Trade Law Daily is a service of Warren Communications News.

Mandatory disclosure requirements and government procurement rules are among “effective economic incentives” for driving adoption of cybersecurity measures, said a study by the Silicon Flatirons Center at the University of Colorado’s law school (http://xrl.us/bm6jj2). In many sectors, the “business case for increased security is nonexistent,” it said. Citing the data breach disclosure laws that many states have adopted, the study said public disclosure of a breach is “expensive because it drives away customers, decreases public perception and increases the potential for lawsuits.” Similar mandatory disclosure of vulnerabilities and attacks by critical infrastructure could have the same effect with regard to cybersecurity, the report said. The government could require private sector contractors to adopt security standards “as a prerequisite to enter the contracting process,” it said. That would raise the “baseline level of security in many sectors,” it said. In the absence of government oversight, companies are “unlikely to adopt reasonably necessary measures in some sectors,” even as sectors such as telecom, oil and gas, transport and emergency services remain vulnerable to attack, the report said. The U.S. should adopt a critical infrastructure cybersecurity policy setting forth national goals and the “means to achieve them,” it said. “The appropriate policy goal should eliminate all reasonably avoidable risk based on best practices that balance both the relevant benefits of cybersecurity investment and the relevant harms of failing to invest.” Such a policy will allow the federal agencies and the private sector to “prioritize the threats, determine business rationales for security solutions, and focus on accountability, prevention and risk-management,” the report said.