Top U.S. national security officials on Tuesday explained some ideal elements to a potential national data breach reporting law, describing the idea as one pathway to stopping massive security incidents like the SolarWinds hack.
A national data breach reporting law would need to be clear and concise for companies to follow it, and generally not be a huge burden, said Tonya Ugoretz, deputy assistant director of the FBI. It also might function as an alternative to government surveillance of private sector networks, a controversial idea previously suggested as a means of detecting cyber-espionage.
Such a law should be focused on receiving reports about only especially sensitive breaches, such as those which jeopardize national security and critical infrastructure or that compromise U.S. government information, Ugoretz said during a prerecorded segment that aired at the virtual 2021 RSA Conference.
However, Ugoretz and Adam Hickey, the deputy assistant attorney general in the Justice Department’s National Security Division, stopped short of endorsing any particular proposals, given that the White House still hasn’t publicly signaled its wishes.
Debate over how victims of major cyberattacks should report them to the federal government has become more urgent since last year’s breach at the federal contractor SolarWinds, which affected nine federal agencies and prominent tech companies via a supply chain attack that exploited SolarWinds software updates. U.S. officials have blamed the breach on Russian intelligence.
Already, the Biden administration via an executive order last week initiated plans for requiring government contractors to report cyber incidents. Going a step further to address the private sector more broadly would require congressional action, and ideas are circulating on Capitol Hill about what such a law would look like.
Some in Congress have suggested intelligence agencies need to have greater insight into what’s happening on private sector networks, since the SolarWinds attackers used private sector U.S. infrastructure as a partial means of carrying out the hack.
“One alternative to that — if you don’t like the idea of more surveillance — is reporting that is voluntary, in the sense that you choose what you put on the form that you fill out,” Hickey said. “Now the regulation may require it, but the point is, you’re filling it out. Someone’s not watching your network.”
Ugoretz said the idea would be to keep the burden on private sector companies low.
“I don’t think we’re looking at a threshold where every single incident and intrusion would need to be reported,” she said. “What we’re most concerned about from the federal government perspective are incidents where there’s a national security or public safety concern, so things like U.S. government information that’s been threatened or U.S. critical infrastructure.”
Furthermore, any new law needs to be easy to follow, Ugoretz said. Already, companies must contend with a patchwork of state data breach notification laws.
The irony of the renewed demand for a national law stemming from the SolarWinds hack is that FireEye demonstrated the best-case scenario in voluntarily reporting that it was compromised, alerting the federal government to the broader threat, Hickey and Ugoretz said.
“That was model behavior and it was entirely voluntary, and it’s in the public good,” Hickey said. “Sometimes you want legislation that creates those incentives so that what is purely voluntary today is encouraged in the future or potentially required, and that’s a choice obviously for the administration and Congress to make.”