Hi, this is Alyza on Bloomberg's cybersecurity team. Calls are growing for American companies to be more transparent about cybersecurity after suspected Russian hackers penetrated computer networks in the U.S. government and private sector. We still don't know the scope of the attack, which compromised software by the Texas-based firm SolarWinds Corp., pushing malicious code to as many as 18,000 of its customers in updates.
But how many of those companies were targeted for follow-on attacks by the hackers is still being investigated. The White House says it has identified nine federal agencies and about 100 private companies that may have been hit, though that number could grow as the inquiry progresses.
One reason we don't know the full extent of the attack is there is currently no federal data breach notification law. I covered two Capitol Hill hearings focused on the cyber-attack last week, and the need for such a law was a common theme among lawmakers of both parties and the technology executives who testified. They called for a federal requirement that companies notify the government of significant breaches. Part of their reasoning was that the suspected Russian hackers were only discovered after the cybersecurity firm FireEye Inc. found that it had been breached, and voluntarily disclosed the incident in December. Without the breach disclosure, the hackers could still be roaming government and private-sector computer networks undetected. It's an example that demonstrates the long-argued point that private sector breach disclosure can be critical to U.S. national security.

In addition to the debate over whether companies should be required to disclose cyberattacks to the government, there are also increasing calls for publicly traded companies to be more forthcoming with investors about the cybersecurity risks that they're taking on. The cyber risk analysis firm SecurityScorecard released a report Tuesday morning evaluating whether companies are heeding the U.S. Securities & Exchange Commission's calls to share information about cyber risks that could affect stock prices or companies' reputation and value. "Too often, cyber-related disclosure language is boilerplate in a way that could not assist an investor in assessing a company's cyber-risk profile or management of those risks," the report found. "Gaining investor confidence will depend on companies' willingness to move beyond identifying systemic cyber-risks to articulating which proven strategies and tools they are using to manage them."

The report comes more than a year after the Cyberspace Solarium Commission—a bipartisan group created by Congress to develop recommendations for the U.S. to prevent future cyberattacks—pushed for increased corporate accountability on cybersecurity. The commission recommended specifying security metrics that publicly traded companies should track, and requiring that they keep records of their cyber-risk assessments.

At the Senate Intelligence Committee hearing last week, Chairman Mark Warner asked technology executives: "Why shouldn't we have mandatory reporting systems, even if those reporting systems require some liability protection so we can better understand and better litigate future attacks?" Executives were receptive to the idea. Brad Smith, president of Microsoft Corp., said an obligation for private sector companies to disclose breaches will be a critical step moving forward: "I think it is the only way we're going to protect the country," he said. "And I think it is the only way we're going to protect the world."

—Alyza Sebenius