Congress has new appetite for breach law following SolarWinds hack: lawmaker

Introducing the witnesses, Thompson said that there was "growing interest in a cybersecurity reporting law" from his colleagues and that he hoped "we can enact cyber incident notification legislation in the short order."

What such a law might look like was not yet clear.

State and federal rules already compel organizations to notify the public in cases where health information or financial institutions' data has been compromised, but companies are generally free to keep quiet about more traditional forms of cyberespionage - something Microsoft Corp President Brad Smith said was hobbling the fight against foreign hackers.

"A lot of companies choose to say as little as possible and often that's nothing," Smith told lawmakers.

"Silence is not going to make this country stronger. So I think we have to encourage - and I think even mandate - that certain companies do this kind of reporting."

Testifying alongside Smith on Friday were SolarWinds Chief Executive Sudhakar Ramakrishna and FireEye Inc Chief Executive Kevin Mandia.

Their appearance before the joint hearing of the House Committees on Oversight and Reform and Homeland Security comes three days after the trio testified before U.S. senators over the massive breach, which has ensnared nine American government agencies and more than 100 other organizations.

Former SolarWinds Chief Executive Kevin Thompson, who stepped down shortly before the breach was announced, was also testifying on Friday.

(Reporting by Raphael Satter; Editing by Stephen Coates and Steve Orlofsky)