As postmaster general of the fledgling U.S. Post Office, Benjamin Franklin gave postmasters a novel task: Jot down the local weather conditions and mail them back to headquarters on a postcard.
Piecing this information together from the field, Franklin concluded weather in one area didn’t exist in a vacuum, but was a product of conditions sweeping across the country from west to east.
National Cyber Director Chris Inglis, speaking Monday at the Atlantic Council, said the federal government should take the same approach to better understand, in terms of cyber threats, which way the wind is blowing.
“It wasn’t until we put that picture together that we understood what was happening locally. The same thing’s true in terms of what’s happening in cyberspace,” Inglis said. “Unless we can ride across the boundaries that jurisdictionally divide us, we’re not going to find the trends that afflict all of us, and we, therefore, have to appeal to a collection of that data somehow so that we can get our arms around this.”
Inglis urged Congress to stand up a Bureau of Cyber Statistics within the Department of Homeland Security that would collect, analyze and publish data on cybersecurity, cyber-crime and threats.
The idea of the Bureau of Cyber Statistics originates with the Cyberspace Solarium Commission, which also urged Congress to create Inglis’ current job. The bureau, as envisioned by the commission, would mandate that organizations offering cyber response services or insurance products provide this data for statistical purposes every 180 days.
“To properly address risk, we have to first understand it. We have to understand where it’s concentrated,” Inglis said.
Lawmakers have already put the proposal into motion. The Defense of U.S. Infrastructure Act, introduced last week by Solarium co-chair Sen. Angus King (I-Maine) and Sens. Ben Sasse (R-Neb.) and Mike Rounds (R-S.D.), would mandate that DHS stand up a Bureau of Cyber Statistics.
Nick Leiserson, the chief of staff for Solarium member Rep. Jim Langevin (D-R.I.), said the data collected by the bureau would help agency CISOs empirically understand the threats they face, rather than rely on anecdotal information.
Leiserson said enabling the bureau to collect this data is “table stakes” for what’s being discussed on Capitol Hill, but questions remain on how much in-house analytical power the bureau should have.
“Is there some analytical role of BCS, or is it mostly, ‘We’re going to aggregate the data and then it’ll be extramural, whether it’s another government agency, the private sector, academia, think tank who will make use of it,’” Leiserson said.
Josephine Wolff, assistant professor of cybersecurity policy at Tufts University’s Fletcher School of Law and Diplomacy, said a Bureau of Cyber Statistics would provide a level of statistical rigor that’s been lacking in the cyber policy arena, and would help agencies better understand where to commit limited resources.
“There will always be data points we’re missing, with the understanding that this landscape will change and we’ll need to keep thinking things through as things evolve, but knowing that there are some questions that we should be able to answer here that we can’t is very disheartening,” Wolff said.
Trey Herr, the director of the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, said the bureau would help answer basic questions with elusive answers, like how much the federal government spends on cybersecurity.
But rather than just serve as a warehouse of this data, Herr said the bureau would also help bring together a community of cyber professionals.
“The National Archives is a good example. It’s a repository, but it’s also a community hub for researchers working on those documents,” Herr said.
Inglis stresses ‘federal coherence’ among agency CISOs
Beyond advocating for the Bureau of Cyber Statistics, Inglis also outlined four broad areas of focus for his newly established office.
Inglis stressed the need for “federal coherence” and unity of effort across more than a hundred civilian agency CISOs.
“They might have independent oversight, they might have independent budget lines, but they can no longer have an independent cybersecurity strategy that stops at some boundary,” he said.
Inglis said he’s also focused on increasing resiliency across the federal government by filling vacant cyber jobs and reexamining the skills necessary in these roles.
Inglis said he’s also focused on increasing collaboration across the public and private sectors, which includes reconciling the scope of his office with “players already on the field,” such as the Cybersecurity and Infrastructure Security Agency and Anne Neuberger, the White House’s deputy national security advisor for cybersecurity and emerging technology.
“What we need is something where we essentially have a merge of the capabilities, authorities and the will of those various components, so that if you’re an adversary in this space, you need to beat all of us to beat one of us. You can’t pick us off one at a time,” Inglis said.
Finally, Inglis said he’s focused on reviewing the state of cybersecurity spending across the civilian federal government and offering his feedback on that figure to Congress and other stakeholders.