For barriers to the companies reporting, number one, the insurance companies often say, “We're running the response for this breach. It's cheaper for us to pay out the ransom. You're not involving the police. Shut up.” If you're a publicly traded company, this could affect share price. The lawyers get super wired about this.
We have to change the risk equation. It has to be that you need to report or you face consequences. Then all of a sudden legal, insurers and others will be saying, “We have to bring CSE and others into the fold”, and you change the relationship.
If the criminals know that we have laws that say they are going to call us, maybe then they are going to move on to somewhere else. I'm with Dr. Kayyem. I'm of the world of doing better and not getting it perfect. The old expression in New Brunswick was—my dad used to joke—“I don't have to outrun the bear. I just have to outrun you.” The same applies in cyber. We just have to get incrementally better about doing that.
Mandatory reporting changes the equation. We need it. If we go this route of provincial, you're going to have have-not secure provinces and secure provinces. Is that the kind of country...? This is a national security issue, and we have to deal with it. We are too small to deal with this without centralizing it, so we have to.