Microsoft President Brad Smith takes part in a panel discussion with US President Donald Trump and industry executives on the country’s reopening, in the State Dining Room of the White House in Washington, DC, May 29, 2020.
Mandel Ngan | AFP | Getty Images
The massive hacking of government systems through a software vendor would have remained unknown to the public had it not been for one company’s decision to be transparent about a breach of its own systems, Microsoft President Brad Smith told lawmakers at a hearing Tuesday.
“The fact that we are here today to discuss this attack, dissect what went wrong and identify ways to mitigate future risks, is only happening because my fellow witness, Kevin Mandia, and his colleagues at FireEye, chose to be open and transparent about what they found in their own systems, and to invite us at Microsoft to work with them to investigate the attack,” Smith told the Senate Select Committee on Intelligence, according to his prepared remarks.
“Without this transparency, we probably still wouldn’t know about this campaign. In some ways, it’s one of the most powerful lessons for all of us. Without this kind of transparency, we won’t be able to strengthen cybersecurity.”
Smith’s testimony highlights how many cybersecurity incidents may go undisclosed. Smith plans to tell lawmakers that private sector companies should be required to be transparent about material breaches of their systems. He compared the “patchwork” of disclosure requirements in the United States to the more consistent obligations in place in the European Union.
FireEye revealed in a regulatory filing in December that it was hacked by what it believed to be a state-sponsored actor who primarily sought information relating to its government clients. The company said the attack was unusually advanced, using “a new combination of techniques that we or our partners have not seen in the past.”
Shortly thereafter, Reuters reported that hackers potentially linked to Russia had accessed the email systems of the Commerce Department and the US Treasury through software updates from SolarWinds. The Department of Defense, State Department and Department of Homeland Security were also affected, the New York Times later reported. Reuters reported, citing sources, that the SolarWinds attack was linked to the FireEye incident.
Days later, Reuters reported that Microsoft was also hacked. US agencies later said that Russian actors were likely the source of the attack. Smith said in his written testimony that Microsoft does not dispute this assessment, while adding, “Microsoft is unable to make a final attribution based on the data that we have seen.”
Smith will tell Congress that Microsoft has notified 60 customers, mostly in the United States, that they were compromised in the attack. But he was planning to warn lawmakers that there are certainly more victims who have yet to be identified. A White House cybersecurity adviser estimated last week that nine government agencies and around 100 private companies were affected by the attack. Smith was planning to tell Congress that Microsoft has also identified government and private sector victims outside the United States.
Smith will propose that in addition to requiring more disclosures from private companies, the government should provide “faster and more comprehensive sharing” with the security community.
“A private sector disclosure requirement will promote greater visibility, which in turn can strengthen a national coordination strategy with the private sector that can increase responsiveness and agility,” Smith said in his written remarks. “The government is in a unique position to facilitate a fuller view and appropriate exchange of indicators of understanding and material facts regarding an incident.”
But Mandia, the CEO of FireEye, told CNBC’s Eamon Javers in an interview ahead of Tuesday’s hearing that disclosure was “a pretty darn complex issue.”
“The reason this is such a complex issue is because of all the responsibilities that companies face when making a public disclosure,” Mandia said. “They have shareholder lawsuits, they have a lot of business impact considerations. You don’t want to create a lot of fear, uncertainty and doubt unnecessarily either.”
Intelligence Committee Chairman Mark Warner, D-Va., said in his opening remarks on Tuesday that it might be worth considering stricter disclosure requirements, even if that means creating liability protections for companies that comply with those disclosure obligations.
The hearing began at 2:30 p.m. Eastern time.
-Jessica Bursztynsky of CNBC contributed to this report.