On Tuesday, the Senate Select Intelligence Committee took the first crack at coming up with a national response to the massive SolarWinds breach, which compromised 100 private companies and nine federal agencies and is widely believed to have originated from Russian intelligence services.
While the hearing was just the beginning of a national conversation that will continue with a joint House hearing on Friday, lawmakers and witnesses highlighted key issues that cybersecurity experts said will help open the door to reforms and possibly change the culture of an industry that has too often remained tight-lipped in the event of a breach.
"From a disclosure perspective, nobody likes to talk about bad things," said Kate Kuehn, senior vice president at vArmour, a cybersecurity software company. "We need to take the stigma of negativity out of breaches. It's a bad enough situation to begin with. We need to make it safe for companies to disclose without the backlash."
The tone and tenor of the Senate hearing suggested this stigma could be lifting, she added.
Brad Smith, president of Microsoft, which was one of the most prominent victims of the hack, highlighted the importance of sharing information during the hearing and commended fellow witness Kevin Mandia of FireEye for his company's role in exposing the cyberattack.
"Without this transparency, we would likely still be unaware of this campaign," he said in his prepared remarks. "In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity."
Making Reporting Mainstream
Right now, companies only have to come forward when hackers have gained access to sensitive personal information, leaving disclosure of most breaches up to the discretion of the company.
Kuehn said the industry needs to treat hacks the way disasters are treated in the airline industry, where companies work closely with federal regulators to determine the cause.
Other cybersecurity experts have also emphasized the importance of close, public-private partnerships.
"The hearing demonstrated the crucial importance of public-private partnerships and the need for a better approach to defending our federal systems," said Bill Wright, director for federal government affairs at Splunk, a security software company.
Wright said the Biden administration was already on the right track with the appointment of Anne Neuberger, a veteran in cybersecurity, as Deputy National Security Advisor for Cyber and Emerging Technology. He also commended the administration's creation of a new "National Cyber Director," who will be responsible for U.S. cyber policy across the government and private sector.
He anticipates that Biden will issue an executive order to help streamline data-sharing between private companies and the government.
"Today, some of the most important data needed to detect advanced threats goes unused or is underleveraged," he said.
Detection vs. Defense
There is a basic tension in cybersecurity that the SolarWinds hack has heightened: the tug-and-pull between emphasizing detection and eradication of a threat and putting up stronger and stronger defenses to stop a breach in the first place. Both approaches are currently being developed in the industry, but which should take priority has been debated in the wake of SolarWinds.
"Some experts have suggested a solution to preventing massive breaches in the future — rip and replace the computer networks used by the federal government and other systems that we deem to be a security threat," said Lior Div, CEO of Cybereason, a cyber defense platform. "That simply isn't going to fix the problem. We could spend $250 billion or $250 trillion, and it will only incrementally help. What matters is how the money is spent."
Div said a more attainable solution is developing systems to quickly detect malicious activity and then respond accordingly.
"We need to change the way cyber conflict is fought," she said. "The goal isn't to block and prevent all attacks — an operation like SolarWinds demonstrates that's not always possible."
Wright, for his part, argued that getting government agencies off "vulnerable, legacy IT systems" — more of a rip-and-replace approach — should be a top priority.
In either case, the nature of government support and regulation has to change, said Kuehn.
"It became a recurrent theme to me that too many are suffering in silence, and we need to have more regulation and support of organizations from a federal perspective."
She also pointed out that the open, collaborative approach exemplified by the Senate hearing needs to continue if a cultural shift is going to happen in the industry. The House hearing on Friday could present a challenge to that.
"I think you're going to see a lot more of a political agenda," she said.