Mandatory Cyber Extortion Reporting: Why We Need It Now

The growing ransomware crisis
In 2025, ransomware attacks are unrelenting, with school, hospital, private and public sector victims mounting at a torrid pace. Most attacks can be stopped with the implementation of basic, inexpensive, and well-understood security measures, so why aren’t they?
At least part of the reason comes down to awareness of the threat and confusion about how to defend against it. Public disclosure of cyber incidents can help address these issues by making it clear that companies of any sector and size are at risk, and fairly straightforward defenses can be remarkably effective.
Let’s break this down by starting with the basics.
What is ransomware?
Even experts disagree about what this term means. The first documented case, in 1989, came to define ransomware as malicious software that renders computer systems or data unusable, with a payment demanded to help the victim recover normal operations.
Criminal tactics have evolved since 1989. Today criminals use a variety of methods to gain initial access, and can use existing programs to accomplish their objectives, negating the need for malicious software. Once a device is compromised, files may be encrypted, but more often, they are simply stolen. Attackers then demand payment, threatening to release the stolen private and potentially sensitive information of employees, customers, and others.
Although modern attacks don’t always involve traditional ransomware, the end result is the same. For many, and in the context of this discussion, “ransomware” refers to any form of digital extortion, with or without malicious software or encryption.
It’s important to remember that those behind these extortion schemes are criminals and cannot be trusted to honor any promises made during negotiations.
Current situation
The frequency and severity of ransomware attacks have surged dramatically since the first recorded case in 1989, posing serious threats to national security and economic stability.
How does ransomware endanger national security? Criminal groups behind financially motivated attacks refine techniques that can be—and often are—used against critical infrastructure, including healthcare, power grids, water supplies, and gas pipelines. CISA and the FBI warn that a single ransomware group has “impacted over 300 victims from a variety of critical infrastructure sectors.” Moreover, the nation states that condone this criminal activity—primarily Russia, China, North Korea, and Iran—are believed to leverage these skills to advance geopolitical agendas or, worse, to deploy them in the event of a full-blown international crisis.
While ransomware poses a significant national security risk, businesses and everyday individuals also suffer severe consequences. A recent study found that 58% of victims are forced to shut down operations in order to recover. We must enhance awareness of the threat and effective defense strategies. Timely reporting of cyber incidents helps normalize the fact that breaches are common, reducing stigma and encouraging proactive security measures.
Ransomware gangs operate through online marketplaces, trading tools, services, and compromised credentials. Strengthening our defenses requires better collaboration—sharing insights from past attacks to anticipate and counter adversarial tactics.
The need for mandatory cyber reporting
Part of the problem is that those with this critical knowledge—the incident response industry—aren’t always inclined to share it. Their priority is assisting clients, not preventing future attacks. The broader benefits of disclosing cyber incidents often don’t influence their actions. In fact, some believe that parts of the response industry actively try to hide the details of attacks.
This is fundamentally a policy issue. To strengthen our collective defense, we need more consistent and effective laws mandating cyber incident notification.
State-level reporting laws in the U.S. are a patchwork of inconsistent policies. Some states collect data but never share it, while others enforce weak regulations or none at all. Here’s a breakdown of the current landscape:
- Some states (New Jersey) provide the occasional link to news media articles covering data breaches.
- Some states (Colorado) require entities to notify consumers when their personal information may have been compromised, but don’t appear to enforce the law.
- Some states collect data, but don’t share it.
- Some states (North Dakota, Hawaii) used to collect and report data, but have stopped.
- Some states (North Carolina) collect and share summary data, but not the details that are required to understand the nature of the attacks.
- Some states (Delaware, Oregon) share data in tables that can’t be effectively sorted chronologically.
We need uniform data breach reporting laws and state attorney general websites that present this information clearly and promptly. A unified, nationwide approach to mandatory reporting should include:
- Clear reporting requirements for companies and government agencies when breaches occur.
- Publicly accessible informative data in a structured, searchable, and standardized format.
- Timely disclosure requirements so affected individuals can take action.
- Stronger enforcement to ensure compliance and accountability.
The broader benefits of reporting
- Empowering action: When organizations and individuals understand the scale of cyber threats, they can strengthen their defenses before becoming the next victim.
- Better threat intelligence: Cybersecurity professionals can analyze trends, improve defenses, and prevent future attacks.
- Stronger law enforcement action: Better reporting helps law enforcement track, disrupt, and prosecute cybercriminals.
- Increased accountability: Companies will be incentivized to implement stronger security measures if they know incidents must be disclosed.
The bottom line
Without mandatory reporting, we are fighting an invisible war—one where businesses, hospitals, and critical infrastructure are under siege daily. Lawmakers, cybersecurity professionals, and business leaders must come together to implement real change. The time to act is now.