Hacking Campaign Fuels Calls for Information Sharing Mandate

Democrats and Republicans of the Senate Intelligence Committee, as well as key private-sector victims of a massive hacking campaign that compromised several federal agencies, were united on the need for mandatory reporting of cybersecurity incidents during a hearing on the breaches. 


The committee heard Tuesday from leaders of network management company SolarWinds, cybersecurity firm FireEye, and tech giant Microsoft—all of which were victims of the campaign—as well as the CEO of CrowdStrike, which is working with SolarWinds on the company’s investigation of the hack.


Intelligence Committee Chairman Mark Warner, D-Va., praised the witnesses for coming forward while expressing disappointment, along with a number of Republican senators, that a representative from Amazon Web Services declined a request to provide testimony.


Warner suggested, and Microsoft President Brad Smith agreed, that other companies could have been similarly involved but are opting not to publicly disclose anything. 


“When a large enterprise like Amazon is invited, they ought to be participating,” Warner said. “There are other brand-name, known IT and software and cloud services that may have been vulnerable to this kind of incident as well.” 


Warner said if it weren’t for FireEye’s voluntary reporting of the intrusion, officials might still be in the dark.


Responding to a question from Sen. Martin Heinrich, D-N.M., about limitations on information sharing in contracts between agencies and their vendors, Smith said there is an opportunity to reform the 2015 Cybersecurity Information Sharing Act so that details can flow freely across the government.


On the private-sector side, companies have largely resisted sharing information about cybersecurity incidents due to a fear of liability, as SolarWinds CEO Sudhakar Ramakrishna said Monday.