February 9, 2023 | Policy Brief

Why Cybersecurity Decision-making Needs Better Statistics

The Congressional Research Service (CRS) released a report last month concluding that the lack of centralized, standardized, uniform data on cyberattacks “stymies public policy debates and action.” The report highlights how lawmakers can prioritize evidence-based cybersecurity policymaking by creating a Bureau of Cyber Statistics as the congressionally-chartered Cyberspace Solarium Commission recommended in its final report in 2020.

A Bureau of Cyber Statistics would collect, process, analyze, and distribute data on cybersecurity incidents and their impact. The CRS report specifically examines the feasibility of housing the bureau under the Cybersecurity and Infrastructure Security Agency (CISA), cautioning that while CISA has useful partnerships already in place, it still needs proper authorities and capabilities to collect, aggregate, and analyze data.

CRS also lays out the case for why policymakers and private industry need standardized and reliable data. Current data does not provide consistent information on the frequency and severity of cyberattacks each year, preventing stakeholders from “understanding the true scope and scale of cybersecurity risk,” the report warns. Higher-quality data would also facilitate federal coordination with essential partners, including industry members, non-cyber stakeholders, and state, local, tribal, and territorial governments, to protect critical infrastructure and promote local resiliency.

Similar to how the Department of Transportation utilizes car crash data to develop better safety regulations, the work of a cyber statistics office would improve cyber risk models and cybersecurity policymaking. With better data, decisionmakers in the private sector may be better able to evaluate the return on cybersecurity investments. For lawmakers, analysis could provide context to appropriately authorize funds for government programs such as a reinsurance program to cover catastrophic cyber events.

Last year, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), requiring critical infrastructure operators to report significant cyber incidents to CISA to improve the government’s ability to share information with network defenders in the private sector. Once CISA establishes the rules and reporting requirements, CIRCIA-mandated reporting will provide an important component of the data the cyber statistics office needs.

To date, the hurdles on Capitol Hill to creating a cyber statistics office have been disagreements over where it should be housed, how it would be funded, and its reporting structure. Housing the office within CISA, whose budget and authorities have increased significantly over the past few years, would resolve many of the outstanding legislative concerns. The office would then leverage CISA’s existing resources and programs — including CISA’s current data collection and dissemination projects — streamlining cross-agency data collection and processing.

Without better cyber statistics, government and industry are making decisions without a clear, comprehensive picture of the cybersecurity landscape. Creating an Office of Cyber Statistics would jumpstart evidence-based decision-making.

Jiwon Ma is a program analyst with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Elysse Gregor is a CCTI intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow Jiwon on Twitter @jiwonma_92. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.