Toward more rational cyber policymaking, through better data?
By Katie Aulenbacher, the CyberWire staff
Aug 5, 2021

The Atlantic Council’s Cyber Statecraft team pitches a Bureau of National Cyber Statistics, exploring the what, how, and why.  


Almost exactly four hundred years ago, Francis Bacon made the case for overcoming the idols of the cave, the tribe, the marketplace, and the theater—four categories of cognitive pitfalls common to all humans—with something approximating scientific inquiry. Early this week, friends of the Atlantic Council explained why the United States needs a central repository for cyber statistics against which public and private decision makers can test their intuitions and check their biases. 

In the Atlantic Council’s August 2nd conversation about “Why the US needs a Bureau of Cyber Statistics,” Tufts University cybersecurity policy professor Josephine Wolff, Dell Technologies VP Bobbie Stempfley, Atlantic Council Cyber Statecraft Initiative Director Trey Herr, and Nick Leiserson, Chief of Staff for Representative Langevin (Democrat, Rhode Island 2nd) maintained that the US operates from a shockingly impoverished cybersecurity knowledge base, grounding major decisions in gut feelings and best guesses. 

We can’t say, for example, whether or how much NIST standards actually improve security. We currently have difficulty making evidence-based statements about either the holistic health of the cyber ecosystem or micro-level security decisions. Cyber insurers struggle to quantify risk and to reward productive postures, and instead tie their rates to company size. Past “best practice” recommendations, like forcing users to change passwords every ninety days, have since proven counterproductive. The dearth of data affects resource allocation and policymaking at every level, from a local business deciding which products merit purchase to national decisions about where to take the country’s cyber strategy.

So how would a Bureau of Cyber Statistics (BCS) help?

A national Bureau would, in the Council’s words, “provide a central collection, analysis and distribution point for uniform national cyber statistics.” Panelists presented slightly differing visions for the Bureau’s mission, mechanics, and mandate, as have other thinkers. Broadly, the BCS would benefit a diversity of public and private stakeholders—from Government agencies to academics, investors, customers, vendors, and companies—by providing key statistical and methodological insights with the overarching goal of boosting efficacy and efficiency across the digital ecosystem. 

Stempfley stressed that the Bureau would not equate to a threat sharing interface, and would aggregate a variety of cyber statistics beyond data about security controls. She sees as primary aims of the initiative Government and industry alignment around validated risk models and clear measures of programmatic and technical efficacy, observing that good policy flows from good data. Leiserson noted the economic importance of cyber resilience, and argued that the initial efforts of the Bureau should center on immediate, practical questions—like, “Is this the best tool to invest in today?”—with the potential for more general considerations at some later time. Herr would prefer a focus on systemic health and design to evaluations of particular mitigations as the information most beneficial to policymakers. The interactions of rules at higher levels of abstraction, he said, are hardest to puzzle out without better data. 

As for a BCS’s role in achieving these goals, the panelists reviewed a range of possibilities. Should the Bureau simply collect and disseminate data, or should it also organize and analyze findings? There is general agreement that the statistics gathered should be made widely available, and that the Bureau has some professional responsibility to present the data in a useful and accessible format (that is, not as a giant Excel sheet), the panel said, but experts disagree on the organization’s analytical mandate. Herr thinks the Bureau should function as a neutral resource, not as an umpire or a critic, and should hold to a narrowly tailored scope while resisting what would surely be many requests to resolve every question.

Logistical issues facing a Bureau of Cyber Statistics. 

An even trickier challenge surrounds what data to collect, and how to collect them. Certain sources are already publicly available for free or for purchase, and the Government holds wide-ranging collection capabilities. Beyond these assets, decisions need to be made about mandatory reporting, since voluntary initiatives have failed in the past. As Wolff remarked, businesses do not want to hand over proprietary information, and many layers of lawyers stand in the way of free-flowing data transfers. Significant Government intervention would probably be necessary to help companies escape their prisoner’s dilemma and share mutually beneficial statistics.

The participants disagreed about the best home for BCS. In Herr’s opinion, the Department of Homeland Security is already overwhelmed, whereas the Department of Commerce’s economic focus is ideal for technology and community-oriented topics. Wolff thinks Commerce would never establish compulsory disclosures given industry’s reservations about such regulation, and that Homeland Security’s authority over civilian cybersecurity positions it well to assume responsibility for cyber statistics. (Nextgov has also noted this private sector preference for Homeland Security.) The appropriate home depends on BCS’s final mandate, Leiserson argued, but whoever is chosen should be an enthusiastic and able partner. Existing agencies like the Bureau of the Census are not up to the task, the panelists said, considering the distinctive quality and technical complexity of BCS’s model. 

The discussion didn’t delve too deeply into thorny issues of liability, costs, and security—such as how to share information broadly with private sector players without also looping in China and Russia. The analysis did touch on privacy concerns, which in the case of companies largely collapse into concerns about liability and trade secrets. For the individuals whose data would pass through a Bureau, however, privacy concerns carry legitimate risks of their own. Herr and Stempfley observed that a BCS would have the opportunity to design for transparency and privacy from the outset, setting an example of responsibly limited data collection supported by rigorous data-management protocols and a team of attorneys and privacy staff. On one hand, the Bureau could get a lot of mileage out of narrowly targeted data collection; on the other, privacy protections must be balanced against the other values and objectives the Bureau is meant to serve.

An Inglis cameo, offering a call for unity of effort and purpose. 

National Cyber Director Chris Inglis also made an appearance at the event, and spoke in support of the BCS. He warned that enemies of the US leverage data in increasingly sophisticated ways, and remarked that a number of forthcoming Federal policies will require a sturdy bedrock of quality statistics. Relatedly, the goals of the National Cyber Director’s office, he said, are fourfold: to advise on resource allocation, bolster resilience, facilitate public-private cooperation, and develop coherence across the Federal Government. Adversaries can’t divide and conquer a country marked by “unity of effort and unity of purpose,” he concluded, and will have a harder time taking on one characterized by data-driven decision-making.