Today, U.S. government agencies collect statistics on cybersecurity incidents for a variety of purposes, but there is neither a central reporting organization nor a standardized method of collecting this information. Additionally, because each agency has its own idea of which metrics matter, to whom, and in what circumstances, correlating the existing data sets is difficult and the results are inconsistent.

In order to ensure the country’s cybersecurity risk management keeps pace with cyberattack trends, we need unified, effective, and comprehensive cyber incident reporting. A major step toward this is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed by Congress last year, which requires the Cybersecurity and Infrastructure Security Agency (CISA) to:

  1. Engage in rulemaking to require private sector entities to report when they experience a cyberattack or pay a ransom
  2. Enforce compliance with required reporting
  3. Disseminate analysis based on the information collected

While CIRCIA is likely to have benefits for the cybersecurity community and for national security, it likely won’t be adequate to meet all the needs of various stakeholders. In 2020, the Cyberspace Solarium Commission recommended creating the Bureau of Cyber Statistics (BCS). The BCS would be a federal statistical agency that would collect, process, analyze, and distribute data on cybersecurity incidents, including their impacts, to inform policymakers and industry, rather than for any specific program. Additionally, as a federal statistical agency, the BCS would follow strict and rigorous methodologies for collecting and processing data, adding to its credibility and the consistency of its reporting.

The BCS would also address a problem Congress faces when evaluating annual agency budget requests or considering new authorizations. Without sufficient data, it is difficult to decide which programs to resource and how much investment would produce the necessary reduction in cybersecurity risk.

The Solarium Commission identified five distinct attributes for the BCS:

  • Definition of cybersecurity metrics
  • Collection and aggregation of cyberattack data
  • Reporting mandates for incidents
  • Data and privacy protection
  • Information exchange between academia and the private sector

More recent proposals have advocated for establishing a BCS within CISA so that the resources developed to implement CIRCIA can be leveraged. Others have suggested that it makes more sense to align it with the existing federal statistical agencies, which would allow it to draw on their tools, methodologies, and resources more easily. Further, keeping the statistical work of the BCS separate from CISA’s operational and regulatory mission could prove useful for both agencies, since it preserves the independence that gives statistical data its credibility. Ultimately, where the BCS is housed should not be a hindrance to its creation, which would have numerous benefits.

More reporting on attack responses and outcomes, the quantified loss from an attack, and the impact an attack had on a specific business or organization are all valuable data sets and are likely to be captured under CIRCIA. However, other types of data are also valuable, such as which frameworks and controls are most effective, which sectors carry the most significant risks over time, how the success of attacks correlates with resource allocation, and so on. The lack of consistent data in these areas keeps policymakers from grasping the true scope and scale of cybersecurity risk in the country and inhibits the adoption of policies that would address those risks.

Other sectors already have federal statistical agencies that exist to solve this very problem: the U.S. Census Bureau, the Bureau of Justice Statistics, and the Bureau of Labor Statistics are all considered invaluable resources for policymakers. The lack of a corresponding agency for a challenge as significant and ubiquitous as cybersecurity is notable, just as the Solarium Commission pointed out.

John Banghart
