Consensus is growing around a series of recommendations that the federal government can implement in order to help safeguard both the public and private sectors against major cyberattacks. In the wake of the SolarWinds breach, the Senate Intelligence Committee turned to industry for recommendations on how to ensure that kind of incident doesn’t happen again.
“While many aspects of this compromise are unique, the SolarWinds hack has also highlighted a number of lingering issues that we’ve ignored for too long. This presents us an opportunity for reflection and action,” Committee Chairman Mark Warner (D-Va.) said during a Feb. 24 hearing. “A lot of people are offering solutions, including mandatory reporting requirements … and significantly improving threat information sharing between the government and the private sector.”
These aren’t new suggestions; the Cyberspace Solarium Commission advocated for both of these in its March 2020 report. Sen. Susan Collins (R-Maine) has been calling for mandatory reporting on cyber incidents since at least 2012, when she introduced the Cybersecurity Act of 2012. But while that bill did not pass, experts are starting to come around to her point of view.
“I think the time has come to go in that direction. I think Senator Collins was either ahead of her time or the rest of us were behind our time,” Brad Smith, president of Microsoft, said during the hearing. “We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure that it is put to good use to protect the country, and for that matter, people outside the country. I think we need to decide upon whom that duty should fall; it should certainly fall on those of us in the tech sector who are in the business of providing enterprise and other services. I think it’s not a bad idea to consider some kind of liability protection that will make people more comfortable with doing this. This is about moving information fast to the right place so it can be put to good use.”
One question that still needs to be resolved, however, is which agency should be notified. Warner noted that the FBI is not in the business of information sharing, and that while the Cybersecurity and Infrastructure Security Agency’s “skills continue to be upgraded,” a different model altogether might be needed.
As to what those alternative models might look like, Warner pointed to the Treasury Department’s Financial Crimes Enforcement Network and the National Transportation Safety Board – which has often been held up as the model for the Cyberspace Solarium Commission’s proposed “Bureau of Cyber Statistics” – while FireEye CEO Kevin Mandia pointed to the information-sharing rules of the credit card industry.
“It’s similar to those operating agreements for all the folks who accept credit card use, the Visa operating agreements,” Mandia said. “You literally have 24 hours to start sharing information regardless, once you know. And it’s not based on all the things that you may have lost. You’ve got to get the intel into the hands of the folks that can start safeguarding the nation far faster than what we’re doing today.”
The industry executives, who also included George Kurtz, president and CEO of CrowdStrike, and Sudhakar Ramakrishna, who became CEO of SolarWinds in December, all added the qualification that such a mandatory reporting requirement should be confidential, in order to allow companies to explore liability protections.
Mandia also suggested special consideration should be given to what he referred to as “first responders,” which he defined as anyone involved in investigating an unlawful or unauthorized entry. He suggested that information sharing should be reciprocal, so that any information the government receives about that breach would also be shared with industry first responders.
“Right now, the unfortunate reality is a lot of times we share threat intel, it’s just a public disclosure,” he said. “And it makes people wary to do so. And we slow down the process.”
Aside from mandating information sharing and overseeing dissemination to the relevant parties, Mandia said the two things government can do that the private sector can’t are determining who is responsible for an incident and imposing repercussions. The government is in the best position, he said, to get attribution right, and there can be no repercussions without attribution.
“We’ve got to have some kind of public doctrine,” Mandia said. “We’ve got to communicate where’s the red line. I know we think it’s a tough thing to define. And we admire the problem. But we’ve got to come up with what’s tolerable, not tolerable, [and] communicate it so we don’t see gradual escalation. But to impose risk and repercussions is the purview of the government.”