Developing Mandatory Reporting for Cyber-Attacks on U.S. Businesses

Abstract

The goal of this paper is to argue for the mandatory reporting of cyber-attacks on critical U.S. infrastructure, industries, and companies to the Department of Defense (DoD) for the DoD to improve national security through a clearer understanding of the threats and how to position the U.S. for better defense. The paper will first discuss who will be subject to mandatory reporting and propose a template for the requirements of reporting such as the turnaround time to report and the details needed from the attack. The paper will provide an argument showing the benefit to the DoD requiring reporting and why it should be concerned about external cyber-attacks on non-DoD systems. The paper will then look on the private sector viewpoints to discuss the benefits of mandatory reporting such as the bottom line and brand awareness. Additionally, the paper will also discuss how the consumer will benefit from mandatory reporting with a focus on both financial and privacy issues. Lastly, the paper will address some key points of dissent on the topic of mandatory reporting as well some evidence to push back or show how the negatives of not reporting outweighs the negative of reporting. After reading the paper, the reader will have a better picture of the current status of cyber-attacks on the private sector, how these attacks effect the DoD’s mission, and why mandatory reporting can help enhance private sector cybersecurity. More research is needed to better understand the legal argument for requiring reporting on cyber-attacks as well as economic incentives for compliance, however this paper is not intending to answer that argument given the authors do not come from the legal or economic disciplines.