The News: In response to recent cybersecurity breaches, a bipartisan legislative effort has been announced. Rep. Michael McCaul (R-Texas) and Sen. Jim Langevin (D-R.I.) are working on legislation that would require companies to notify the federal government in the event of a security breach. Read more at SCMedia.
Bipartisan Lawmakers Work Toward Disclosure Bill for Cybersecurity Breaches
Analyst Take: In the wake of the SolarWinds security breach, which impacted numerous federal agencies, lawmakers are beginning to understand that relying on companies to self-police when they experience breaches is perhaps not the most reliable route to swift action to mitigate the resulting damage.
Today, only a few weeks after lawmakers appeared at a joint meeting of the House Oversight and Homeland Security Committees and advised that they are working on legislation to require reporting, we’ve added the Microsoft Exchange Server hack to the list of very big, very troubling breaches that have occurred in recent times.
Espionage, R&D Information and Data Grabs the Motive Behind Attacks
Both the SolarWinds and the Microsoft Exchange Server attacks were orchestrated by nation state threat actors either for purposes of espionage or massive data grabs from both the federal government and private companies — or both.
We’ve also seen news in recent months of hackers targeting vaccine data by way of global phishing campaigns with China, Russia, North Korea, and Iran all suspected of efforts to steal COVID-19 vaccine information.
Federal investigators believe the SolarWinds attack was the work of Russia’s Foreign Intelligence Service who have a track record of targeting government entities. Following the initial discovery of the SolarWinds hack, however, it is also believed there was a second SolarWinds hack that further compromised government systems, allegedly perpetrated by the Chinese. Reuters reported that the hackers breached the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, which exposed thousands of federal employees’ records. Separate groups of hackers targeting the same software product vulnerabilities is not unusual, and in fact, to be expected.
The Microsoft Exchange Server attack is believed to be the work of a state-sponsored group from China called Hafnium, targeting zero-day vulnerabilities in Exchange Server that the attackers had been quietly exploiting. Microsoft is believed to have been advised of the bugs in early January by a security expert. Microsoft released patches to address the vulnerabilities on March 2nd, which left a wide window of opportunity for the vulnerabilities to be exploited — and they were.
Lag Time in Discovery and Reporting Security Breaches is Problematic
In the cases of both the SolarWinds and Microsoft Exchange Server hacks, the security breaches were discovered not by the companies themselves, but by outside cybersecurity experts who found them and immediately issued alerts.
The scope of the problem, and the reason lawmakers are exploring security breach reporting requirements, is simple to illustrate: the names we know as a result of two of the biggest security breaches of the last year are SolarWinds and Microsoft. There are thousands of other organizations affected by these breaches, including government entities and companies of all sizes.
We know the identity of some of the government entities, but there is much less information available on the American companies who have been in some way compromised as a result of these or other security breaches.
Hence the pressing need for businesses or breach responders to disclose breaches to the U.S. government in some defined way and within a set time period after discovering the incident.
Security Executives Testify, Say Federal Guidance Needed
In the aftermath of the SolarWinds attack, executives from FireEye, the cybersecurity company that discovered and reported the attack, along with Microsoft executives, told members of Congress that while they came forward voluntarily and reported details of the attack, there was no requirement for them to do so. There are also nuances that impede reporting and damage control, revolving around privacy requirements in vendor contracts with federal agencies; as a result, notification is convoluted and clumsy.
Therein lies the rub, and an undeniable chasm in our national security posture.
FireEye CEO Kevin Mandia told lawmakers that state laws alone don’t provide sufficient protection. For instance, state data breach laws require notification to consumers of a breach of personally identifiable information; if no PII is compromised, there is no duty to report.
The good news from all of this is that while Congress has tried and failed to pass federal breach notification laws in the past, the high-profile nature of both the SolarWinds and Microsoft Exchange Server hacks, both of which targeted not only government agencies but also organizations the world over, should hopefully compel greater interest in enacting mandatory cybersecurity reporting legislation.
From a federal government standpoint, outdated systems and procedures, along with a shortage of tech skills and cybersecurity strategy expertise, no doubt play a role. Tech executives have called for putting the Cybersecurity & Infrastructure Security Agency (CISA) in charge of securing the computer networks of the entire federal government outside the military, which is handled by the U.S. Cyber Command. Of note, Chris Krebs served as the Director of CISA from November 2018 to November 2020. It was his responsibility to oversee the security of the November 2020 presidential election, and after calling the 2020 vote “the most secure in American history” he was summarily dismissed by then President Trump. Following his dismissal, Krebs teamed up with Alex Stamos, former Facebook chief security officer, to form a new cybersecurity consulting firm. Their first client: SolarWinds. In an interview with the Financial Times, which broke the story of Krebs’ hiring, Krebs said that it could take years before all of the compromised systems can be made entirely secure again.
While that shouldn’t be surprising to anyone immersed in the business of cybersecurity, it’s entirely possible that for many organizations, security isn’t yet a boardroom-level, foundational, critical business strategy action item. That needs to change. Cybersecurity threats affect every aspect of an organization, whether it is a publicly traded company, a private company, or a government entity. Outdated infrastructure, a lack of internal expertise, a lack of knowledge about the risks that both hardware and software pose throughout the organization, and a lack of understanding of the technology solutions available all play a role here. That’s part of the reason our team is excited about Confidential Computing, a technology still in its nascent stages, but one that will provide the protection organizations need in some really innovative ways. More on that in a soon-to-be-published research brief.
My partner, Daniel Newman, and I covered these recent attacks and their impact on organizations from both a financial and a leadership standpoint; it was the first of several conversations we’ll have on the topic of security and Confidential Computing. If that’s of interest, you can check out that conversation here:
This work by lawmakers toward a disclosure bill for cybersecurity breaches helps everyone involved — hopefully this time around it will make it into law.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.