From the Desk of AFCEA’s Cyber Committee

A recommendation by the Cyberspace Solarium Commission to strengthen cybersecurity in the nation is to create a Bureau of Cyber Statistics (BCS) charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policymaking and government programs. The data and analysis from such a bureau could also help private sector enterprises make the best use of their resources to meet evolving cyber challenges.

In a recent white paper, the AFCEA Cyber Committee endorses the creation. Cybersecurity and effective deterrence of adversary activity require data and analysis that is accurate, timely and pertinent to the policy and operational decisions made by government and industry executives and operators. The validity and usefulness of important decisions ranging from how to defend networks to congressional budget actions or the pricing of cybersecurity insurance would benefit strongly from data derived from a BCS.

The Cyber Committee’s white paper recommends the BCS follow an incremental approach to implementation, expanding data collection in scope as the organization matures. In its initial phase, the BCS could focus on collecting data to help measure scale and impact of the most salient aspects of cyber threats. In a second phase, the BCS could add reporting on cyber controls and policies that were in place at the time of specific incidents—supporting analysis and correlation of what measures work (or do not work) to reduce prevalence or susceptibility to malicious cyber activity and its impact.

The committee’s white paper recommends the BCS start by collecting data from federal government agencies and supporting contractors, as well as anonymized data on substantial cyber incidents and ransomware reported to the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act. An important near-term BCS goal should be to generate meaningful data and analysis for organizations such as critical infrastructure providers and state/local/tribal territorial governments to demonstrate the value/return on investment of contributing data and to provide an opportunity to test and improve BCS sharing procedures with a wide range of organizations and missions. As BCS data collection and analysis mature to encompass assessment of measures of effectiveness, we believe the data and work products of the BCS will become increasingly valuable and should be widely shared.

—Jim Richberg, AFCEA Cyber Committee

Each month, SIGNAL Magazine publishes a feature in the Committee Corner to highlight news you can use from AFCEA’s committees. Committee leaders should submit entries to sjontz@afcea.org. Happy writing.