
U.S. tech execs, lawmakers suggest hack reporting requirement


Microsoft’s CEO said before Congress that it is time to impose a cyberattack ‘notification obligation on entities in the private sector.’

Senators and tech leaders are calling for the U.S. to require companies to disclose when they’ve experienced a data breach.

(Bloomberg) — A bipartisan group of senators on Tuesday, Feb 23, recommended that the U.S. consider requiring companies to disclose when they have been hacked.

At the first public hearing before Congress since a massive cyberattack by suspected Russian hackers was disclosed in December, Senate Intelligence Committee Chairman Mark Warner (D-Va.) was joined by the vice-chairman of the committee, Senator Marco Rubio (R-Fla.), in calling for the measure. Several others, including Senator Angus King, an independent from Maine, also voiced their support, as did several of the tech executives who were testifying.

There is currently no federal data breach notification law.

“It is time not only to talk about but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector,” said Microsoft Corp. President Brad Smith. “I think it is the only way we’re going to protect the country, and I think it is the only way we’re going to protect the world.”

FireEye Inc. Chief Executive Officer Kevin Mandia said he supported a requirement that companies notify an appropriate government agency about being hacked. But he urged that it be confidential to encourage companies to participate amid liability concerns.

Tech executives speak out

The hearing before Warner’s committee on Tuesday included Sudhakar Ramakrishna, the CEO of SolarWinds Corp., the Texas-based software firm that the hackers compromised as part of the attack. He told the committee that the tool hackers used to compromise the company’s software “poses a grave risk of automated supply chain attacks” across the software industry.

The senators mostly used a light touch in questioning Ramakrishna — who started at SolarWinds in January after the hack was disclosed — about his company’s responsibility in the massive cyberattack. He said his company is investigating three possible ways the attackers may have gained access to the company’s networks but hasn’t reached a conclusion.

The senators were much tougher on Amazon Web Services for not appearing at the hearing despite an invitation. According to SolarWinds, its Orion software platform, which was compromised by the hackers, could be deployed by customers on AWS among other cloud platforms.

“The operation we will be discussing today used their infrastructure, at least in part,” Rubio said. “Apparently, they were too busy to discuss that here today.”

Amazon.com Inc. didn’t immediately respond to a request for comment.

The hackers responsible for the incident inserted malicious code into SolarWinds’s software, which was delivered to as many as 18,000 customers through software updates, though fewer are believed to have been targeted with additional hacking.

The White House has confirmed that the hackers leveraged this access to breach more than 100 companies and nine U.S. agencies with follow-on hacking aimed at espionage.

Mandia, of FireEye, said the attackers were “exceptionally hard to detect.” He added that the hackers appeared to be highly concerned with remaining hidden. “The minute you could detect these folks and stopped them breaking through the door, they sort of evaporated like ghosts until their next operation.”

FireEye discovered the hacking campaign while investigating a breach of its own networks. Mandia said in his prepared remarks that the company found an intrusion in late November and determined that a third party had accessed its network without authorization. FireEye disclosed the cyberattack in December.

Smith told the committee that Microsoft’s threat hunters and engineers analyzed the attack and estimated there were 1,000 developers who worked on the attack. “It is the largest and most sophisticated operation of this sort that we’ve seen,” he said.

Another witness at the hearing, George Kurtz, the co-founder and CEO of CrowdStrike, the cybersecurity firm hired by SolarWinds for incident response, called for improvements to federal cybersecurity. He said old computer systems and compliance rules “detract from their core security work.”

While a mandatory data breach notification law is one mechanism by which Congress could improve U.S. cybersecurity, the prospects of passing such a law in 2021 are slim given competing COVID-19 relief priorities, according to Dominique Shelton Leipzig, a privacy and cybersecurity attorney at Perkins Coie LLP.

“Realistically, the chances of getting a federal omnibus privacy and data security law are looking more likely to happen next year,” she said.

Businesses want a federal law since they currently have to comply with differing data breach notification laws in all 50 states, she said. “This is the perfect example where companies are calling out for guidance both on the privacy and data security side,” she said.
