The government needs to collect and store better data to develop a more effective cyber strategy and strengthen defenses, Cyberspace Solarium Commission members said March 17.
The Cyberspace Solarium Commission, which laid out several cyber policy recommendations March 11, suggested that the broader federal government and private sector adopt the Department of Defense’s defend forward policy, in which the DoD can operate on foreign networks, as part of a larger national strategy focused on using both military and non-military tools to deter adversaries.
But questions remain about how the effectiveness of that approach will be measured.
“You can’t manage what you can’t measure,” said Tom Fanning, a commissioner and CEO of Southern Company, a utility company.
Former deputy director of the NSA Chris Inglis, another commissioner, said that the effectiveness of defend forward could be evaluated by the number of allied nations that embrace the approach. But he also said that its effectiveness could be evaluated by a decrease, over the next three to five years, in the number of high-profile attacks such as WannaCry, NotPetya and Russian election interference.
“That’s harder to measure with high confidence just because it’s harder to measure a negative, it’s hard to measure what they would’ve done otherwise,” Inglis said on a webinar hosted by the U.S. Chamber of Commerce. “But that being said, we need to actually work hard to try to measure both of those.”
Fanning said private-sector companies like Southern Company may have the data the government needs to measure that success. For example, he said that Southern Company’s cybersecurity professionals have data showing cyberattacks on the company’s networks and where they originate.
“Those are all exceedingly valuable data points,” Fanning said. “I think this is something that we have to develop. It’s going to be hard and unclear at first but creating standards here is going to be really important in our ability to measure our own offense and defense.”
The government also needs data to evaluate the effectiveness of the Pentagon’s defend forward strategy. But according to Mark Montgomery, executive director of the commission, the current data DoD provides isn’t adequate.
“As someone who received those reports in Congress, I thought they were sufficiently obfuscated to be of little value in understanding how defend forward, persistent engagement was working,” said Montgomery, who worked as policy director on the Senate Armed Services Committee.
Where the data would go
Another solution to the data problem is the creation of the Bureau of Cyber Statistics, a recommendation commissioners put in their final report. The commission formally made several cyber policy recommendations in a March 11 report.
“We’ve got to get this information,” Montgomery said. “Just like you can’t imagine certain portions of the economy working without the information from the Bureau of Labor Statistics or some of the commodities reports we do, we need this Bureau of Cyber Statistics to have an understanding of what’s happening in the cyber ecosystem.”
According to the final report, the bureau should be housed in the Department of Commerce and would be the go-to agency for collecting, processing, analyzing and disseminating “essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem.”
One of the key beneficiaries of the statistical bureau would be the cyber insurance industry, which would have a centralized authority for data it can use to assess risk. The data would also help inform the broader business community.
“I think business understands that the more data you have to analyze in the raw and make competent decisions against, the better off you’re going to be,” Montgomery said.