Warner is already planning hearings so members can grapple with the “thorny questions” raised by the sweeping Russian hacking campaign that compromised at least eight government agencies and a huge swath of private-sector companies that were clients of network-management company SolarWinds.
The debate over federal breach notification laws has boiled over in the aftermath of other major hacks, including the 2015 Office of Personnel Management breach and the 2017 Equifax breach. Each time the private sector fiercely lobbied against proposed legislation, experts say.
But SolarWinds, with more reach at home and abroad, could finally be the push Congress needs to legislate change, Warner tells me. The SolarWinds attack could have gone unnoticed for months longer if cybersecurity firm FireEye hadn't voluntarily disclosed its breach, and the effects of the breach are still unfolding, putting a new spotlight on the issue.
“I think the level of questions that are going to be asked out of this are going to be broader than what came out of the OPM hack or what came out of the Equifax hack,” he said.
U.S. federal law requires a private company to disclose a hack to the Securities and Exchange Commission only if it meets a certain threshold for material damage to a company. Congress will have to figure out what a new threshold should look like. (States offer a patchwork of their own disclosure laws.)
Warner also raised concerns about the federal government's authority to respond to attacks like SolarWinds once they're discovered.
The SolarWinds attack has highlighted that the U.S. government needs to be thinking about how to beat adversaries once they've infiltrated systems, not just preventive measures, he said.
“I'm not sure that simply better cyber hygiene would protect us,” Warner says. “The bad guys, if they put their A-team on, can pretty much get into anything.”
Current restrictions, such as the U.S. government's inability to deploy National Security Agency talent when attacks are within the United States, only embolden the bad guys, he says.
“There may be a whole set of other questions around powers and authorities that will be really hard questions to grapple with,” he says.
Also on the table: More money for the Cybersecurity and Infrastructure Security Agency.
President-elect Joe Biden has pledged to tackle the SolarWinds fallout, and his plan boosts resources at the agency that oversees implementing information security for nonclassified agencies.
Biden on Thursday called for $690 million for CISA to improve security monitoring and incident response at the agency as part of roughly $10 billion in cybersecurity funding in his first coronavirus relief package.
Experts say there are other ideas on the table for Congress to explore.
Another idea experts have floated is a National Transportation Safety Board-type body to investigate hacking incidents. That would make sure government officials could conduct a full public investigation instead of details being shrouded by lawsuits, says David Forscey, managing director at Aspen Cybersecurity Group.
A National Bureau of Cybersecurity Statistics, recommended by the Cyberspace Solarium Commission, could also serve as a mechanism to mandate breach reporting, says Trey Herr, director at the Atlantic Council's Cyber Statecraft Initiative.
Warner is also looking at self-regulatory organizations like those overseen by the SEC as a potential model for a cybersecurity regulator.
Legislative changes won't be immediate.
With the scope of SolarWinds still unraveling, Warner says it will be important to get lawmakers up to speed on the hack before diving into changes.
“We have got to bring members of Congress's knowledge levels up. We've got to have a consensus from our government entities.”
Amazon Ring exposes users' location data — again.
The now fixed security flaw would have allowed unauthorized individuals to access the location data and addresses of users of the surveillance camera's neighborhood watch app, Zack Whittaker at TechCrunch reports.
A similar bug in the Neighbors app last year allowed journalists at Gizmodo to locate thousands of the company's users across the United States. Before that, Ring users reported a slew of hacks, some of which resulted in threats. The company now faces a class-action lawsuit over the hacks, Zack reports.
“At Ring, we take customer privacy and security extremely seriously. We fixed this issue soon after we became aware of it. We have not identified any evidence of this information being accessed or used maliciously,” said Ring spokesperson Yassi Shahmiri. (Amazon CEO Jeff Bezos owns The Washington Post.)
The Commerce Department finalized a rule blocking U.S. purchases of communications technology from adversaries including China, Russia and Iran.
The rules, which also apply to North Korea, Cuba and Venezuela, won't go into effect for 60 days, leaving their enforcement up to the Biden administration, Bob Davis at The Wall Street Journal reports.
While Biden has also expressed interest in taking strong measures against Chinese technology that poses national security risks, it's unclear to what extent he will keep up Trump's aggressive policies. The proposal gives Commerce 180 days to decide whether it will grant companies a waiver for purchases.
Pandemic unemployment insurance for gig workers became one of the biggest targets for financial fraud cybercrime in 2020, researchers say.
The widely used program, Pandemic Unemployment Assistance, became one of the most widely discussed topics on secret hacker forums, cybersecurity firm Recorded Future found, Benjamin Freed at CyberScoop reports. Despite increased efforts by states to uncover and prosecute the scams, the activity continues to rise, Recorded Future found.
“To be able to conduct this fraud, you don’t need to have a high skill set,” Parker Crucq, a senior threat intelligence analyst at Recorded Future, told CyberScoop.
Hackers benefited from widely available personal information for sale on hacker forums to execute the scam, he says.