Tag Archive for: Law”

SolarWinds hack has lawmakers pushing for national breach notification law

/in


Lawmakers will push to pass a mandatory data breach notification law following the high-profile attack last year on SolarWinds, the network management and IT security company.

The compromise of the SolarWinds Orion IT monitoring and management software package, suspected to be the work of hackers affiliated with the Russian government, has compromised about 100 companies and nine U.S. agencies, including the departments of Homeland Security, State, and Justice. Up to 17,000 SolarWinds customers downloaded the malware.

Microsoft President Brad Smith called the SolarWinds hack “the largest and most sophisticated attack the world has ever seen” during a Feb. 26 hearing before two House committees.

During the hearing, several lawmakers promised to push a national data breach notification law this year. An upcoming bill would require companies to share information about breaches with the U.S. Cybersecurity and Infrastructure Security Agency but allow them to keep their names anonymous to the general public, said Rep. Michael McCaul.

The bill McCaul plans to introduce with Rep. Jim Langevin would presumably include penalties for failing to disclose breaches. All 50 states have their own data breach notification laws, some with significant fines for failure to disclose.

Lawmakers have for years tried to pass a federal breach notification law but have so far failed. Advocates of a national law say it would create a consistent breach notification standard with consistent penalties. However, some critics question whether federal law would water down tougher state laws.

In addition to a handful of lawmakers calling for a national breach notification law during the hearing, Smith also said it’s time for federal rules. Sharing threat information is “something that doesn’t happen broadly enough across the industry,” he said during the hearing.

Currently, reporting data breaches can open up companies to scrutiny from Congress and the public, Smith said. “A lot of companies choose to say as little as possible, and often, that’s nothing,” he added. “But silence is not going to make this country…

Source…

SolarWinds hack may lead to breach notification law and stronger cyber agency

/in


One of the lesser-known aspects of the SolarWinds hack that lawmakers and top U.S. cybersecurity officials are grappling with is figuring out how many American companies and federal agencies have been affected. 



a man wearing glasses and looking at the camera: From left, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft CEO Brad Smith testify during a Senate Intelligence Committee hearing on Feb. 23, 2021.

© Provided by Roll Call
From left, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft CEO Brad Smith testify during a Senate Intelligence Committee hearing on Feb. 23, 2021.

At present, no one knows.

This blind spot stems from the absence of a federal breach notification law that requires companies and federal agencies to notify the U.S. government if they have been hacked. That, however, may be about to change as congressional committees learn more about the SolarWinds hack and lawmakers in both chambers have signaled a bipartisan willingness to consider the idea. 

Last week, lawmakers summoned top tech company executives and the CEO of SolarWinds, the company whose software became the conduit for Russian intelligence agencies to access thousands of American companies and federal agencies. 

SolarWinds was hacked by Russian operatives who injected malware into routine software updates that went out to as many as 18,000 government entities and Fortune 500 companies that were clients of SolarWinds. Top U.S. government officials have said Russian intelligence services were behind the attack and that, as of now, nine federal agencies and about 100 companies were exposed but more victims are likely to be found as the probe continues.

Executives from FireEye, the cybersecurity company that found the Russian attack and made it public in December, Microsoft and SolarWinds told members of Congress that while they had come forward to share details of the attack, they were not obligated to do so and wanted Congress to address that gap. 

Without a law and clear guidance, companies don’t know whom to alert when they’re hacked, Brad Smith, president of Microsoft, said at a joint hearing of the House Oversight and Reform and House Homeland Security committees. 

Companies also face a legal barrier because contracts with federal agencies “restrict a company like Microsoft from sharing with others in the federal…

Source…

Hacker Claims to Have Stolen Files Belonging to Prominent Law Firm Jones Day

/in


A hacker claims to have stolen files belonging to the global law firm Jones Day and posted many of them on the dark web.

Jones Day has many prominent clients, including former President Donald Trump and major corporations.

Jones Day, in a statement, disputed that its network has been breached. The statement said that a file-sharing company that it has used was recently compromised and had information taken. Jones Day said it continues to investigate the breach and will continue to be in discussion with affected clients and appropriate authorities.

The posting by a person who self-identified as the hacker, which goes by the name Clop, includes a few individual documents that are easily reviewed by the public, including by The Wall Street Journal. One memo is to a judge and is marked “confidential mediation brief,” another is a cover letter for enclosed “confidential documents.” The Journal couldn’t immediately confirm their authenticity.

The Journal was able to see the existence of many more files—mammoth in size—also purported to belong to Jones Day, posted by the hacker on the so-called dark web. Hackers typically post such stolen information after the hacked entity fails to pay a ransom. The Journal was able to contact the hacker using an email on its blog.

Source…

Nervous System: How ‘The 414s’ Hacking for Video Game High Scores Led to Federal Cyber Law

/in


Online Gaming Credit: Zephyr_p/Shutterstock.com.

With the aggressive pace of technological change and the onslaught of news regarding data breaches, cyber-attacks, and technological threats to privacy and security, it is easy to assume these are fundamentally new threats. The pace of technological change is slower than it feels, and many seemingly new categories of threats have been with us longer than we remember. Nervous System is a monthly series that approaches issues of data privacy and cybersecurity from the context of history—to look to the past for clues about how to interpret the present and prepare for the future.

Source…