victims need to be legally compelled to be
forthcoming when they have been breached.
Even now, three months after the breach
was disclosed, the identity of most victims
remains unknown.
Congress has considered in the past whether to
require companies to report that they have been
the victim of a hack, but it has triggered legal
concerns, including whether they could be held
liable by clients for the loss of data.
U.S. authorities are also considering whether
to give additional resources and authority to
the Cybersecurity and Infrastructure Agency or
other agencies to be able to take a more forceful
role in working to prevent future breaches.
Another measure that has been considered
is to create a new agency, like the National
Transportation Safety Board, that could quickly
come in and evaluate a breach and determine
whether there are problems that need to
be fixed.
Sen. Ron Wyden, one of the most prominent
voices on cyber issues in the Senate, warned that
the U.S. must first make sure that government
agencies breached in this incident have taken
the required security measures.
“The impression that the American people
might get from this hearing is that the hackers
are such formidable adversaries that there was
nothing that the American government or our
biggest tech companies could have done to
protect themselves,” said Wyden, an Oregon
Democrat. “My view is that message leads to
privacy-violating laws and billions of more
taxpayer funds for cybersecurity.”