Microsoft and FireEye push for corporate breach reporting rules
The two firms believe companies should be able to report breaches without legal retribution


Microsoft and FireEye executives have urged Congress to create laws requiring firms to disclose security breaches in the wake of the SolarWinds hack.
According to The Hill, Microsoft president Brad Smith said in written testimony to the Senate Intelligence Committee there is a “need to impose a clear, consistent disclosure obligation on the private sector.” He added that “silence reigns” when companies are hacked.
“This is a recipe for making a formidable problem even worse, and it requires all of us to change,” he added. “We need to replace this silence with a clear, consistent obligation for private sector organizations to disclose when they’re impacted by confirmed significant incidents.”
FireEye CEO Kevin Mandia, whose company discovered the breach, said companies should be able to report breaches that could have national security ramifications without fear of retribution.
“The US government should consider a federal disclosure program for not only sharing threat indicators but for also providing notification of a breach or incident,” he said.
According to White House officials, the SolarWinds breach affected nine federal agencies and 100 private companies. Intelligence officials have said the attacks likely originated in Russia.
Smith added that substantial evidence points to the Russian foreign intelligence agency and nowhere else. He and Mandia said companies such as theirs had no legal obligation to disclose breaches, but had a “duty nonetheless” to customers, the government, and the public.
“We will not secure this country without that kind of sharing,” said Smith.
Currently, breach notification occurs at the state level, and years of federal efforts to develop laws have netted no changes. This means the full extent of breaches remains unknown.
Mandia added that while the SolarWinds breach was stopped, another will happen, and this highlights the need for stronger breach notification requirements.
“This attacker, maybe their pencil is down for a few months, but the reality is they are going to come back,” Mandia said. “How they break in is always evolving, and all we can do is close the window and close the security gap better next time.”
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.