The hack of companies and federal agencies through compromised software from SolarWinds Corp. has breathed new life into an old idea: The U.S. must require businesses to report cyberattacks.

Lawmakers are examining how to craft such legislation after executives and government officials told Congress in recent weeks that details on how hackers penetrated their defenses could help the government and companies thwart nation-state hacks.

But structuring such requirements is contentious. While companies welcome disclosures from other organizations, some fear detailing their own incidents could fuel bad press and investor panic, yield legal trouble and give hackers information to use in future attacks.

Still, said Tom Fanning, chief executive of the Atlanta-based utility Southern Co., digitized businesses and interconnected supply chains make such transparency crucial.

“What’s happening to us might also be happening to finance, telecom or natural gas pipelines,” Mr. Fanning said, adding that his company faces millions of cyber threats each day. “That’s why we need this.”

Staffers for Sen. Mark Warner (D., Va.) are speaking with companies and cyber experts in the hope of writing a bill, an aide said.

Separately, Rep. Jim Langevin (D., R.I.) is fine-tuning two proposals in a pincer-like approach to the issue, an aide said. One rule would require a broad array of businesses to report specific incidents, such as personal data theft and ransomware, Mr. Langevin’s aide said. The other would mandate much more data-sharing from organizations that operate infrastructure deemed critical to national security.

The latter proposal will likely be more politically fraught, said Mark Montgomery, former executive director of the Cyberspace Solarium Commission, a bipartisan policy group that includes Mr. Langevin. Such a law would have to specify what constitutes an incident, what information the private sector must share and what companies it covers—a definition that wouldn’t necessarily include a relatively obscure tech vendor like SolarWinds, he said.

“Where people cut the deck is a little different,” said Mr. Montgomery, who now serves as a senior adviser to the commission.

Certain businesses in heavily regulated sectors, such as defense, already have detailed reporting requirements under agency rules, said Jennifer Urban, a partner at law firm Foley & Lardner LLP, whose clients include Pentagon contractors.

[Photo: Tom Fanning, chief executive of Southern Co. Credit: Chris Goodney/Bloomberg News]

President Biden is also considering ways to facilitate such notifications by government information-technology vendors as part of a broader executive order on cybersecurity, according to a senior administration official. “We are acutely aware that federal agencies cannot react to information they don’t have,” the official said in a statement.

The Cybersecurity Information Sharing Act of 2015 allows companies to share details about threats with the Department of Homeland Security under liability and confidentiality shields. But a report last year by the DHS inspector general found that only nine of 252 participants in the program in 2018 voluntarily handed over information.

Wider proposals that would force companies to disclose sensitive details on security incidents have sunk in Congress amid pushback from industry lobbyists who feared such obligations and subsequent financial risks, as well as from civil liberties groups that warned of heightened surveillance.

Sen. Susan Collins (R., Maine), who co-authored a 2012 bill that would have required DHS-designated infrastructure owners to report “significant cyber incidents,” called some businesses’ newfound support for such an idea “a dramatic change.”

[Photo: Sen. Susan Collins (R., Maine). Credit: J. Scott Applewhite/Associated Press]

“We lived in a different world back then,” she said in an interview. “There was not the realization that every company, virtually, is vulnerable.”

Recent hacks targeting SolarWinds software and Microsoft Corp.’s Exchange server software have highlighted how an attack on a single vendor can ripple through hundreds or thousands of companies.

At a February hearing of the Senate Select Committee on Intelligence, senior executives from Microsoft and FireEye Inc., firms near the center of the SolarWinds incident, said they supported confidential reporting requirements, with liability protection against risks such as shareholder lawsuits.

Microsoft declined to comment further. A SolarWinds spokesman said the company supports “transparent and responsible sharing of information.”

Lawmakers have applauded FireEye’s decision in December to report a breach of its systems to both the government and the public. Neither disclosure was required by law, but they jump-started an investigation in which U.S. officials determined the attack likely originated in Russia. Moscow has denied the claim.

Kevin Mandia, FireEye’s chief executive, said he briefed his board via Microsoft Teams just hours after learning of the intrusion, with little to share other than a warning to “brace for impact.” Just days later, Mr. Mandia was convinced his company faced a nation-state attacker, he said.

FireEye began contacting U.S. intelligence officials after learning the hackers had compromised its “red team” tools used to test customers’ defenses.

“I still was in the fog of war when we were talking to people,” he said, adding that FireEye didn’t initially know that hackers broke in through SolarWinds software. “I thought I was in a race that this was going to leak out. I wanted to be the guy leaking it out.”

Mr. Mandia said a reporting requirement should include cyber experts. That is, “first responders, meaning companies that professionally respond to breaches,” as well as cloud providers, he said.

“Most companies can’t generate intel—they just can’t,” Mr. Mandia said.


Mr. Fanning, Southern Co.’s chief executive, said government and company analysts should exchange such information—including classified intelligence—in real-time through a centralized clearinghouse.

Some critics say the SolarWinds fallout is obscuring more pervasive issues.

Patrick Gaul, executive director of the National Technology Security Coalition, a trade group of chief information security officers, has urged congressional staffers in recent meetings instead to create a federal requirement for businesses to tell consumers about personal data theft, replacing state-level breach-notification laws.

Mr. Gaul warned that more expansive definitions of what constitutes a breach or threat could make compliance difficult.

Top U.S. cyber officials from the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency at DHS have nevertheless endorsed deeper data-sharing.

“I’m not here today to prescribe what that might look like,” Brandon Wales, acting director of CISA, said at a March 18 hearing of the Senate Homeland Security and Governmental Affairs Committee. “But I really do believe that it is essential going forward.”


Write to David Uberti at [email protected]

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.

This post first appeared on wsj.com
