
Voluntary Reporting of Cybersecurity Incidents

Forthcoming in Colorado Technology Law Journal 16.2

39 Pages. Posted: 6 Dec 2017

Jonathan Bair

University of Colorado at Boulder, School of Law, Students

Steven M. Bellovin

Columbia University - Department of Computer Science

Andrew Manley

University of Colorado at Boulder, School of Law, Students

Blake E. Reid

University of Colorado Law School

Adam Shostack

Independent

Jean Pierre De Vries

University of Colorado at Boulder Law School - Silicon Flatirons Center

Date Written: December 1, 2017

Abstract

The proliferation of connected devices and technology provides consumers with immeasurable convenience, but also creates great vulnerability. In recent years, we have seen explosive growth in the number of damaging cyber-attacks. 2017 alone has seen WannaCry, Petya, NotPetya, Bad Rabbit, and of course the historic Equifax breach, among many others. Currently, there is no mechanism in place to facilitate understanding of these threats or their commonalities. While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set that could be analyzed for research purposes. Such research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data.

One possible regime for gathering such information would be to require disclosure of events, as well as investigations into these events. Mandatory reporting and investigations would result in better data collection. This regime would also cause firms to internalize, at least to some extent, the externalities of security. However, mandatory reporting faces challenges that would make this regime difficult to implement, and possibly more costly than beneficial. An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are.

Keywords: computer security; data breach

Suggested Citation

Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam and De Vries, Jean Pierre, Voluntary Reporting of Cybersecurity Incidents (December 1, 2017). Forthcoming in Colorado Technology Law Journal 16.2. Available at SSRN: https://ssrn.com/abstract=3081216

Jonathan Bair

University of Colorado at Boulder, School of Law, Students

Boulder, CO
United States

Steven Bellovin

Columbia University - Department of Computer Science

New York, NY 10027
United States

Andrew Manley

University of Colorado at Boulder, School of Law, Students

Boulder, CO
United States

Blake Reid

University of Colorado Law School

401 UCB
Boulder, CO 80309
United States
303.492.0548 (Phone)

Adam Shostack (Contact Author)

Independent

Jean De Vries

University of Colorado at Boulder Law School - Silicon Flatirons Center

1070 Edinboro Drive
Boulder, CO 80309
United States
