Russia and China have the United States reeling from two devastating cyberattacks in under six months. The mammoth SolarWinds breach—attributed to Russia and affecting at least nine U.S. government agencies, 100 private companies, and further victims yet to be identified—and a sweeping compromise of on-premises Microsoft Exchange e-mail servers by a Chinese hacking group have heightened attention on a glaring reality: the United States is woefully unprepared to counter cyberattacks that steal personal, corporate, and even government information. Subsequent revelations that a separate Chinese state hacking campaign compromised government, defense industry, and financial targets and stole intellectual property only highlight the ongoing open season on U.S. data. Last week’s cyber executive order will require federal contractors to report cyber incidents to affected agencies and the Cybersecurity and Infrastructure Security Agency (CISA), a welcome step in the right direction. But federal contractors aren’t the only ones vulnerable to cyber threats, and foreign adversaries are surely watching with interest the impact of recent cybercriminal attacks on critical infrastructure, like the ransomware attack on Colonial Pipeline.
The United States can’t address cyber threats from sophisticated nation-state actors like Russia and China if it doesn’t know about them. But right now, the country is operating in the dark: there is no broad requirement for private companies to report breaches to the federal government, only a patchwork of state regulations focused on personal data, each with its own disclosure requirements and reporting timelines. With both national security and economic competitiveness at stake, it’s time for Congress to require companies to report to the federal government when they’ve been hacked.
Part of the problem is the nature of the beast: cybersecurity is an uncertain tango between the private sector that builds technology platforms and the government that is charged with executing U.S. foreign policy and assessing nation-state threats. For companies, spending on security is an easy budget cut when seeking short-term profits, because underinvestment often goes unnoticed until it is exploited.
Corporate optics and financial incentives also work against the very disclosure of cyberattacks. A recent industry study found that companies’ share prices fell an average of 3.5 percent 14 market days after they disclosed a breach.
Even more concerning is that this cyber-silence perpetuates a cycle of intellectual property theft from China. In instance after instance, federal prosecutors have sought to try foreign hackers for stealing proprietary information but struggled to find U.S. victims willing to come forward. One NPR and PBS investigation found that the $57 billion the U.S. economy loses annually to technology theft and corporate espionage originating from China is partly the result of victimized companies choosing to stay silent. Their aim is to avoid hurting profits being made in China and to prevent shareholder blowback. Of course, international cybercrime prosecutions are notoriously difficult, given the likelihood that defendants will never be tried. But failing even to indict attackers sends a message of impunity. The upshot is that foreign cybercrime goes unpunished: valuable intellectual property is stolen, U.S. competitiveness is damaged, and attacks continue.
This status quo is not inevitable. In Europe, privacy legislation (the GDPR) requires companies to report personal data breaches to supervisory authorities within 72 hours. In Australia, companies covered by its Privacy Act must notify affected individuals and the Australian government if serious harm is likely to ensue. Brazil’s new data protection law and upcoming amendments to Japan’s data privacy law also require swift breach notifications. Most of these laws target only personal data; to address national security concerns, a far broader scope is needed. In the United States, disparate state regulations and a requirement for defense and now federal IT contractors to report breaches provide only a limited picture.
In the case of SolarWinds, the public’s very knowledge of the attack was the result of the voluntary decision of one cybersecurity company. FireEye CEO Kevin Mandia testified to Congress that the company had not been legally obligated to disclose the breaches publicly. And Microsoft President Brad Smith noted “without [FireEye’s] transparency, we would likely still be unaware” of the SolarWinds breach. This transparency is laudable but optional, and many affected companies have yet to come forward. When breaches directly implicate national security and economic competitiveness, such hesitancy is unacceptable.
Some lawmakers are moving to close the reporting gap. Last month, top intelligence officials and Senate Intelligence Committee members, including Chairman Mark Warner (D-VA), expressed interest in and support for the idea. A recent announcement from Representative Michael McCaul (R-Texas) that he and Representative Jim Langevin (D-RI) are working on bipartisan legislation requiring companies to notify CISA, the government’s nascent cyber agency, about breaches like SolarWinds is welcome. Such notices should entail sharing actionable threat and incident information with CISA, possibly on a confidential basis, and could include mechanisms to disclose breaches to affected entities.
Mandatory breach notification legislation has been on the table before, though: a 2017 bill never passed, and the issue reportedly “fell out” of the 2021 annual defense authorization bill. Details on which such legislation could hit snags include the extent of liability protections for reporting companies, which government entity should receive notifications, and which companies would be required to report. The recent series of high-profile attacks has generated renewed awareness of U.S. vulnerabilities and, hopefully, the momentum to see practical legislation enacted.
The private sector too has called for overarching data privacy legislation, of which breach notifications—at least for personal data—could be a key part. The CEOs of some 50 major U.S. companies that are members of the Business Roundtable have come out in support of a comprehensive federal data privacy law.
From bug bounties to ransomware to the specter of quantum-era threats, cybersecurity can seem an unsolvable problem. When it comes to securing U.S. networks from financial opportunists and foreign adversaries alike, a simple and immediate measure could reduce the risk of a repeat, if Washington is still capable of action on common-sense solutions. The United States needs to require its companies to report hacks.