Bipartisan Lawmakers Work Toward Disclosure Bill for Cybersecurity Breaches

The News: As a result of recent cybersecurity breaches, a group of bipartisan lawmakers has been announced. Rep. Michael McCaul (R-Texas) and Sen. Jim Langevin (D-R.I.) are working on legislation that will require companies to notify the federal government in the event of a security breach. Read more at SCMedia.

Bipartisan Lawmakers Work Toward Disclosure Bill for Cybersecurity Breaches

Analyst Take: In the wake of the SolarWinds security breach, which impacted numerous federal agencies, lawmakers are beginning to understand that a system of self-policing as it relates to companies experiencing breaches is perhaps not the most reliable route to taking swift action to mitigate damage as a result of the breach.

Today, but a few weeks after lawmakers appeared at a joint meeting of the House Oversight and Homeland Security Committee and advised they are working on legislation to require reporting, we’ve added the Microsoft Server Exchange hack to the list of very big, very troubling breaches that have occurred in recent times.

Espionage, R&D Information and Data Grabs the Motive Behind Attacks

Both the SolarWinds and the Microsoft Exchange Server attacks were orchestrated by nation state threat actors either for purposes of espionage or massive data grabs from both the federal government and private companies — or both.

We’ve also seen news in recent months of hackers targeting vaccine data by way of global phishing campaigns with China, Russia, North Korea, and Iran all suspected of efforts to steal COVID-19 vaccine information.

Federal investigators believe the SolarWinds attack was the work of Russia’s Foreign Intelligence Service who have a track record of targeting government entities. Following the initial discovery of the SolarWinds hack, however, it is also believed there was a second SolarWinds hack that further compromised government systems, allegedly perpetrated by the Chinese. Reuters reported that the hackers breached the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, which exposed thousands of federal employees’ records. Separate groups of hackers targeting the same software product vulnerabilities is not unusual, and in fact, to be expected.

The Microsoft Exchange Server attack is believed to be the work of a state-sponsored group from China called Hafnium, targeting zero-day vulnerabilities in the Exchange server that hackers had been quietly exploiting. Microsoft was believed to be advised of the bugs in early January by a security expert. Microsoft released patches to address the vulnerabilities on March 2nd which left a wide of opportunity for the vulnerabilities to be exploited — and they were.

Lag Time in Discovery and Reporting Security Breaches is Problematic

In the cases of both the SolarWinds and Microsoft Exchange Server hacks, the security breaches were discovered not by the companies themselves, but by cybersecurity experts who discovered them and immediately issued alerts.

To illustrate the scope of the problem, and the reason lawmakers are exploring security breach reporting requirements is simple: The names we know as a result of two of the biggest security breaches of the last year are SolarWinds and Microsoft. There are thousands of other organizations affected by these breaches, including government entitles and companies of all sizes.

We know the identity of some of the government entities, but there is much less information available on the American companies who have been in some way compromised as a result of these or other security breaches.

Thus, the pressing need for businesses or breach responders to disclose breaches to the U.S. government in some way and within a certain time period after discovering the incident.

Security Executives Testify, Say Federal Guidance Needed

In the aftermath of the SolarWinds attack, executives from FireEye, the cybersecurity company who discovered and reported the attack, along with Microsoft executives, told members of Congress that while they came forward voluntarily and reported on details of the attack, there was no requirement for them to do so. There are also nuances involved that impede reporting and damage control that revolve around privacy requirements in vendor contracts with federal agencies and notification as a result is convoluted and clumsy.

Therein lies the rub, and an undeniable chasm in our national security posture.

FireEye CEO Kevin Mandia told lawmakers that state laws alone don’t provide sufficient protection. For instance, state laws around data breaches require the notification to consumers of a breach of personally identifiable information, if no PII is compromised, there is no duty to report.

The good news from all of this is that while Congress has tried and failed to pass federal breach notification laws in the past, the high profile nature of both the SolarWinds and Microsoft Exchange Server hacks, both of whom targeted not only government agencies but also organizations the world over, should hopefully serve to compel greater interest in enacting mandatory cybersecurity reporting legislation.

From a federal government standpoint, outdated systems and procedures, along with a shortage of tech skills and cybersecurity strategy expertise no doubt play a role. There is a call by tech executives to put the Cybersecurity & Infrastructure Security Agency (CISA) in charge of security the computer networks of the entire federal government outside the military, which is handled by the U.S. Cyber Command. Of note, Chris Krebs served as the Director of CISA from November 2018 to November 2020. It was his responsibility to oversee the security of the November 2020 presidential election and after calling the 2020 vote “the most secure in American history” was summarily dismissed by then President Trump. Following his dismissal, Krebs teamed up with Alex Stamos, former Facebook chief security officer to form a new cybersecurity consulting firm. Their first client: SolarWinds. In an interview with the Financial Times, who broke the story of Krebs’ hiring, Krebs said that it could take years before all of the compromised systems can be made entirely secure again.

While that shouldn’t be surprising to anyone immersed in the business of cybersecurity, it’s entirely possible that for many organizations, security isn’t yet a boardroom, foundational, critical business strategy action item. That needs to change. Cybersecurity threats threaten every aspect of an organization, whether publicly traded, private, government entity. Outdated infrastructure, a lack of internal expertise, lack of knowledge around the risks that both hardware and software pose throughout the organization, and also a lack of understanding around technology solutions available all play a role here. That’s part of the reason our team is excited about Confidential Computing, which is technology still in nascent stages, but which will provide protection that organizations need in some really innovative ways. More on that in a soon-to-be-published research brief.

My partner, Daniel Newman, and I covered these recent attacks, the impact on organizations from a financial standpoint as well as from a leadership standpoint, and it was the first of several conversations we’ll have on the topic of security and Confidential Computing. If that’s of interest, you can check out that conversation here:

This work by lawmakers toward a disclosure bill for cybersecurity breaches helps everyone involved — hopefully this time around it will make it into law.

Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.

More insights from Futurum Research:

More Security Woes for Microsoft’s Exchange Servers as Threat Actors Get Busy — Patching is Urgent

Microsoft Exchange Server Hack Attack Highlights an Issue with On-Prem Software

Cybersecurity and the Role Hardware Plays in the Enterprise Security Journey (Futurum Tech Webcast)

The SolarWinds Hack, Clubhouse, Vulnerable Agora SDKs, Microsoft — Security News You May Have Missed (Futurum Tech Webcast)

Image Credit: AFCEA International

Author Information

Shelly Kramer is a serial entrepreneur with a technology-centric focus. She has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation.

Related Insights
Can Anthropic's GRAM 'Off Switch' Make Dual-Use AI Safer Without Killing Utility?
July 10, 2026

Can Anthropic’s GRAM ‘Off Switch’ Make Dual-Use AI Safer Without Killing Utility?

Anthropic and AE Studio introduced GRAM, enabling selective removal of sensitive AI capabilities without retraining, potentially addressing privacy and security concerns for organizations adopting generative AI....
Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?
July 10, 2026

Exprivia Bets Big on Banking Security: Can Partnership Drive Real Innovation?

Exprivia announced partnership with ABI's WeSec summit as Main Partner, aligning with surging demand for cybersecurity and AI solutions across Italian banking. The move positions the company to capitalize on...
Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?
July 8, 2026

Kore.ai and Atos Bet on Sovereign Agentic AI, Will UK Enterprises Demand Proof, Not Promises?

Kore.ai and Atos announce a strategic partnership to deliver Sovereign AI solutions to UK organizations, addressing data residency and compliance requirements in the rapidly expanding $181B AI platforms market....
ServiceNow and Accenture Bet on Migration to Win Enterprise Risk
July 7, 2026

ServiceNow and Accenture Bet on Migration to Win Enterprise Risk

Fernando Montenegro, VP at The Futurum Group, examines the ServiceNow and Accenture cybersecurity offering, and why its AI-powered migration and the Armis acquisition point to a bid to become the...
Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up
July 4, 2026

Compliance as Code Is No Longer Optional: Why Manual Reviews Can’t Keep Up

Qodo's 'Compliance as Code' framework automates enterprise AI compliance through PR checks, solving the data privacy and security gaps that plague manual reviews at scale....
Brave's Browser Containers Raise the Bar for Privacy and Workflow Flexibility
July 3, 2026

Brave’s Browser Containers Raise the Bar for Privacy and Workflow Flexibility

As AI platform adoption accelerates to $181.3B projected market size, Brave's v1.92 release introduces native browser containers addressing data privacy concerns for 52.6% of enterprise decision makers managing multi-cloud AI...

Book a Demo

Welcome

The vision behind everything in Futurum’s Custom Research practice is this: research should show you what is happening, what comes next, and what to do about it. It should be personal to each audience, easy for people to grasp, and structured so LLMs can reason over it accurately. And it should be fast and turnkey; you want answers now, not another project to carry for quarters.

Whether you are defining business, channel, or go-to-market strategy; evaluating vendors or justifying ROI; or commissioning research to fill an emerging market need, we have your back, with a program that answers your questions with the objectivity and credibility to drive real decisions.

To do it, we bring unmatched data to bear: Futurum research, surveys, and market projections; validated market feeds; ETR’s 15 years of insight from 10,000 technology decision-makers; G2’s buyer and user data; and what our analysts hear every day. Add leading primary collection, from AI-moderated voice interviews to surveys and analyst-led interviews, all turnkey, and every project comes out credible, nuanced, and actionable.

And we don’t just drop the results in your lap. For internal work, we provide analyst-led sessions, interactive dashboards, and a range of formats. For market-facing work, Futurum delivers turnkey activation and amplification that actually gets seen, by people and by LLMs, through our media and share of voice. This is research that moves decisions and markets.

We will meet you wherever you are, from a fast-turn brief to a multi-year program, and shape the work to your goals, timeline, and budget. The right program for your moment.

If any of this is useful, I would love to talk.

Benjamin Brown, VP Custom Research, Futurum Research

Benjamin Brown

VP, Custom Research · The Futurum Group

Newsletter Sign-up Form

Get important insights straight to your inbox, receive first looks at eBooks, exclusive event invitations, custom content, and more. We promise not to spam you or sell your name to anyone. You can always unsubscribe at any time.

All fields are required






Thank you, we received your request, a member of our team will be in contact with you.