At a joint hearing of the House Oversight and Homeland Security Committee about the SolarWinds-related espionage campaign, Rep. Michael McCaul, R-Texas, said that he and Rep. Jim Langevin, D-R.I., are working on legislation to require companies to notify the federal government after similar breaches.
The Friday House hearing was the second hearing of the week on the topic, with the Senate Intelligence Committee holding a similar hearing on Tuesday. It was the House's first public opportunity to interrogate key figures in companies tied to the attack, which involved malicious update in SolarWinds Orion IT management platform to breach a number of federal agencies and companies, including Microsoft and the security firm FireEye.
Like the senate hearing, a common suggestion for policy repeated by both lawmakers and witnesses was the need to require businesses or breach responders to disclose grievous breaches to the government in some form.
McCaul said that he was working with Langevin along those lines.
"Mr. Langevin and I are working on mandatory notifications of breaches [or] any cyber intrusions," he said.
"This can be done by taking sources and methods and company names out to protect them. As you have a duty to shareholders they would just simply send threat information itself" to Cybersecurity and Infrastructure Security Agency, he explained.
While McCaul had no further detail on what the proposal would be, much of the hearing was devoted to how these kinds of laws might work. One issue that frequently arose was how to balance the liability protection against the duty to protect consumers. Another issue was who the notifications would go to, be it law enforcement, intelligence or a more neutral agency like CISA.
Another issue is which companies would be most appropriate. As FireEye CEO Kevin Mandia testified, casting too broad a net could actually be counterproductive.
"A lot of disclosure creates fear, uncertainty; and it's unnecessary," he said. "Most organizations when they have a breach lacked the expertise to get a full scope of 'what did we lose and what should we do about;' they can't do it. And they're just going to scare the heck out of everybody by saying
'hey we had a breach.'"
Rep. Katie Porter pressed Microsoft President Brad Smith over whether whistleblower protections would be an appropriate way to encourage notification of government. Smith replied that putting a notification rule in place would be a better solution.
The hearing was also the first public venue for either chamber to hear from Kevin Thompson, the chief executive of SolarWinds at the time of the breach.Thompson and current SolarWinds CEO Sudhakar Ramakrishna shot back at lawmakers who grilled them about reports of a lax security culture at the firm, including guarding update servers with the leaked password "solarwinds123" and not hiring a chief information security officer until after the breach.
On the password leak, Thompson said it was not a company-wide issue, but rather an intern who violated company password policy.
"So that related to a mistake that an intern made. They violated our password policies and they posted that password on their own private GitHub account," said Thompson. "As soon as it was identified and brought to the attention of my security team, they took that down."
Porter said she had a stronger password to block her kids from watching too many videos on YouTube.
Regarding the lack of chief information security officer, Ramakrishna and Thompson both said that prior to having a position by that name, they had a vice president of security who handled a similar set of duties.
Representatives frequently asked about whether base standards for cybersecurity needed to be improved in general, and whether legislation might play a role.
"I'm not convinced compliance in any standards regulation or legislation would stop Russian Foreign Intelligence Service from successfully breaching the organization," said Mandia.