Lack of Cyber Metrics Hampers U.S. Ability to Respond to Cyberattacks
Brian Thomas | March 20, 2020
As the nation struggles to come to terms with the coronavirus and questions linger around our readiness for such a pandemic, government leaders are already grappling with the next potential catastrophe — a major cyberattack against the U.S.
A new report issued by the federal Cyberspace Solarium Commission, a congressional body chaired by Sen. Angus King and Rep. Mike Gallagher, opens with a dire warning: that the country is “dangerously insecure in cyber” and “…is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our elections,” reports Dark Reading.
In response to this threat, the Commission published more than 75 recommendations to lawmakers on ways in which public and private entities can strengthen their security posture to reduce the probability and impact of cyberattacks.
Lack of clarity hampers cybersecurity risk reduction
Yet even as cyber incidents are increasing in frequency and severity, the report acknowledges a major roadblock to achieving this goal: that both the U.S. government and broader marketplace “lack sufficient clarity about the nature and scope of these attacks to develop nuanced and effective policy responses.”
Much of the problem lies in the fact that official data sets are incomplete and provide only a superficial or cursory understanding of evolving trends in cybersecurity. The Department of Justice gathers data on cybercrime, but the data is woefully out of date. Meanwhile, the FBI Cyber Crime division collects statistics on the monetary cost of cybercrime, but only for cases that it handles. And while many industry titans in the cybersecurity sector assemble vast amounts of data about the true state of cybersecurity in the U.S., they are not obligated to disclose it.
This makes it hard for government and private companies to model and understand cyber risk and tell if they’re making progress defending their systems.
How a proposed Bureau of Cyber Statistics could help
In response to these data gaps, the report calls on Congress to establish a Bureau of Cyber Statistics within the Department of Commerce. The Bureau would collect, process, analyze, and disseminate essential data on cybersecurity, cyber incidents, and the cyber ecosystem. In partnership with NIST, the Bureau would use this data to help inform Americans of risk, drive greater risk reduction, and assist the government in crafting more effective cyber policy and programs.
But the responsibility for measuring cyber risk shouldn’t lie with the government alone. Whether or not these recommendations become law, the Cyberspace Solarium Commission has identified serious shortcomings in the nation’s cybersecurity posture. Considering this, every organization has an obligation to its customers, partners, investors, and employees to apply meaningful metrics to cybersecurity performance.
After all, information is power. Without a commonly defined quantification of risk, organizations struggle to know where and how to prioritize their security investments.
One way to address this challenge is to utilize security ratings.
Security ratings: A powerful metric for revealing hidden cyber risk
Security ratings are a data-driven, objective, and dynamic measurement of an organization’s cybersecurity performance that provide much-needed visibility into cyber risk and help identify gaps in security programs.
Unlike traditional cyber assessments that provide a point-in-time risk metric, security ratings work by continuously monitoring digital assets for risk, such as unpatched systems, insecure access points, misconfigured software, and malware. This adds quantitative metrics to the assessment process.
Armed with daily ratings, organizations can proactively identify, quantify, and manage cybersecurity risk throughout their ecosystem. For example, BitSight Security Ratings range from 250 to 900, with a higher rating equating to better overall security posture. In fact, companies with a rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.
With this data-driven measurement of security performance, companies can quickly and efficiently allocate their teams’ limited security resources and investments to the most critical areas of cyber risk. They can also facilitate data-driven, risk-based conversations about cybersecurity among key stakeholders, including the board, the C-suite, investors, partners, and more.
Meaningful metrics and data are critical to cyber risk reduction
IT security leaders are always trying to find better ways of identifying and understanding cyber risk. As the findings of the Cyberspace Solarium Commission show, having accurate metrics brings much-needed clarity to the process — inside and outside the corridors of government.
Security ratings complement the government’s efforts to create a Bureau dedicated to making risk easier to identify, understand, and reduce. They are the type of non-traditional, outside-the-box, data-driven security solution that the Cyberspace Solarium Commission is recommending.