The massive hack into government systems through a software contractor would have remained unknown by the public if not for one company's decision to be transparent about a breach of its systems, Microsoft President Brad Smith told lawmakers at a hearing Tuesday.
"The fact that we are here today, discussing this attack, dissecting what went wrong, and identifying ways to mitigate future risk, is occurring only because my fellow witness, Kevin Mandia, and his colleagues at FireEye, chose to be open and transparent about what they found in their own systems, and to invite us at Microsoft to work with them to investigate the attack," Smith told the Senate Select Committee on Intelligence, according to his prepared remarks.
"Without this transparency, we would likely still be unaware of this campaign. In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity."
Smith's testimony highlights how many cybersecurity incidents can go undisclosed. Smith told lawmakers that private sector companies should be required to be transparent about significant breaches of their systems. He compared the "patchwork" of disclosure requirements in the U.S. to more consistent obligations in places like the European Union.
FireEye disclosed in a regulatory filing in December that it had been hacked by what it believed to be a state-sponsored actor who mainly sought information related to its government customers. The company said the attack was unusually advanced, employing "a novel combination of techniques not witnessed by us or our partners in the past."
Soon after, Reuters reported that hackers possibly linked to Russia accessed email systems at the U.S. Commerce and Treasury departments through SolarWinds software updates. The Defense Department, State Department and Department of Homeland Security were also affected, The New York Times later reported. Reuters reported, citing sources, that the SolarWinds attack was related to the FireEye incident.
A few days later, Reuters reported that Microsoft was also hacked. U.S. agencies later shared that Russian actors were likely the source of the attack. Smith said in his written testimony that Microsoft does not dispute that assessment, though he added, "Microsoft is not able to make a definitive attribution based on the data we have seen."
Smith told Congress that Microsoft notified 60 customers, mainly in the U.S., that they were compromised in connection with the attack. But he warned lawmakers that there are certainly more victims that have yet to be identified. A White House cybersecurity advisor estimated last week that nine government agencies and roughly 100 private companies were affected by the attack. Smith told Congress that Microsoft also identified further government and private sector victims outside the U.S.
Smith proposed that in addition to requiring more disclosures from private companies, government should provide "faster and more comprehensive sharing" with the security community.
"A private sector disclosure obligation will foster greater visibility, which can in turn strengthen a national coordination strategy with the private sector which can increase responsiveness and agility," Smith said in his written remarks. "The government is in a unique position to facilitate a more comprehensive view and appropriate exchange of indicators of compromise and material facts about an incident."
But Mandia, FireEye's CEO, told CNBC's Eamon Javers in an interview ahead of the hearing Tuesday that disclosure is "a damn complex issue."
"The reason it's a complex issue is because of all the liabilities companies face when they go public about a disclosure," Mandia said. "They have shareholder lawsuits, they have lots of considerations of business impact. You also don't want to unnecessarily create a lot of fear, uncertainty and doubt."
Intelligence Committee Chairman Mark Warner, D-Va., said in his opening remarks Tuesday that it may be worth considering greater disclosure requirements, even if it means creating liability protection for companies that follow those disclosure obligations.
-- CNBC's Jessica Bursztynsky contributed to this report.