One of the biggest debates in managing cybersecurity risk is how best to measure success. In other words, how do the federal government and the private sector determine what works and what doesn’t when it comes to resolving cybersecurity weaknesses? While lawmakers have taken critical steps this year, it is hard to say whether the nation’s cybersecurity is actually improving.
This speaks to a broader problem in understanding how effective cyber policy is. How do we know, for example, that the money and resources requested for departments and agencies in the wake of the SolarWinds, Microsoft Exchange, or Colonial Pipeline attacks are being spent cost-effectively? The United States has a poor understanding of the nation’s baseline cybersecurity, and little way of informing policymaking with evidence or data that demonstrates how proposed reforms would contribute to the nation’s overall level of cybersecurity. A Bureau of Cybersecurity Statistics (BCS) would help remedy that gap.
In August 2021, the Cyberspace Solarium Commission (CSC) released its 2021 Annual Report on Implementation, which outlines relevant developments for all of the recommendations contained in the initial March 2020 report and subsequent white papers. Congress and the executive branch have been instrumental partners in taking these recommendations and translating them into law. That said, and as the report emphasizes, there is a big difference between implementing a recommendation and knowing that it succeeded, and at present the nation has no reliable way to tell the two apart.
To help remedy this challenge, the CSC proposed the creation of a Bureau of Cybersecurity Statistics (BCS) as a repository of information and data on the state of cybersecurity in the United States. Although this proposal received little attention initially, the bipartisan Defense of United States Infrastructure Act, sponsored by CSC Co-Chair Senator Angus King (I-Maine, who caucuses with Democrats), CSC Commissioner Senator Ben Sasse (R-Nebraska), and Senator Mike Rounds (R-South Dakota), includes the Bureau of Cybersecurity Statistics as a critical proposal to help coordinate national efforts to secure critical infrastructure and protect against the risks it faces. (One of us, Tasha, currently works for the CSC, and Natalie did so until recently.)
A Bureau of Cybersecurity Statistics would serve as the dedicated statistical agency for collecting and analyzing data related to cybersecurity, cyber incidents, and cybercrime. This collected data would serve as a basis for continuous and comparable nationwide indicators of the prevalence, incidence, extent, distribution, and attribution of cyber incidents and for the publication of uniform national statistics. Such information would serve as a basis for national policymaking on cybersecurity, and this bureau would be empowered to share information on cybersecurity with the president, Congress, federal agencies, the private sector, and the public.
Precedents in Existing Statistics Bureaus
Luckily, there is precedent that policymakers can look to. The federal government has 13 principal statistical agencies responsible for tracking and providing information related to things like national income, crime, demographics, crop prices, commercial aviation, and more. These agencies provide an essential service for policymakers: We can’t fix a problem that we don’t understand. And while some of the existing principal statistical agencies track data relevant to cybersecurity, none has the mandate to focus singularly on the topic.
The closest existing body is the National Center for Science and Engineering Statistics (NCSES), housed within the National Science Foundation. However, NCSES has a much broader mandate, focused more squarely on understanding things like national research and development investment, the state of the science and engineering workforce and STEM education, and national competitiveness in science and technology writ large. It does not track things like business use of multi-factor authentication or network-monitoring software, or the incidence of cyberattacks. But having data on how people and businesses are behaving with respect to cybersecurity, what strategies are effective for preventing cyberattacks, and even when and how such attacks are occurring is essential to developing sensible cybersecurity policy.
One of the most prominent debates surrounding the creation of such a bureau is where it would be housed. The clear frontrunners — the Department of Commerce and the Department of Homeland Security — each have pros and cons that have made this debate a contentious one among policymakers. The Department of Commerce has several federal statistical agencies housed under its umbrella, including the Census Bureau and the Bureau of Economic Analysis. The precedent is there, as Commerce has the experience and expertise to collect and analyze this kind of data. However, the Commerce Department does not deal with critical infrastructure resilience or cybersecurity, which is where the problem the bureau is meant to address actually resides.
The Department of Homeland Security, on the other hand, holds the mandate for federal cybersecurity. Specifically, the Cybersecurity and Infrastructure Security Agency (CISA) serves as the nation’s risk manager, and it needs to understand what does and does not work when it comes to reducing cyber risk. However, the Department of Homeland Security overall does not have the same muscle memory and experience with statistical bureaus that the Department of Commerce does.
The Bureau of Cybersecurity Statistics would be able to obtain new sources of data via three key channels: the federal government; state and local governments; and insurers that provide cyber coverage. The director of the bureau would publish a list of the data and information necessary to carry out its functions, and establish the standards and a process for the submission of that information. Crucially, to encourage the private sector to provide the fullest information possible, none of the information submitted to the bureau could be used for any purpose other than statistical analysis. Unless furnished through another channel to a federal department or agency or to a state, local, tribal, or territorial government, the information submitted to the bureau could not be used as evidence to bring fines or lawsuits. Insurers would have particular rules to follow as well: they would have to submit a report to the bureau every 90 days on incidents for which they have issued a claim.
Distinctions From Cyber Incident Reporting
It is important to note that this bureau would serve a very different purpose than the proposed Cyber Incident Review Office that would be established by the “Cyber Incident Reporting Act of 2021.” The office proposed in the incident reporting legislation is designed to create operational situational awareness to inform CISA incident response and mitigation operations. The Bureau of Cybersecurity Statistics, on the other hand, would conduct long-term statistical analysis to inform policymakers and other decision-makers about what does and does not work to manage cyber risk and prevent cyber incidents. The pooling of this critical data will also help insurers improve their modeling of cyber risk.
This structure and design for the bureau aims to build on the strengths of existing department and agency programs, most notably the National Institute of Standards and Technology’s capability to define the metrics and data to be collected. The proposed design of the BCS provides strong safeguards for the data collected by the bureau and protection for the entities that submit information, in order to build a better picture of the cyber threat facing the United States. Furthermore, it ensures that academics and researchers can help scale the kind of analysis that can be conducted once a repository is in place.
The United States is not the only country that has been looking into the collection and analysis of cybersecurity-related statistics. The Australian Cyber Security Centre released its Annual Cyber Threat Report for 2020-2021 earlier this year, for which the center extracted information from live datasets of cybercrime reports and cybersecurity incidents that had been reported to it. The United Kingdom published its sixth annual Cyber Security Breaches Survey in March 2021, based on data collected from organizations and businesses across the U.K. on cybersecurity threats. This data included the technical and governance processes that organizations had in place to manage cyber risks, the nature and impact of cybersecurity breaches, and differences in cyberattacks among various sectors. U.S. allies have recognized the importance of collecting cybersecurity data; it is time for the United States to follow suit.
The need for a Bureau of Cybersecurity Statistics intersects with growing calls for incident reporting and breach notification requirements in the wake of major cyber incidents crippling our national critical infrastructure. Ensuring that incident reporting and breach notification proposals interface with the BCS so that information is compiled in one central place should be a key consideration for lawmakers as they consider this proposal. It is also important to note that any information that is submitted to the Bureau of Cybersecurity Statistics would be insulated from regulators, as an incentive for submitting information.
Moreover, this data is not only useful to the government and policymakers, but it can also crucially inform private-sector efforts. In light of the recent string of ransomware attacks, discussion of the role that cybersecurity insurance plays in preventing and mitigating cyberattacks has risen to the forefront once again. Insurance associations like the American Property Casualty Insurance Association have released guidance on ransomware payments, and insurance companies have banded together to create CyberAcuView to compile and analyze cyber-related data. Several of the Cyberspace Solarium Commission’s recommendations focused on the role that insurance can play in providing incentives for private-sector entities to improve their cybersecurity. The market is nascent, and the bureau could play a key role in strengthening the market by providing the data necessary for underwriters to price cyber risk.
In order to support both national policymaking and firm-level security decisions, the United States needs a Bureau of Cybersecurity Statistics. As we look back on the cyberattacks of just the past six months, the federal government and the private sector need a solid understanding of how far they have come, which strategies work, and how best to allocate resources ahead of future attacks. And as Congress considers new legislation on cybersecurity, a Bureau of Cybersecurity Statistics is one of the best ways to bolster the nation’s cybersecurity.