Microsoft President Brad Smith participates in a panel discussion with United States President Donald Trump and industry executives on reopening the country, at the White House State Dining Room in Washington, DC on April 29, 2020.
Mandel Ngan | AFP | Getty Images
The massive hack of government systems through a software contractor's products would have remained unknown to the public were it not for one company's decision to be transparent about a breach of its own systems, Microsoft President Brad Smith told lawmakers at a hearing Tuesday.
“The fact that we are here today, discussing this attack, analyzing what went wrong and identifying ways to mitigate future risk, occurs only because my fellow witness, Kevin Mandia, and his colleagues at FireEye, decided to be open and transparent about what they found on their own systems, and to invite us at Microsoft to work with them to investigate the attack,” Smith told the Senate Select Committee on Intelligence, according to his prepared remarks.
“Without this transparency, we would probably not be aware of this campaign. In a sense, this is one of the most powerful lessons for all of us. Without this kind of transparency, we will not be able to strengthen cybersecurity.”
Smith’s testimony highlights how many cybersecurity incidents can go undisclosed. Smith told lawmakers that private sector companies should be required to be transparent about major breaches of their systems. He compared the “patchwork” of disclosure requirements in the United States with more consistent obligations in places like the European Union.
FireEye revealed in a regulatory filing in December that it had been hacked by what it believed to be a state-sponsored actor primarily seeking information related to its government clients. The company said the attack was unusually advanced, employing “a novel combination of techniques that we or our partners have not witnessed in the past.”
Soon after, Reuters reported that hackers possibly linked to Russia accessed email systems in the US Treasury and Commerce departments through SolarWinds software updates. The Department of Defense, the Department of State and the Department of Homeland Security were also affected, The New York Times later reported. Reuters reported, citing sources, that the SolarWinds attack was related to the FireEye incident.
A few days later, Reuters reported that Microsoft was also hacked. Later, US agencies shared that Russian actors were likely the source of the attack. Smith said in his written testimony that Microsoft does not dispute that assessment, while saying, “Microsoft cannot make a final attribution based on the data we have seen.”
Smith told Congress that Microsoft notified 60 customers, primarily in the US, that they were compromised in connection with the attack. But he warned lawmakers that there are certainly more victims who have yet to be identified. A White House cybersecurity adviser estimated last week that nine government agencies and about 100 private companies were affected by the attack. Smith told Congress that Microsoft identified more government and private sector victims outside of the US who were affected.
Smith proposed that, in addition to requiring more disclosures from private companies, the government should provide “a faster and more comprehensive exchange” with the security community.
“A private sector disclosure obligation will foster greater visibility, which in turn can strengthen a national coordination strategy with the private sector that can increase responsiveness and agility,” Smith said in his written comments. “The government is in a unique position to facilitate a more complete view and appropriate exchange of material and factual indicators on an incident.”
But Mandia, CEO of FireEye, told CNBC’s Eamon Javers in an interview before Tuesday’s hearing that disclosure is “a very complex issue.”
“The reason it is a complex issue is because of all the liabilities that companies face when they make a disclosure,” Mandia said. “They have shareholder judgments, they have a lot of business impact considerations. Nor do they want to unnecessarily create a lot of fear, uncertainty and doubt.”
Intelligence Committee Chairman Mark Warner, D-Virginia, said in his opening remarks Tuesday that it might be worth considering stronger disclosure requirements, even if it means creating liability protection for companies that meet those reporting obligations.
– CNBC’s Jessica Bursztynsky contributed to this report.