Intelligence leaders push for mandatory breach notification law

The leaders of the nation’s intelligence agencies on Wednesday joined bipartisan members of the Senate Intelligence Committee in pushing for measures to encourage the private sector to report breaches and to deter malicious hackers from attacking critical infrastructure.

The discussion came as Congress is under increasing pressure to act after the discovery of both the SolarWinds hack, in which likely Russian hackers compromised nine federal agencies, and new vulnerabilities in a Microsoft email application exploited by a Chinese state-sponsored hacking group to breach thousands of companies. 

“We are troubled in terms of being able to understand the depth and breadth of an intrusion based upon the fact that, for a number of good reasons, some of them obviously legal, that much of the private sector does not share this information readily,” Gen. Paul Nakasone, the director of the National Security Agency and commander of U.S. Cyber Command, testified during the Senate Intelligence Committee’s annual worldwide threats hearing.  

Both Director of National Intelligence Avril Haines and FBI Director Christopher Wray also argued in favor of breach notification legislation, particularly following the SolarWinds hack. The breach was first discovered and reported publicly by cybersecurity group FireEye, not the federal government, something FireEye had no legal requirement to do.  

“The reality is that adversaries try to use U.S. infrastructure for a variety of reasons,” Wray testified. “The private sector controls 90 percent of the infrastructure and an even higher percentage of our PII [personally identifiable information] and innovation. It has the key dots as part of the overall connecting of the dots phenomenon.” 

Wray noted that some type of mandatory breach notification law to encourage the private sector to report cyberattacks would help to “further strengthen the glue between the private sector and the intelligence community and the rest of the government,” which he said would be “the key ingredient to any long-term solution.”

Haines also expressed support for a breach notification bill, asking members of the committee to support potential legislation. 

“Something that would create, as I understand it, an obligation on companies to provide information when there are attacks, much like FireEye did in the context of SolarWinds … that is something that I think would be useful. That is obviously one piece of the puzzle,” Haines testified.  

Support for breach notification legislation has been steadily increasing in both the House and Senate following the SolarWinds breach.  

The bipartisan leaders of both the House Homeland Security and the House Oversight and Reform panels, which are carrying out a joint investigation into the SolarWinds breach, in February expressed their support for the introduction of legislation to enable and encourage the private sector to report breaches. 

Key private sector groups have also been supportive of the idea, including the leaders of FireEye and Microsoft during a previous hearing on the SolarWinds breach held by the Senate Intelligence Committee.

Committee members, including Chairman Mark Warner (D-Va.), on Wednesday pushed for introduction of this legislation, with bipartisan agreement that it could assist intelligence agencies in responding to breaches faster. 

“As we have discussed in a broadly bipartisan way, we have taken the lessons from our SolarWinds hearing, and I think we may have at least a partial response where, with appropriate liability protections, there would be some level of incident reporting to an enterprise that would include public and private together so that we could potentially close some of these gaps,” Warner said. 

“We are looking through a soda straw at some of the threats,” Sen. John Cornyn (R-Texas) said in summing up the current visibility of the federal government into major cyber breaches. 

Beyond breach notification legislation, both the intelligence leaders and senators highlighted concerns that foreign hackers, particularly those in China and Russia, continue to target the U.S. in cyberspace due to a lack of effective deterrence.

“Adversaries also have the capability to undertake destructive attacks of critical infrastructure,” Warner said. “In order to deter these intrusions, we will need to accurately attribute them and hold our adversaries accountable.”

Senate Intelligence Committee ranking member Marco Rubio (R-Fla.) also called for action.

“As a government, we need to have a more explicit deterrence policy that will clearly set expectations for accepted cyber behavior, and delineate very clear responses when those lines are crossed,” Rubio said Wednesday. “Today’s technology environment allows adversaries to wreak havoc, and they often do so at a minimal cost.”

Nakasone stressed that while the federal government was working “every single day” to tackle cyber threats, “our adversaries continue to get better at what they’re doing.”

“I think it’s fair to say that it’s not as effective as we’d like it to be,” Haines added.