There is a mounting gap between what the headlines say about the costs of cyber insecurity to the U.S. economy and the results of data-driven research on this topic—with negative implications for cybersecurity. Congress should move to narrow the gap by passing a federal law that takes two steps to protect data. First, it should require companies that possess sensitive personal information to publicly disclose when significant breaches of this information occur. Second, the law should also establish across-the-board requirements for companies that own and operate critical infrastructure, such as power plants and water utilities, to notify the authorities when sensitive operational systems are under credible threat from malicious cyber actors. A uniform, comprehensive framework would aid national security and enable executives, investors and policymakers alike to make data-driven investment and policy decisions.
These impressions are reinforced by statements from leading cyber professionals such as former National Security Agency director Keith Alexander, who has asserted that China’s cyber-enabled economic espionage against U.S. firms has resulted in “the greatest transfer of wealth in history.” His point, shared by many who work on cyber policy, is that this pilfering of American intellectual property and proprietary business information—and its presumed transfer to would-be competitors in China—presents a strategic threat to the competitiveness of U.S. companies and the U.S. economy writ large.