Any sign of two-party agreement between key players qualifies as major news these days at the U.S. Capitol. Legislation that could require private companies to notify the government of breaches to their cybersystems looked possible last week as U.S. intelligence officials appeared before Congress amid the Biden administration's loud response to foreign-based hacks.
Gen. Paul Nakasone, director of the National Security Agency, told the Senate Intelligence Committee: "We are troubled in terms of being able to understand the depth and breadth of an intrusion based on the fact that, for a number of good reasons — some of them obviously legal — that much of the private sector does not share this information readily."
That sounds like a nice way to say the U.S. can't always respond to dangerous break-ins at key public institutions because they can come through privately run cyber networks.
Front and center is the massive hacking of U.S. agencies and corporations via the Texas-based SolarWinds company, which provides network monitoring and troubleshooting for many organizations through a system called Orion. Word of the hack spread in December. U.S. intelligence services say they believe with "high confidence" that Russia's Foreign Intelligence Service carried out the monthslong attack.
At first blush it was reported that the breach could have affected more than 250 victim organizations in government and the private sector. But in a White House news conference on Feb. 17, Anne Neuberger, deputy national security adviser, said more authoritatively that nine federal agencies and about 100 private sector companies had been compromised.
President Joe Biden cited the breach in ordering sanctions against several Russian entities and individuals.
A bipartisan push for a new notification law seems to echo congressional sentiment. Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Marco Rubio (R-Fla.) released a joint statement in February arguing that the federal response until then had "lacked the leadership and coordination warranted by a significant cyber event." They praised the appointment of Anne Neuberger, deputy national security adviser for cyber and emerging technology, to lead a response.
The breach was first discovered and reported publicly by the private cybersecurity firm FireEye.
"The reality is that adversaries try to use U.S. infrastructure for a variety of reasons," FBI Director Christopher Wray testified last week. "The private sector controls 90% of the infrastructure ... It has the key dots as part of the overall connecting of the dots phenomenon."
But those concerned about online privacy have cause to be worried about expanding the NSA's authority. After all, unchecked domestic surveillance years ago blossomed into a major scandal after which legal controls were imposed.
"Like clockwork, advocates of expanded surveillance are trying to exploit an intelligence failure," said Sen. Ron Wyden (D-Ore.), an Intelligence Committee member.
"The federal government failed to catch the SolarWinds hackers in any of the nine federal agencies that were hacked, where it had full legal authority to monitor every bit of activity on its own networks," Wyden said.
The chances for requiring notification of private breaches clearly will depend on details of how federal officials would see fit to follow up.