SolarWinds CEO Recommends Liability Protections for Sharing Information about Incidents
The new CEO had a couple of other asks for Congress too.
While it is not an acute concern for SolarWinds itself, Congress could improve cybersecurity by passing legislation that shields companies from liability or other penalties when they report incidents to the government, the company’s CEO Sudhakar Ramakrishna said.
Ramakrishna is set to appear before multiple congressional committees this week in the wake of the compromise of the Texas-based network management company, which served as the vector for widespread breaches of its customers, including several government agencies and major private companies. Ramakrishna joined SolarWinds as CEO after the incident was disclosed.
During a virtual event Monday with the Center for Strategic and International Studies’ Suzanne Spaulding, he said creating liability protections or incentives for information sharing is one of three things he’d ask Congress to address.
“A lot of victims, as you mentioned … are hesitant to come out about exfiltration of data or attacks or information,” he said. “That could be because of liability concerns and other potential punitive concerns. So providing regulation and helping them and giving them comfort to step forward and step quickly and step in a timely fashion with information will, I believe, help us all be more safe and secure.”
Spaulding, a Cyberspace Solarium Commission member and former leader of the Department of Homeland Security’s cyber directorate, noted that Congress already provided some liability protections in the Cybersecurity Information Sharing Act of 2015, but suggested those might need to be broader.
“What the Solarium determined is that we need to go beyond simply sharing threat indicators, for example, and pushing information back and forth at each other, to get to a place where we share understanding, where we share insights, where we are collaborating to understand what's happening and how to respond and recover.”
Ramakrishna also called for a single government entity to which companies can report their incidents, something that might also address the restrictive contractual arrangements individual agencies enter into with their vendors.
“I find myself having to deal with multiple government agencies, and there is information asymmetry. And when that happens, we are losing time in fighting these attacks,” he said. “Having a simpler structure of communication, and exchange of information with a singular entity would be hugely beneficial.”
The government should generally be trying to tighten its partnership with the private sector, Ramakrishna said. Pointing to the National Institute of Standards and Technology and the Defense Department’s Cybersecurity Maturity Model Certification program, he said the government should leverage work SolarWinds is doing post-hack “to essentially enhance standards such as NIST’s and CMMC’s.”