SolarWinds CEO Recommends Liability Protections for Sharing Information about Incidents 

While it’s not especially a concern for SolarWinds itself, Congress could improve cybersecurity by passing regulations that would protect companies from being punished if they report incidents to the government, the company’s CEO Sudhakar Ramakrishna said.

Ramakrishna is set to appear before multiple Congressional committees this week in the wake of a compromise at the Texas-based network management company that played a significant role in widespread breaches of its customers, including several government agencies and major private companies. Ramakrishna joined SolarWinds as CEO after the incident was revealed.  

During a virtual event Monday with the Center for Strategic and International Studies’ Suzanne Spaulding, he said creating liability protections or incentives for information sharing is one of three things he’d ask Congress to address.

“A lot of victims, as you mentioned … are hesitant to come out about exfiltration of data or attacks or information,” he said. “That could be because of liability concerns and other potential punitive concerns. So providing regulation and helping them and giving them comfort to step forward and step quickly and step in a timely fashion with information will, I believe, help us all be more safe and secure.” 

Spaulding, a Cyberspace Solarium Commission member and former leader of the Department of Homeland Security’s cyber directorate, noted that Congress already provided some liability protections in the Cybersecurity Information Sharing Act of 2015, but suggested those might need to be broader.   

“What the Solarium determined is that we need to go beyond simply sharing threat indicators, for example, and pushing information back and forth at each other, to get to a place where we share understanding, where we share insights, where we are collaborating to understand what’s happening and how to respond and recover.”
