In March 2020, the congressionally mandated Cyberspace Solarium Commission recommended — among other things — that the federal government set up an agency to track and store details about cyber incidents partly as a way to close the gap in comprehensive and actionable data related to information security.
The proposed Bureau of Cyber Statistics (BCS) would serve as a repository of data on cybersecurity incidents that would help both public and private sector organizations inform their risk-based decision-making and cyber strategy planning.
More than two years later, however, no action has been taken and the federal government still lacks a place for these critical cyber incident statistics to live. Because of that, there remains a gap of good statistical data on cybersecurity and the cyber ecosystem that could otherwise inform policy making and government programs. Beyond that, the data and analysis could help private sector enterprises make the best use of their resources to meet evolving cyber challenges.
Creating an agency such as the BCS would be a lift, but the challenge is not insurmountable. From starting with a phased approach to collecting data — increasing the scope as the organization matures — to defining mandated reporting requirements with precision and clarity, there are ways to do this efficiently.
Defining the cyber data gap
Let’s be clear. There is no dearth of raw cyber data floating around the federal government, but very little of it is made available to the public either in its raw form or in the shape of a detailed analysis. Both the FBI and the Office of Management and Budget publish yearly cyber incident reports on major events. Beyond that, agencies that oversee critical industries such as the Department of Energy and Securities and Exchange Commission often publish analyses on significant breaches. But that’s only a fraction of the information agencies collect.
“I think all would agree that in the absence of this information, we are going to be episodic, we are going to be uneven, and perhaps less-than-optimal in our response to any of these threats which reflect all of us,” Inglis said.
The kind of data repository that an agency such as the BCS could create would have myriad uses inside and outside government. For example, the data could help public utility providers make better decisions about how to sustain operations and recover from cyberattacks. BCS data could also be used by national security and intelligence analysts to understand trends associated with exploits and attacks against the nation’s critical and business infrastructures, giving analysts the means to advise decision-makers regarding needed adjustments to computer network defense profiles.
An incremental approach
The BCS doesn’t have to be everything to everyone right out of the gate. Much like scaling any new organization, the federal government should start small and expand data collection and analysis in scope as the bureau matures. The new bureau could begin by collecting data from federal government agencies and supporting contractors, as well as anonymized data on substantial cyber incidents and ransomware that will be reported to the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act.
BCS could then turn that initial data into meaningful analyses. This would show public and private sector organizations the value of contributing to a central federal cybersecurity incident repository. BCS could also use that beginning stage as an opportunity to test and improve its own sharing processes and procedures with a wide range of organizations. From there, BCS would be able to scale up and widen its net of collection as more and more organizations become willing to feed data to the bureau.
Phasing in layers of analysis
In its initial phase, BCS could focus on collecting data to help measure scale and impact of the most situationally important aspects of cyber threats. This data should include basic, broad information on the number of cyber incidents and on the consequences of each attack or breach.
To help funnel data properly, reporting should be structured to set clear threshold criteria and to assess the impact of the incident on the confidentiality, integrity and availability of the target’s data. This kind of structured reporting is not only useful for technical analysis but will also help BCS determine how user-friendly its reporting processes are for non-expert victims.
In a second phase, the BCS could add reporting on cyber controls and policies that were in place at the time of specific incidents, supporting analysis and correlation of what measures work — or do not work — to reduce prevalence or susceptibility to malicious cyber activity and its impact.
This second-phase data and analysis will be extremely valuable, but BCS should not try to run before it learns to walk. By deferring this kind of data collection to the second phase, BCS can avoid problems around determining the scope of the data needed and the burden of reporting and collecting that more granular information.
Once that second phase is complete, the BCS will be in a good position to provide unique and actionable cyber analyses to the public.
The cyber incident data gap isn’t going away unless we do something about it. Thankfully, we have a roadmap for helping close that gap. The federal government should create a BCS, not just for the safety of government networks, but so public and private sector organizations alike can come together to better secure everyone from the ever-changing threat environment.
Jim Richberg is the public sector CISO for Fortinet. Previously, he served as U.S. national intelligence manager for cyber in the Office of the Director of National Intelligence.