back to article Microsoft president asks Congress to force private-sector orgs to admit when they've been hacked

The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith. Speaking at a Senate Intelligence Committee hearing on Tuesday regarding the SolarWinds backdoor, through which suspected Russian agents infiltrated the computers of US government …

  1. Anonymous Coward
    Anonymous Coward

    Perhaps Microsoft should be made to run an ad campaign each & every week on each & every radio & TV channel.

    The 30 second spot (sometimes a monthly 60 second bumper edition) should list all the vulnerabilities and bugs in their systems, when they were discovered and when they were fixed.

    Since almost everyone on planet earth is touched by Microsoft, this seems appropriate.

    1. katrinab Silver badge
      Flame

      How much would you need to speed up the audio buy to fit that list into 30 seconds? Would it still be intelligible?

      1. quxinot Silver badge
        Devil

        That would not work.

        The resulting frequencies would be 1) well beyond the range of human hearing and 2) probably well above the carrier frequency if broadcast anyway.

        :P

  2. AW-S

    A team of 1000.

    "Microsoft’s investigative team concluded that it had taken a team of over 1,000 “very skilled engineers” to pull it off"

    I've found that figure of 1,000 very hard to believe. A team of 6 would be so much more believable.

    1. a_yank_lurker Silver badge

      Re: A team of 1000.

      6 to 10 competent engineers for anyone else but for the Rejects of Redmond it probably takes a 1000 of their staff to find 5 or 6 semi competent engineers /<snark>

      1. Anonymous Coward
        Anonymous Coward

        Re: A team of 1000.

        You forget that this is a discussion of a government run operation. Even in Russia a team of 5 or 6 engineers (the sophistication of this is well above semi competent) working for a government department will have 15 other engineers who are clocking in and out each day but not really contributing much, 20 project managers, 50 programme managers, a finance department, political officer, a bunch of enterprise architects that no one knows what they do, and an HR department to run all of that.

    2. cd

      Re: A team of 1000.

      This is just asking for a new Reg measurement of incompetence.

      "How incompetent were these people?"

      "x000 Microsoft Engineers"

      "Ahh"

  3. NoKangaroosInAustria
    Mushroom

    GDPR been there done that

    So, we have this thing in the EU called GDPR which does just that. Now who's got egg on their face?

    /snark mode off

    Yes, I know gloating is unbecoming but considering the amount of anti-EU=Anti-GDPR postings the past year alone, this feels good.

    And TBH, I think California, New York and IIRC 2 or 3 other states individually have somewhat similar and strict regulations to varying degrees.

  4. Potemkine! Silver badge

    "it’s the only way we’re going to protect the world.”

    4 words: General Data Protection Regulation

    +1 for NoKangaroosInAustria

    1. Mike 137 Silver badge

      Re: "it’s the only way we’re going to protect the world.”

      Article 33(1) Notification of a personal data breach to the supervisory authority

      ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

      So even under the GDPR there's an escape clause.

      As practically no data controller ever considers the rights and freedoms of data subjects, the majority of data breaches are likely to go unreported. Where they are reported, it's usually driven by embarrassment, triggered by some outside agency such as the press picking up on it.

      1. NoKangaroosInAustria

        Re: "it’s the only way we’re going to protect the world.”

        Sorry to contradict you, but, that's not entirely as easy as it sounds. IANAL, but GDPR Article 33 ends as follows: "Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."

        My understanding of this clause is that it doesn't absolve the data controller of their reporting responsibilities but merely extends the 72hr window to whatever the data controller can argue was a "reasonable" time period to prevent/mitigate risks to rights and freedoms of persons and so on.

        If (or rather when) the breach eventually becomes known and the controller can't sufficiently justify the risks that they purportedly were mitigating whilst violating the 72 hours rule, well - let's just say some bigwigs@data-controller might have a harder time collecting their undoubtedly well deserved bonuses.

        1. Mike 137 Silver badge

          Re: "it’s the only way we’re going to protect the world.”

          @NoKangaroosInAustria

          The clause is open to more than one interpretation, and there has so far been no case usable to set a precedent. However the ICO has in the early days advised against "over-reporting" of "minor" data breaches, so there is indeed apparently some (ill-defined) latitude as whether to report or not. And of course if a breach is not self-reported or externally reported on, who is to know it occurred?

  5. Anonymous Coward
    Anonymous Coward

    I see......."Blame the Victim"......where have I heard that before!

    Quote: "The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith."

    *

    And most times, that would not protect anyone.......the SolarWinds attack was found LONG AFTER THE HACKERS STARTED HACKING.

    *

    The Equifax hack was found..................LONG AFTER THE HACKERS STARTED HACKING.

    *

    ...........and so on. Horse....stable door......oh dear!

    *

    And as for GDPR......Google, FB, Palantir....and hundreds of other "aggregators" are packaging and selling PII to thousands of clients. How in the world could anyone ever understand where PII was stored....never mind whether the data was accurate....never mind the "right to be forgotten". GDPR is a joke!!

    *

    1999: https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    2015: https://www.wired.com/2015/11/yes-the-nsa-worried-about-whether-spying-would-backfire/

    2018: https://www.bloomberg.com/features/2018-palantir-peter-thiel/

    1. NoKangaroosInAustria

      Re: I see......."Blame the Victim"......where have I heard that before!

      RE: "GDPR is a joke".

      You have a right to your opinion of course. And while you are free to think of GDPR as "a joke", a couple of companies would strongly disagree. Please refer to this website that tracks GDPR fines: www.enforcementtracker.com

    2. IGotOut Silver badge

      Re: I see......."Blame the Victim"......where have I heard that before!

      Hi Bob.

  6. mmccul

    California has almost this

    California's breach notification laws are surprisingly powerful tools. Yes, there is an escape clause if the personal information was encrypted (and yes, it is defined enough that double ROT-13 doesn't count). Yes, it has to impact 500 residents of California, but it's surprisingly powerful, to the point that long before I lived in California, I had to be aware of it routinely. The long arm clauses makes even businesses that don't "exist" in the state still have to notify people of breaches, so reorganizing in Texas or Delaware doesn't protect the business.

    As I understand, New York State also has similar laws, though I have not sat down and analyzed them.

    I suspect that some of these companies would like to see a single federal standard breach notification law rather than state by state requirements that differ slightly in what constitutes personal information, what protections exist, etc.

    1. Zippy´s Sausage Factory
      Devil

      Re: California has almost this

      The usual reason they want a federal standard for anything is that it would override a state one. And a federal one is a lot easier to water down because you only have to lobby in Washington, DC.

      Yes, I am that cynical, thank you for noticing.

    2. NoKangaroosInAustria

      Re: California has almost this

      Ah yes, the famous POSL that the US has for data privacy matters - "Pieces of Scattered Legislation".

      California is purportedly comparable to GDPR in terms of stringency of user protection.

  7. FlamingDeath Silver badge

    I think we all need to show due diligence, but this message is a bit hard to swallow when its coming from fucking Microsoft

    Didn’t they hose a load of peoples data not too long ago in one of their many botched patches if a certain folder caching policy was enabled?

    We got Bill fuckin Gates leading the charge against infectious diseases, the man who spawned an operating system that has more holes than a 3rd degree burns victim

    1. IGotOut Silver badge

      Go learn about the Gates foundation and come back.

      They are doing more to eradicate infectious diseases than most nations. Or how about improving farming in poor areas? Or teaching women about family planning? Or how about sorting out schooling for the poor?

      Yeah, that Bill Gates.

      1. Claverhouse Silver badge

        I doubt if [ American Schooling ] Voucher Schools have much to do with helping the 'poor' by defunding the public schools. And as for other things since when is it acceptable for private foundations to influence public policy ? As with Bloomberg, another rich wretch who seeks to use his billions to control peoples.

        Notably with The War on Vaping; down to one individual's personal objections.

        In accordance with Bloomberg’s agenda, these groups have directed a significant amount of their energy on low- and middle-income countries. Using their money, clout, and connections, they impose their views and will on these nations, without the input of local populations and with little or no regard for their specific circumstances, needs, and values. In the midst of a wave of interest in “decolonializing” public health, this sort of patronizing interference, well-intentioned though it may be, deserves scrutiny.

        .

        https://insidesources.com/bloombergs-philanthro-colonialism-a-threat-to-global-health-and-science/

  8. Mahhn

    MS has no room to talk

    Just this morning I went to report to MS that we received a phishing Email with a link to "malware hosted on their dynamics.com domain."

    There is literally no way to report it. Even called them, unless I would give them an account number, they didn't care.

    MS needs to get their cranium out of their donkey before they tell anyone else to be responsible.

    1. IGotOut Silver badge

      Re: MS has no room to talk

      Registrar Abuse Contact Email: email@cscglobal.com

      Registrar Abuse Contact Phone: +1.8887802723

      Your welcome.

      1. Mahhn

        Re: MS has no room to talk

        I did eventually end up with a way to report it and they took the malware down. It was though a different address. But thank you for posting a way also.

        Searching on their site for "report abuse" (among others) should get more than xbox results though.

  9. Falmari Bronze badge
    Angel

    What’s Microsoft’s angle?

    What’s Microsoft’s angle? Admitting to the world you have been hacked is not good for any company’s business Microsoft included. What’s in it for Microsoft by making the private sector legally obliged to disclose any major hacks of their systems?

    Or is it just a case of, they have seen the writing on the wall and this will eventually happen so they are just trying to get out and in front of it.

  10. DS999

    How was the attack "reckless"?

    If you want to exploit government and big business networks, you WANT people to have less trust in patches and security updates. From the perspective of the attacker their attack method wasn't reckless, it was genius because it accomplished one short term goal (breaking all the Solarwinds stuff) and one long term goal (potentially making some people less willing to install patches, or wait longer before they do)

  11. Claptrap314 Silver badge

    Just a question.

    Would you also support fines for companies that repeatedly take a year or more to address reports of security issues?

    That repeatedly send out software updates that create new security vulnerabilities?

    That repeatedly introduce tools that create obvious attack surfaces?

    That repeatedly ship software with unsafe defaults?

    Just wondering.

  12. Kaki

    disclosures could be made to government-level watchdogs in exchange for limited liability protections, for instance. They may not necessarily have to be fully public disclosures, either

    So, normal people not associated with gov. or who don't have deep pockets will still be screwed, in one side the hackers, on the other side if gov. decides the hack is useful to them, probably will keep it quiet for a while.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021