How can cybersecurity improve if the problem can't be measured?
Connecting state and local government leaders
A proposal for accurately measuring the scope of cybersecurity problems and charting progress is being presented at the EastWest Institute's international summit on cyberspace.
How can you tell if you are making any progress if you don’t know where you are or where you’re going? That is the situation cybersecurity professionals find themselves in, according to a paper being released this week by the EastWest Institute (EWI).
It’s impossible to know whether security is working with no reliable measurements for the scope of the cybersecurity problem. “We do not have even an order-of-magnitude estimate of some of the most basic aspects of the cybersecurity problem that can be validated,” say the authors of the paper, “Measuring the Cybersecurity Problem.” The paper proposes an international voluntary scheme for gathering and interpreting meaningful statistical data about attacks, breaches and incidents in cyberspace.
“While these recommendations are primarily for the private sector, governments can benefit significantly from their implementation,” the authors say.
The paper is being released at the World Cyberspace Cooperation Summit IV, being held this week at Stanford University in California. Although this is the fourth annual summit produced by EWI, the name has changed this year to reflect changes in focus. What had been cybersecurity summits is now a cyberspace cooperation summit.
“We are discussing key areas of cyberspace cooperation,” said Harry Raduege, chairman of Deloitte LLP's Center for Cyber Innovation. “We are discussing what is possible.”
The EastWest Institute is an international think tank focusing on multilateral cooperation. Cybersecurity was identified about four years ago as a critical international issue and the cyber summits were initiated in Dallas in 2010. High-level industry and government officials attended subsequent summits in London and New Delhi, and this year’s summit returns to the United States in the Silicon Valley.
The gatherings have produced a number of papers on subjects ranging from the reliability of undersea cables to rules for government conflicts in cyberspace, but the most important result to date has been the relationships established, said Raduege, a retired Air Force general and former director of the Defense Information Systems Agency. “Just the fact that we’re getting to know each other is important,” he said. “The first step is figuring out who the key players are who can make things happen.”
He described the summits as track 2 diplomacy, informal talks that identify areas of international agreement that can be passed on to traditional diplomatic channels for development. Issues this year include critical infrastructure protection as well as the economic and legal impacts of cybersecurity.
Determining impact requires metrics, and despite the billions of dollars being spent on it there are no adequate metrics for cybersecurity. That lack spurred the proposal for setting up a way to measure the problem. The paper makes three recommendations:
- The private sector should establish a trusted environment for gathering worldwide statistical data that supports measurements of the cybersecurity problem.
- Private-sector companies should voluntarily provide statistical data to this trusted entity, which could use the data to produce meaningful statistics.
- Qualified subject-matter experts should develop statistical methods for analyzing this data. This could provide a quantitative framework for reliable benchmarks.
One of the most interesting topics likely to come up at this year’s summit is not on the formal agenda: Friction between the United States and much of the rest of the world generated by reports of National Security Agency surveillance of cyberspace. “What the impact of these reports will be has yet to be learned,” Raduege said. “It will be very revealing to see and hear from those who are attending.”