Many organizations are clearly subject to withering computer and network — “cyber” — attacks. Existing breach notification laws that focus on notifying people about possible leaks of personal information have been important and influential, helping to internalize some aspects of security due diligence. Incremental steps to increase cyberthreat information sharing are needed, but this must be done very carefully. Cyberattack information must be narrowly defined and narrowly shared, and public disclosure must be subject to rigorous privacy protections.
However, the underlying dilemmas of cyberinsecurity are a complex calculus of social, technological and institutional problems; they are not simply a matter of lacking information about successful attacks. Disclosure may be valuable, in that it increases the collective knowledge about cyberattacks and may create additional incentives to do more to prevent them, but it doesn’t address the underbelly of this dilemma.