Ask the Experts: How can we help organisations report data breaches?


The Cyberspace Solarium Commission recently published a report with 75 recommendations for implementing a “strategy of layered cyber deterrence” for national security. Section 5.2.2, “Pass a National Cyber Incident Reporting Law,” raises the question of whether an organisation that files an incident report in the interest of national security will then be exposed to punishment under one or more data security or privacy regulations.

Co-chairmen Senator Angus King (I-Maine) and Representative Mike Gallagher (R-Wisconsin) wrote: “The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process, and analyze data. These networks are vulnerable, if not already compromised. Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”

The recommendations span action across the public and private sectors. On the incident reporting question specifically, the report recommends that “reported incidents may not be used to inform or drive punitive measures taken by regulatory agencies,” which would remove the disincentive an organisation currently faces when deciding whether to report.

After conducting an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams, the Commission advocates a new strategic approach to cybersecurity: layered cyber deterrence. The desired end state of layered cyber deterrence is a reduced probability and impact of cyberattacks of significant consequence. The strategy outlines three ways to achieve this end state:

  1. Shape behavior. The United States must work with allies and partners to promote responsible behavior in cyberspace.
  2. Deny benefits. The United States must deny benefits to adversaries who have long exploited cyberspace to their advantage, to American disadvantage, and at little cost to themselves. This new approach requires securing critical networks in collaboration with the private sector to promote national resilience and increase the security of the cyber ecosystem.
  3. Impose costs. The United States must maintain the capability, capacity, and credibility needed to retaliate against actors who target America in and through cyberspace.

The full report is available from the Cyberspace Solarium Commission.