about attacks to the government.

“How do we maximize our ability to achieve both of those objectives?” is the question, she says.

“We want to give certainty in terms of when customers would need to be notified and when it’s important to report to the government when you have an incident,” says Rep. Jim Langevin (D-R.I.). Langevin is working alongside Rep. Michael McCaul (R-Tex.) to introduce a pair of bills ironing out which incidents require reporting to the government and when a breach needs to be reported to the public. 

The Federal Trade Commission probably would have some role in arbitrating when a company needs to disclose a breach to customers. With the exception of health and financial data, most breach reporting is currently subject to a patchwork of state laws.

Langevin says the urgency created by SolarWinds gives new legislation a better chance at passing than previous attempts.

“I do think the bill has a future. It’s certainly timely and necessary,” Langevin says.

The Biden administration also recently announced it has a team working on addressing industry barriers to sharing incident data with the government.

Even as lawmakers and companies iron out the details of a compromise, they agree on one thing: Something must be done.

“There is no pretty plan. Inaction is not an alternative,” Mandia says. “Even if it’s imperfect, it’s certainly better than staying on our heels, taking the browbeating that we’re getting in cyberspace.”

The school system’s superintendent said that classes were canceled and the FBI is investigating the Friday morning cyberattack, the Buffalo News’s Sandra Tan reports. The attack 

A school official said in a memo that “at this time, no demands have been made; however, the FBI has found out that ransom may be between $100-300K and could be negotiable.” The superintendent, who approved an emergency contract for cybersecurity firm GreyCastle to work on the investigation, wrote in a letter that there is no indication that personal information was exposed in the attack.

The breach comes after a record-breaking year for hackers targeting schools. Attacks on schools increased by 18 percent last year, researchers said last week, hitting schools especially hard amid the pandemic.

A user of a forum specializing in database breaches said they obtained payment data from 24,000 customers after the FBI let a seized domain from WeLeakInfo lapse, Brian Krebs reports. Last year, the Justice Department seized the site, saying it contained searchable records from 10,000 data breaches.

Cybersecurity company Flashpoint said the records contained a vast swath of information including full names, addresses, phone numbers and Internet protocol addresses. The breach comes amid breaches of popular hacking forums and their user data.

Users of digital art marketplace Nifty Gateway said their accounts, which had certificates showing they were the legitimate owners of the art, were stolen and looted, CyberScoop’s Shannon Vavra reports. The hack comes amid a surge in popularity for the art, which has fetched record sums at auction.

The marketplace said in a statement that its platform had not been compromised. It added that a “small number of users” who were affected did not use multi-factor authentication, and that access to their accounts was “obtained via valid account credentials.”

For just $16, the hacker manipulated software that allows businesses to send text messages from a single account to divert Vice reporter Joseph Cox’s text messages away from his number to a different account, Cox reports. Multiple phone carriers are vulnerable to the attack, according to the hacker, who said “it’s basically the wild West.” The hacker’s activities were approved by Cox.

CTIA, a trade association that represents major phone carriers, said that “after being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures.” The group said carriers have not been able to replicate the hack, and that there are no indications that customers were maliciously affected.

“It’s not hard to see the enormous threat to safety and security this kind of attack poses,” Senate Finance Committee Chairman Ron Wyden (D-Ore.) said in a statement. “The FCC must use its authority to force phone companies to secure their networks from hackers.”

Some Twitter users renewed their calls to move off text message-based two-factor authentication. Democratic Congressional Campaign Committee Chief Technology Officer Erica Joy:

Former CIA counterterrorism analyst Aki Peritz:

• President Biden plans to nominate Christopher Fonzone, a partner in Sidley Austin’s privacy and cybersecurity group, as the Office of the Director of National Intelligence’s general counsel. Biden plans to nominate Leslie Kiernan as the Commerce Department’s top lawyer. Both held positions in the Obama administration.

• Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, discusses cybersecurity at an event hosted by Auburn University’s McCrary Institute at 3 p.m. today.
• Homeland Security Secretary Alejandro Mayorkas testifies before the House Homeland Security Committee at 9:30 a.m. on Wednesday.
• Paul Zajac, the head of strategic affairs and cybersecurity at France’s foreign ministry, speaks at a German Marshall Fund of the United States event on cyber norms on Wednesday at 10 a.m.
• Cybersecurity and Infrastructure Security Agency acting director Brandon Wales; Christopher DeRusha, the federal chief information security officer; and Tonya Ugortez, an FBI deputy assistant director for cybersecurity, testify at a Senate hearing on the cyberattack on SolarWinds and other software on Thursday at 10:15 a.m.
• The House Energy and Commerce Committee holds a hearing on infrastructure legislation on March 22 at 11 a.m.