The SolarWinds Incident May Be the Start of a New Data Breach Notification Law in the US
A malware attack, attributed by U.S. officials to Russian operatives, against company and government systems may prompt new federal regulations.
At the time of publication, lawmakers and top U.S. cybersecurity officials are still struggling to determine how many American companies and federal agencies have been affected.
That number remains unknown, a blind spot that attackers can exploit in further intrusions.
The problem stems from the absence of a federal breach notification law requiring companies and federal agencies to notify the U.S. government when they have been hacked, but a change appears to be coming.
The SolarWinds attack
As they learned more about the SolarWinds hack, congressional committees and lawmakers in both chambers showed willingness to consider creating such a law.
Just last week, lawmakers brought together top tech company executives, including the CEO of SolarWinds, an American company that develops software businesses use to manage their networks, systems, and IT infrastructure.
Russian forces were allegedly behind the SolarWinds hack, though this has not yet been proven. The attackers injected malware into routine software updates, which were then rolled out to as many as 18,000 SolarWinds customers, including government entities and Fortune 500 companies.
Top U.S. government officials have stated that Russian intelligence services were behind the attack and that at least nine federal agencies and more than 100 companies were exposed to the breach.
The big problem
Without a law in place and clear guidance on cybersecurity incidents, companies do not know what to do when they are hacked. They also face a legal barrier: contracts with federal agencies that
“restrict a company like Microsoft from sharing with others in the federal government when a particular agency has been hacked in this way.”
House Homeland Security Chairman Bennie Thompson, D-Miss., warned that without a specific federal law requiring information sharing, tech companies are unable to discuss breaches and attacks with members of Congress or with the Cybersecurity and Infrastructure Security Agency (CISA).
This is not the first time Congress has tried to pass a federal breach notification law. Most recently, Rep. Cedric L. Richmond asked the Department of Homeland Security to establish a cyber incident reporting program overseen by CISA. The measure won bipartisan approval but failed to pass the Senate, and so never became law, after the U.S. Chamber of Commerce objected and called for its rejection, arguing that it had not gone through "regular order" in committees and that forcing companies to report breaches "undercuts public-private cybersecurity collaboration" and voluntary information sharing.
Following the SolarWinds attack, Congress has taken renewed interest in enacting a federal law requiring breach notification.
Rep. Michael McCaul, R-Texas, a former chairman of the House Homeland Security Committee, said he is working with Rep. Jim Langevin, D-R.I., a member of the Cyberspace Solarium Commission, on draft legislation that would require notification of cyber intrusions and would standardize intelligence sharing between "critical infrastructure" operators and the government.