A senior Democratic lawmaker said there is a growing appetite for a new federal cybersecurity breach notification law in the wake of a sprawling series of digital intrusions blamed on the Russian government.
The comment, made by Mississippi Representative Bennie Thompson, the chairman of the House’s Homeland Security Committee, comes as cybersecurity executives are facing their second round of congressional questions on Friday over their companies’ roles in the breach centered on Texas software company SolarWinds.
Introducing the witnesses, Thompson said that there was “growing interest in a cybersecurity reporting law” from his colleagues and that he hoped “we can enact cyber incident notification legislation in the short order.”
What such a law might look like was not yet clear.
State and federal rules already compel organizations to notify the public in cases where health information or financial institutions’ data has been compromised, but companies are generally free to keep quiet about more traditional forms of cyberespionage – something Microsoft Corp President Brad Smith said was hobbling the fight against foreign hackers.
“A lot of companies choose to say as little as possible and often that’s nothing,” Smith told lawmakers.
“Silence is not going to make this country stronger. So I think we have to encourage – and I think even mandate – that certain companies do this kind of reporting.”
Testifying alongside Smith on Friday were SolarWinds Chief Executive Sudhakar Ramakrishna and FireEye Inc Chief Executive Kevin Mandia.
Their appearance before the joint hearing of the House Committees on Oversight and Reform and Homeland Security comes three days after the trio testified before U.S. senators over the massive breach, which has ensnared nine American government agencies and more than 100 other organizations.