Microsoft Corp. President Brad Smith urged U.S. lawmakers to impose obligations on companies and organizations to report any cyberattacks they face in order to better safeguard the country from incidents like the breach of SolarWinds Corp.'s systems.
Speaking at a Feb. 26 joint hearing held by the U.S. Committee on Oversight and Reform and the Committee on Homeland Security on the implications of the SolarWinds cyberattack, Smith said many companies impacted by cyberattacks choose not to report. Disclosing that information exposes companies to scrutiny from customers, shareholders and the government.
"I think we have to encourage and even mandate that certain companies do this kind of [cyber breach] reporting," Smith said. "2021 needs to be the year that Congress acts to take steps to strengthen the cybersecurity of the nation."
Before such rules are adopted, Smith said lawmakers need to address things like which companies the rules should apply to, how the process should be managed, and which agencies can access the disclosed information.
"CISA [the U.S. Cybersecurity and Infrastructure Security Agency] is a very strong candidate, it deserves consideration, and we need to think about the process and the type of information that should be shared and when it should be shared," Smith said.
Also speaking at the hearing, Kevin Mandia, CEO of cybersecurity company FireEye Inc., which first identified the SolarWinds breach, said CISA should work with the private sector to effectively conduct threat hunting, an active cyber defense process of proactively searching through networks to detect and isolate advanced threats that evade existing security solutions.
"The reason we have to do threat hunting is because not every product stops everything," Mandia said. "There is no such thing as perfect security, so you have to have the catcher's mitt behind your products, and CISA's folks who do threat hunting will be able to tap the private sector and be trained by the private sector, so that would be the right thing to do."
The SolarWinds breach, which was discovered by FireEye in December 2020, impacted as many as 18,000 SolarWinds customers who were exposed to a software vulnerability in the company's Orion products. This allowed hackers to breach the systems of U.S. agencies such as the Justice Department and companies including Microsoft.
[Image caption: A screengrab of Microsoft President Brad Smith testifying at the Feb. 26 Senate Intelligence Committee hearing.]
"This was an attack on the software supply chain, as it planted malware into a software update," Smith explained. "I think this points to one of the first things we need to focus on securing more broadly across the software ecosystem. All applications need to be updated, and we need to work together to prevent this kind of tampering with software updates."
Smith said it is crucial to not only focus on modernizing IT infrastructure, but also to broadly apply cybersecurity best practices that are too often neglected. He noted that Microsoft repeatedly found that its customers who were targeted by the breach could have better protected themselves by applying security measures.
When asked whether the hackers received access to classified information, Smith said Microsoft could not determine that, as most classified systems are maintained by the government and not the company itself. However, he cautioned that it would not be prudent to assume that sensitive and classified data was not in jeopardy.
"The SolarWinds hack was one vector of attack by an agency that in all probability is engaged in many vectors of attacks every single day of the year on a broad international basis," Smith said. "So what we have seen here is one slice of activity that is always ongoing. We should always assume there are things that we don't know and always assume there are things that are worse than we do know. That is, I think, a cause for concern."