May 22, 2016

Should Companies Be Required to Share Information About Cyberattacks?

Andrea O'Sullivan

Feature Writer

Requiring organizations to share information with hack-prone federal agencies under threat of penalty will only add to the current contradictory mess of policies.


NO: It Would Limit Companies’ Ability to Thwart Attacks

In the ever-evolving world of cybersecurity, a blanket mandate that organizations must report incidents and share cyberattack information could ultimately create more problems than it solves.

Context is the key. In some cases, not reporting an attack can be a good strategy. Security experts may be able to better understand or even disarm a cyberattack by taking their time to quietly observe the infiltrators’ activities. This kind of approach cannot work if organizations are forced to pre-emptively publicize an attack, or if the policing effort that follows involves too many parties. In addition, a mandate requiring companies to share cyberattack information would effectively criminalize this kind of quiet security strategy and limit organizations’ abilities to effectively counteract cyberattacks on their own.

It is important to view the government as a trusted resource for collaboration when appropriate—for instance, when an attack involves a nation-state or terrorist group. But the amount of work that would result from a system of routine mandatory reporting of data breaches may have the effect of diverting valuable resources from security toward compliance. The likely information overload that would result could inundate analysts with reams of unhelpful data while useful information about real threats gets lost in the shuffle.

Some supporters of compulsory reporting think that it will bring about greater transparency in the world of cybersecurity, leading to more cooperation and enhanced security for all. But the federal government itself is often unable to properly act on cyberthreat information that is shared even among its own offices. And the government’s idea of information sharing is usually asymmetric. Indeed, federal agencies are often unwilling to share information with private entities. In addition, some intelligence agencies, such as the National Security Agency, when they find “zero-day” vulnerabilities—system weaknesses that network security analysts aren’t aware of and so have spent no time working on—stockpile them for their own use rather than report them to the appropriate party for patching.

Advocates of required reporting were pleased when Congress in December passed the Cybersecurity Act, a bill that offers liability protections to corporations that monitor their information systems for security and share information about threats. Lawmakers passed the bill in the face of strong opposition from computer-security experts and civil-liberties advocates who argued that it threatened to undermine Americans’ privacy while doing little to actually address our biggest cybersecurity challenges. Policy makers who backed the Cybersecurity Act assured the public it was only a voluntary program.

But the law has done nothing to make us safer from cyberattacks. And less than half a year later, the specter of mandatory reporting is still with us, as its supporters appear eager to continue the debate.

Required reporting would be a clear increase of government power and, in some ways, inconsistent with the spirit of the Cybersecurity Act. While that law is intended to limit the liabilities of those organizations that cooperate, mandatory information sharing would seek to force cooperation by extending liabilities to all.

There is much that can be done to improve U.S. cybersecurity without requiring companies to report cyberattacks. The government should first focus on correcting policy missteps from the past. It should promote the use of strong encryption and reform counterproductive laws like the Computer Fraud and Abuse Act that chill security research. Requiring organizations to share information with hack-prone federal agencies under threat of penalty will only add to the current contradictory mess of policies.