After two major hearings on Solarigate, one domestic policy proposal grabbed the spotlight: requiring organizations to alert the government to major cyber incidents in the interest of national security. Experts say the idea has merit – if only legislators can balance the promise with the potential liability and burden placed upon industry.
The SolarWinds affair, where an actor believed to be Russia used malicious updates in the SolarWinds IT platform and other vectors to hack several government agencies and private firms, came to light when FireEye publicly came forward as a victim.
But what if they had opted not to do so? There is currently no law that requires FireEye or any company to alert the government publicly or privately. Many believe there should be.
"This issue has been looked at before. And I think there's a lot more momentum now," said Christian Auty, a partner in Bryan Cave Leighton Paisner's privacy and security practice.
Indeed, lawmakers from both chambers and both parties suggest some form of legislation. Witnesses from FireEye, Microsoft, CrowdStrike, and SolarWinds all agreed it was a sturdy idea. But several problems are immediately evident – liability, anonymity, breadth and trust. SC Media spoke to legal, government and security experts to understand the obstacles and potential solutions.
Progress toward a bill
Rep. Michael McCaul, R-Texas, said in the February House hearing that he and Sen. Jim Langevin, D-R.I., were already working on a disclosure bill.
“Mr. Langevin and I are working on mandatory notifications of breaches [or] any cyber intrusions,” he said. “This can be done by taking sources and methods and company names out to protect them. As you have a duty to shareholders they would just simply send threat information itself" to the Cybersecurity and Infrastructure Security Agency," he explained.
Langevin's office told SC Media there would actually likely be two notification bills, corresponding to two recommendations of the Cybersecurity Solarium report. One would focus narrowly on national security-related incidents, providing the kind of specific intelligence CISA could use to head off nation-state campaigns in progress. The other would require general notification of breaches to the Federal Trade Commission for assistance conforming to regulations and privacy laws.
The former would be the latest iteration of the kind of federal incident notification lawmakers hope would stifle the next SolarWinds scale attack. But it would not be the first. Another bill intended to smooth disclosure of such breaches to the federal government came in 2012, introduced by Susan Collins, R-Maine, and then-Sen. Joe Lieberman, I-Conn.
That effort ultimately failed. But recent events could inspire alternative solutions, Auty said, to encourage organizations to come forward without providing full liability protection. McCaul specifically mentioned anonymous reporting in fact. But organizations might not find those solutions sufficient on their own.
"There will still be concerns on the part of the company that no, this is going to get traced back to me," said Auty. "And when it does, I'm going to have contractual and other liabilities. Anonymous reporting is valuable as a partial solution, but functionally anonymous reporting may not be possible in all situations."
Identifying a clearinghouse
Lawmakers may run up against industry skepticism of how the government uses data, said Tobias Whitney, vice president for energy at Fortress, a firm that facilitates industry information sharing solutions. This is more likely if legislation requires notification of a law enforcement agency or a regulator, versus CISA or Homeland Security, which may be seen as a more neutral arbitrator.
Even CISA lacks the level of trust with industries held by sector-specific Information Sharing and Analysis Centers, Whitney said.
"Right now I'm not sure if industry perceives CISA to have the capacity as a hub."
The perception from industry — and quite likely the reality, per Whitney — is that sector-specific groups are better situated to understand the context of any data that is being shared. ISACs are also traditionally better at getting usable information back into their members' hands than the government. Whitney suggests that maybe the best solution would be to mandate reporting not to Washington but to those industry groups who would forward along information as appropriate.
"Maybe CISA is not necessarily entire wheel. Maybe they're more of a spoke, providing conductivity across the wheel, ensuring that there's horizontal communication happening to the other sectors," he said.
Using ISACs as the first clearinghouses for information might solve another problem raised at the hearing: Not all organizations are capable of understanding the nuance of whether their specific cyber incident rises to a level of national security calamity. Given the number of cyber incidents each year, someone needs to filter the signal from the noise for this to be a useful tool. ISACs could be that filter.
The filtering problem is the flip side of another problem raised at the hearing – limiting businesses' regulatory burden. Reporting carries a business cost. If some of the data is worthless, that cost was spent for little reason.
Brad Smith, President at Microsoft, suggested at the hearing that it would make the most sense to limit reporting requirements to targeted industries and infrastructures. Big tech firms, like his, he said, would be a no-brainer.
Kevin Mandia, chief executive of FireEye, added at the hearing that a requirement for "first responders" to report would also be useful. First responders — contractors doing incident response or analyzing telemetric data — have a good understanding of what activity could signify a nation-state.
Mandia also suggested that everyone may benefit from small and medium-sized businesses being exempt from reporting. Companies without large defensive capability might not know what they are looking at during a breach, and may cause more panic than benefit by coming forward.
But Kiersten Todt, managing director of the small business cybersecurity advocacy group the Cyber Readiness Institute, pushed back on that argument.
"No entity should not be encouraged or asked or regulated, to share information when they've been breached," she told SC Media. With increasingly interconnected supply chains, excluding the most vulnerable targets would introduce blind spots that could reverberate across industries.
Todt, a veteran of several government homeland security and cybersecurity advisory posts, argued that the risk of causing panic only exists if companies go forward to the press – not if companies report anonymously and secretly to the government.
She suggests investment in the infrastructure to help small businesses assess networks to better identify breaches. That could come in the form of government help or industry groups.
"You may say small businesses don't need that extra burden. I agree that they don't need an extra burden. But we need to make it an opportunity for them to be a part of the global infrastructure," she said, adding that proper support would also promote universal buy-in.
"I don't think that any company would learn about a nation state and want to hold it close to their chest," she said.
