When Chinese hackers penetrated computer networks at The New York Times, The Washington Post, The Wall Street Journal, and Bloomberg, executives at each company fessed up with the kind of confidence you don’t find among most businesses with similar problems. The average corporation is terrified of admitting that it’s a target, much less that its servers have been broken into. And for good reason: Where a media company might at least get a halo of prestige for being important enough to hack, there’s no such silver lining for banks or manufacturers. Reputations suffer, stock prices tumble, and government investigations spring to life. The bad news is just plain bad, and the incentive to keep breaches secret is fairly strong.
But policymakers in Europe and the United States think the costs of publicizing a hack are worth paying. In an attempt to get more companies to disclose, legislatures on both continents are trying to make data-breach notifications a matter of law. Under a draft directive from the European Union, businesses would have 24 hours to reveal major lapses in their cybersecurity. On this side of the Atlantic, a House proposal would give companies 72 hours to divulge a hack after they find out about it, and the notification would trigger an investigation involving either the FBI or the Secret Service. The White House has included data-breach reporting in its legislative agenda since 2011.
Business leaders don’t like this, and they have a point. By themselves, hacking disclosures do almost nothing to improve the nation’s cybersecurity. After all, by the time a company becomes aware that someone has penetrated its networks, it’s already too late. Many lack an in-house capability to even detect intruders, let alone neutralize them, and they find out about attacks only when somebody else—a cybersecurity contractor, for instance—notifies them. “There are two kinds of companies,” House Intelligence Committee Chairman Mike Rogers, R-Mich., told utility operators shortly after February’s breaches. “Those that have been hacked, and those that have been hacked but don’t know it yet.”
Then disclosure can make it worse: Executives have to worry about drops in stock prices and shareholder lawsuits. In many cases, a hacking disclosure could threaten as much as 5 percent of a company’s overall valuation, according to a recent report from the Washington-based Center for Strategic and International Studies.
That pattern holds true for virtually all of the companies that have admitted to being hacked this year. In the five days following its disclosure, The Times’ share price fell by 10 percent. Apple, Facebook, and Microsoft, all of which said they were hit by the same attack in February, each lost about 4 percent of their preannouncement value within three days. (The Washington Post, oddly, saw its share price rise about 3 percent on the disclosure—and it didn’t fall again for another 11 days.)
But while costly disclosures don’t prevent attacks, they still serve a public good. Consumers assume the services they depend on are reliable, and they deserve to know when they’re not. Better information helps markets work more efficiently; competition increases as some people choose to abandon their old services for other alternatives. In that way, hacking revelations may also spur businesses and netizens to rethink their approach to security and online hygiene. These effects are cumulative. The more that peers in your network sing the praises of Google’s two-factor authentication—a more sophisticated way of logging in—the more you may consider enabling that feature yourself. Studies of online social networks, such as one published this year by the University of Pittsburgh’s Andrew Stephen, show that some behaviors can become contagious in a tightly knit digital community.
A second benefit of disclosing hacks is that it yields important, if incremental, intelligence about cyberthreats. When a company informs the FBI or the Secret Service that it’s been hacked, the investigation is likely to uncover lessons that will be useful for more than the company in question. That’s why the White House’s cybersecurity plan expands a system called the Enhanced Cybersecurity Services program, which shares data on cyberthreats with the private sector. And although the most technical aspects of a hack would still probably be hidden from public view, the congressional notification bill also requires companies to provide consumers with the date of an attack, a specific description of the personal information that was or might have been compromised, and a way to contact the business to learn more. Knowing something about where a hack came from and how it worked is better than not knowing anything about it at all.
Pooling all this data and metadata might someday allow us to weather cyberattacks better than we do now—and perhaps even to anticipate them. “If we can’t see the attack, we can’t stop it,” Gen. Keith Alexander, the head of U.S. Cyber Command, told the Senate Armed Services Committee last month. “We’re not talking about putting the military or the [National Security Agency] into private networks to see the attack.… But we have to have the ability to work with industry so that when they see an attack, they can share that with us immediately.”
There are good reasons for businesses to worry about making data-breach notifications. But consider what eventually happened to The Times, Apple, Facebook, and others. Despite momentary dips in their share prices, every one recovered its stock value within a month of disclosure. Corporate resistance to data-breach notification is driven principally by fears of a short-term—and temporary—slowdown in growth. What did Americans get out of The Times’ hacking disclosure? A greater understanding of the country’s vulnerabilities, more-honest assessments of the ethical problems linked to disclosing cyberwarfare and cybercrime, and pending legislation in Congress to protect the nation’s power grids, railroads, and waterways. It’s not a bad trade.