SolarWinds Hack Signals Necessity of Federal Breach Notification Law

The Biden administration’s first major cybersecurity challenge- the SolarWinds supply chain attack that was uncovered in December 2020-awaited them on day one.Deputy National Security Advisor Anne Neuberger has been running an interagency process since Inauguration Day to assess the damage and coordinate a response. What we know so far is that the hack has affected at least 200 organizations, including Microsoft, Cisco Systems, and federal agencies including the departments of State, Treasury, Justice, Commerce, and Energy. The hackers, linked to Russia, have had access to these critical technological systems for months, and perhaps years.

And yet, it could have been much worse. When cybersecurity company and SolarWinds customer FireEye discovered that it had been breached, FireEye CEO Kevin Mandia decided to disclose the discovery immediately, despite not being required to do so by law. That kicked off the wider data gathering and sharing necessary to understand the operation. We can’t keep relying on the goodwill of company executives: the United States needs a federal breach notification law- not contingent on the loss of personal data, but as a matter of national security.

Supply chain attacks are especially pernicious, because it’s hard to audit the security of third-party software, and because one infected update can lead to thousands of exposed customers in seconds. The SolarWinds incident was so destructive because SolarWinds is used so widely. Although not a household name, it is among the world’s most popular network management software, and counted at least 425 of the Fortune 500 as customers. In the wake of SolarWinds, many people have called for enhanced supply chain management measures, like required penetration testing for vendors. While these are useful, most organizations do not have the resources to thoroughly vet the potentially thousands of software vendors that today’s corporate systems use. Therefore, the broader focus should not be on preventing any supply chain vulnerability — a virtually impossible task — but on being able to identify breaches and remediate them as quickly as possible.

There is no existing federal law on breach notification in the United States. Each state has its own version, meaning that companies operating nationally have to comply with fifty different statutes that vary in scope and severity. This creates some unnecessary complexity, but the bigger problem is that these statutes are uniformly triggered upon some notion of harm against residents of that state. In Arizona, for example, notice is not required unless the breach is likely to result in “substantial economic loss to affected individuals.” Many states do not require notice at all if the data affected is encrypted. A private company could discover a sophisticated, potentially nation-state attacker in their network, and depending on the assets involved, quite legally tell no one.

It’s easy to understand why companies that have been hacked don’t want to disclose that fact. It’s embarrassing, and executives fear loss of market value and customer trust. Mandia took the opposite view because, as he put it, discovering the SolarWinds hack “validates our intelligence and expertise,” and in fact FireEye sale surpassed projections in the last quarter of 2020. (It’s also worth asking, wouldn’t your customers rather hear it from you than the New York Times?). The fact is, the Russian hacking group’s access to hundreds of systems could have persisted indefinitely had FireEye not taken the initial steps of sharing the observed tactics and techniques of the group, enabling other companies and agencies to identify whether they too had been compromised.

Intelligence sharing is a vital part of our national cybersecurity and remediation efforts. It’s time to codify this behavior through the enactment of required breach disclosure, so that the next time a supply chain attack takes down thousands of victims, the public and private sectors can work together to reduce the critical time between breach and detection. There will always be hacks, but we can control how much damage they cause. A federal breach notification law would be one of the most effective ways to do that.