Fed Breach Disclosure Rule Planned After SolarWinds Hack: Report

An executive order in the wake of the SolarWinds hack will require software vendors and service providers to notify their U.S. government clients if they experience a security breach, according to a Reuters report.

Software vendors and service providers will be required to notify their U.S. government clients if they experience a security breach, according to a Reuters report.

An executive order expected from the Biden administration will update the federal acquisition rules in the wake of the colossal SolarWinds hack to mandate closer collaboration between the private sector and the federal government following an attack. Major software companies like Microsoft and Salesforce that sell to the government would be affected by the executive order, sources told Reuters.

“The federal government needs to be able to investigate and remediate threats to the services it provides the American people early and quickly,” a National Security Council spokesperson told Reuters. “Simply put, you can’t fix what you don’t know about.” The White House didn’t immediately respond to a CRN request for comment.

[Related: SolarWinds Hacked From Inside U.S., 100+ Orgs Compromised]

The executive order is also expected to require vendors to preserve more digital records for probing breaches as well as require working with the FBI and the Homeland Security Department’s Cybersecurity Infrastructure Security Agency, known as CISA, when responding to intrusions, Reuters said. However, no decision has been made on the final content of the executive order, the spokeswoman told Reuters.

Nine federal agencies and roughly 100 private sector companies were compromised through a malicious update to the SolarWinds Orion network monitoring platform, Anne Neuberger, deputy national security advisor for cyber and emerging technology, said Feb. 17. The hackers focused on government agencies that would be of interest to an adversarial nation from a foreign intelligence perspective.

Microsoft lets customers know as soon as the company finds out an adversary has penetrated their network even if the compromise had nothing to do with the company’s service, President Brad Smith said Feb. 26. Microsoft has done this more than 13,000 times over the past 2.5 years after nation-state attacks, including for 60 of its customers that they were compromised by the SolarWinds hackers.

Similarly, FireEye let the intelligence community, law enforcement, and all its government customers know they had been breached before going public with the news on Dec. 8, CEO Kevin Mandia said Feb. 23. SolarWinds told CRN it notified its government and private-sector customers of the attack Dec. 14, a day after The Washington Post broke the news and the company posted a security advisory to its website.

“We look forward to this executive order and support all efforts to encourage collaboration and responsible disclosure of hacks,“ SolarWinds said in a statement. ”We have worked closely with law enforcement and government partners from the outset to quickly and transparently share information.”

First responders should have an obligation to share threat intelligence with government agencies so that information can get into the right people’s hands without having to worry about liabilities or disclosures, Mandia said Feb. 23. He defined first responders as those who are responsible for figuring out what happened when a company besides their own has unauthorized or unlawful access on their network.

“There’s got to be a way for folks who are responding to breaches to share data quickly to protect the nation and protect industries,” Mandia said. “We need to know, if you’re a first responder, you’re obligated to get threat intel into the bucket so we can protect the nation.”

Congress has in the past attempted to establish a national data breach notification law that would require companies who experience hacks to disclose them publicly through government agencies rather than keep them secret, according to Reuters. However, Reuters said those efforts had failed in the face of industry resistance.

Microsoft’s Smith said Feb. 23 that it’s not a bad idea to consider liability protection to help get companies more comfortable with disclosing breaches. Mandia urged lawmakers to pursue confidential threat intelligence sharing rather than public disclosures or notifications to help get information out more quickly even if the victim doesn’t yet know what information they lost in the breach.

However, Sen. Mark Warner, D-Va., said companies that disclose a breach shouldn’t receive a ‘get out of jail free’ card if their behavior was particularly egregious.

“While I am very open to some level of liability protection, I’m not interested in a liability protection that excuses the kind of sloppy behavior, for example, that took place in Equifax, where they didn’t even do the basic cyber hygiene,” Warner said.