Unearthing secret hacks

[Bloomberg]( Follow Us [Get the newsletter]( Hi, this is Alyza on Bloomberg’s cybersecurity team. Calls are growing for American companies to be more transparent about cybersecurity after suspected Russian hackers penetrated computer networks in the U.S. government and private sector. We still don’t know the scope of the attack, which compromised software by the Texas-based firm SolarWinds Corp., pushing malicious code to as many as 18,000 of its customers in updates. But how many of those companies were targeted for follow-on attacks by the hackers is still being investigated. The [White House says]( it has identified nine federal agencies and about 100 private companies that may have been hit, though that number could grow as the inquiry progresses. One reason we don’t know the full extent of the attack is there is currently no federal data breach notification law. I covered two Capitol Hill hearings focused on the cyber-attack last week, and the need for such a law was a common theme among lawmakers of both parties and the technology executives who testified. [They called for]( a federal requirement that companies notify the government of significant breaches. Part of their reasoning was that the suspected Russian hackers were only discovered after the cybersecurity firm FireEye Inc. found that it had been breached, and voluntarily disclosed the incident in December. Without the breach disclosure, the hackers could still be roaming government and private-sector computer networks undetected. It's an example that demonstrates the long-argued point that private sector breach disclosure can be critical to U.S. national security. In addition to the debate over whether companies should be required to disclose cyberattacks to the government, there are also increasing calls for publicly traded companies to be more forthcoming with investors about the cybersecurity risks that they're taking on. The cyber risk analysis firm [SecurityScorecard]( released a report Tuesday morning evaluating whether companies are heeding the U.S. Securities & Exchange Commission's calls to share information about cyber risks that could affect stock prices or companies' reputation and value. “Too often, cyber-related disclosure language is boilerplate in a way that could not assist an investor in assessing a company’s cyber-risk profile or management of those risks,” the report found. “Gaining investor confidence will depend on companies’ willingness to move beyond identifying systemic cyber-risks to articulating which proven strategies and tools they are using to manage them.” The report comes more than a year after the Cyberspace Solarium Commission—a bipartisan group created by Congress to develop recommendations for the U.S. to prevent future cyberattacks—pushed for increased corporate accountability on cybersecurity. The commission recommended specifying security metrics that publicly traded companies should track, and requiring that they keep records of their cyber-risk assessments. At the Senate Intelligence Committee hearing last week, Chairman Mark Warner asked technology executives: "Why shouldn't we have mandatory reporting systems, even if those reporting systems require some liability protection so we can better understand and better litigate future attacks?" Executives were receptive to the idea. Brad Smith, president of Microsoft Corp., said an obligation for private sector companies to disclose breaches will be critical step moving forward: “I think it is the only way we’re going to protect the country," he said. "And I think it is the only way we’re going to protect the world." —[Alyza Sebenius](mailto:asebenius@bloomberg.net) If you read one thing Amazon workers in Bessemer, Alabama are voting on whether to unionize. According to [interviews with 16 workers there](, anti-union sentiment on the warehouse floor runs at least as hot as pro-union passions. Paid Post Juniper Networks knows that experience is the first and most important requirement for networking in the cloud era. This enables network users—employees, students, patients, customers and guests—to be as happy and productive as possible. See what the top influencers and experts have to say [here](. Juniper Networks And here’s what you need to know in global technology news Zoom stock jumped in after-hours trading Monday after the company [projected annual revenue]( that topped analysts' estimates. Employees at Jack Ma's Ant Group thought they were poised for a major IPO windfall. Now, they're stuck with [unsellable shares](. The U.S. government asked Google to fork over granular information on how its search engine works as part of an [antitrust case](.  Like Fully Charged? | [Get unlimited access to Bloomberg.com](, where you'll find trusted, data-based journalism in 120 countries around the world and expert analysis from exclusive daily newsletters.  You received this message because you are subscribed to Bloomberg's Fully Charged newsletter. [Unsubscribe]( | [Bloomberg.com]( | [Contact Us]( Bloomberg L.P. 731 Lexington, New York, NY, 10022