There is a mounting gap between what the headlines say about the costs of cyber insecurity to the U.S. economy and the results of data-driven research on this topic—with negative implications for cybersecurity. Congress should move to narrow the gap by passing a federal law that takes two steps to protect data. First, it should require companies that possess sensitive personal information to publicly disclose when significant breaches of this information occur. Second, the law should also establish across-the-board requirements for companies that own and operate critical infrastructure, such as power plants and water utilities, to notify the authorities when sensitive operational systems are under credible threat from malicious cyber actors. A uniform, comprehensive framework would aid national security and enable executives, investors and policymakers alike to make data-driven investment and policy decisions.
Incidents that make headlines—such as the 2013 breach of Target, which has cost the company $292 million and counting, or the multi-billion-dollar losses suffered in 2017 by victims of the NotPetya attacks perpetrated by the Russian military—convey a popular impression of calamitous costs from malicious cyber incidents.