Cyber notification requirements are a legislative priority, said House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and ranking member John Katko, R-N.Y., Friday during a virtual hearing on the SolarWinds breach. They echoed interest from Senate Intelligence Committee Chairman Mark Warner, D-Va., Sen. Susan Collins, R-Maine, and Sen. John Cornyn, R-Texas, at a hearing earlier in the week (see 2102230064).
Karl Herchenroeder
Karl Herchenroeder, Associate Editor, is a technology policy journalist for publications including Communications Daily. Born in Rockville, Maryland, he joined the Warren Communications News staff in 2018. He began his journalism career in 2012 at the Aspen Times in Aspen, Colorado, where he covered city government. After that, he covered the nuclear industry for ExchangeMonitor in Washington. You can follow Herchenroeder on Twitter: @karlherk
Data portability and interoperability could get early movement as the House Antitrust Subcommittee looks to draft bipartisan bills for its antitrust review, Chairman David Cicilline, D-R.I., and ranking member Ken Buck, R-Colo., told us. At a hearing earlier Thursday, members of both parties showed support for working on portability and interoperability. Buck highlighted both items for potential subcommittee collaboration.
There won’t be legislative announcements from leadership at Thursday’s hearing on tech antitrust, House Antitrust Subcommittee Chair David Cicilline, D-R.I., told us Wednesday. But he expects the conversation to further define specific proposals. Legislative proposals could touch on interoperability, explicit prohibitions on favoring products and services, and nondiscrimination, he said. The hearing focus will be on the power of dominant firms to exclude competitors and favor products and services to make it difficult for entrants to compete, he added.
Senate Intelligence Committee Chairman Mark Warner, D-Va., and Sen. John Cornyn, R-Texas, suggested Tuesday it might be time for legislation on mandatory notification requirements for cyberattacks. Microsoft and FireEye executives agreed with the suggestion, which would include liability protection, during a hearing on the SolarWinds breach (see 2102180043).
SolarWinds CEO Sudhakar Ramakrishna will testify Friday about the company’s recent breach, the House Oversight and Homeland Security committees announced Monday (see 2102180043). Microsoft President Brad Smith, FireEye CEO Kevin Mandia and ex-SolarWinds CEO Kevin Thompson will also testify. The vulnerability that enabled the breach exists in “every company, so what happened to us can happen to any software developer in the world,” Ramakrishna told a Center for Strategic and International Studies event Monday. The attacker was able to inject malware into Orion software code in a narrow way that went undetected, so SolarWinds delivered and signed it, he said: “The ability for our bill systems to identify that did not exist.” Ramakrishna “came to know” about the breach around Dec. 13-14, when he wasn’t officially an employee, he said. He noted the attackers used older software releases as test beds. He said SolarWinds is working with third parties to understand the breadth and depth of the sophistication and patience of the attackers. SolarWinds is working with the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology on potential generalized best practices, he said. He suggested the U.S. government should have one agency for companies to inform and brief about incidents, because having multiple points of contact results in wasted time and effort.
Apple threatens online advertising through its anticipated policy requiring developers to gain consent for tracking users across platforms and sites, Facebook Chief Privacy Officer-Policy Erin Egan said Friday. Privacy claims shouldn’t be used to oppose ads, which is the basis for a free internet, she told a Media Institute virtual forum.
The Virginia House passed the Senate version of a state privacy law Thursday, while the Senate delayed a vote on the House version until Friday. The House voted 89-9 Thursday for SB-1392; the Senate wanted to reconsider arguments on HB-2307. The measure would let consumers access, correct, delete and obtain copies of personal data, and opt out of targeted advertising. The state attorney general would enforce the bill after giving 30 days to cure violations. The bill doesn’t include a private right of action. Legislators amended the bill to add a work group to review the law and implementation and report to the legislature by Nov. 1, before the law takes effect Jan. 1, 2023 (see 2102160040). Gov. Ralph Northam (D) is expected to sign. His office didn’t comment.
Acting FTC Chair Rebecca Kelly Slaughter’s recent direction on privacy and algorithmic bias (see 2102100062) shows she’s going to pursue a vigorous progressive agenda while auditioning for the permanent role, observers told us. She has shown bipartisan agreement on some technical issues, they noted. Since the acting designation, her office has met with consumer advocates about privacy, educational technology, advertising technology and other topics, one advocate said.
If congressional inaction continues, Republican FTC Commissioner Christine Wilson said she's open to a Magnuson-Moss privacy rulemaking, an idea her Democratic colleagues proposed. Wilson said Friday she opposes rulemakings or “any attempt to engage in industrial engineering” unless there's a market failure. “Here I believe there is a market failure,” she told a Silicon Flatirons event. “There is such a significant asymmetry between what companies know about how data is collected and used and what consumers know.”
The Cybersecurity and Infrastructure Security Agency lacks funding for incident response and engagement with the critical infrastructure community, despite its $2 billion budget, the agency's former Director Chris Krebs told the House Homeland Security Committee Wednesday. “My biggest regret was that we were not able to plow additional resources into the ability to get out there into the field and engage critical infrastructure and engage state and local actors,” he said during a hearing on the SolarWinds attack (see 2102090076). Chairman Bennie Thompson, D-Miss., said the attack is “dominating the cyber conversation.” CISA is part of the Department of Homeland Security.