Microsoft and FireEye push for corporate breach reporting rules

The two companies believe companies should be able to report breaches without legal retribution

Microsoft and FireEye executives have urged Congress to create laws requiring firms to disclose security breaches in the wake of the SolarWinds hack.

According to The Hill, Microsoft president Brad Smith said in written testimony to the Senate Intelligence Committee there is a “need to impose a clear, consistent disclosure obligation on the private sector.” He added that “silence reigns” when companies are hacked.

“This is a recipe for making a formidable problem even worse, and it requires all of us to change,” he added. “We need to replace this silence with a clear, consistent obligation for private sector organizations to disclose when they’re impacted by confirmed significant incidents.”

FireEye CEO Kevin Mandia, whose company discovered the breach, said companies should be able to report breaches that could have national security ramifications without fear of retribution.

“The US government should consider a federal disclosure program for not only sharing threat indicators but for also providing notification of a breach or incident,” he said.

According to White House officials, the SolarWinds breach affected nine federal agencies and 100 private companies. Intelligence officials have said the attacks likely originated in Russia.

Smith added that substantial evidence points to the Russian foreign intelligence agency and to no other actor. He and Mandia said companies such as theirs had no legal obligation to disclose breaches, but a “duty nonetheless” to customers, the government, and the public.

“We will not secure this country without that kind of sharing,” said Smith.

Currently, breach notification requirements exist only at the state level, and years of federal efforts to pass a national law have produced no change. As a result, the full extent of breaches remains unknown.

Mandia added that while the SolarWinds breach was stopped, another will happen, and this highlights the need for stronger breach notification requirements.

“This attacker, maybe their pencil is down for a few months, but the reality is they are going to come back,” Mandia said. “How they break in is always evolving, and all we can do is close the window and close the security gap better next time.”
