“Incident reporting is an element, but it’s not an end in itself.”
Moving the needle on cyber incident reporting is important, but arguably more significant are the processes government agencies leverage to receive, analyze and respond to that data. Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, stressed that the end goal is not reporting, but rather the ability to create a speedier transmission of information and analysis of that information.
“Incident reporting is an element, but it’s not an end in itself,” said Montgomery. “It’s a means to an end of a better understanding of the threat environment, and then really long term a better more ubiquitous sharing of information.”
At the same time, security experts like Eleanor Fairford, deputy director for incident response with the National Cyber Security Centre have previously pointed out a problematic lack of response by government officials once an incident is reported. In order to keep up with the influx of data on cyber incidents being reported, government agencies need a quality information sharing and distribution system as well as professional statisticians with the capabilities to sift through the data and understand the trends that are occurring (a database with such capabilities is also one of the many factors in the Cyber Incident Reporting for Critical Infrastructure Act that CISA is continuing to flesh out).
The Cyberspace Solarium Commission has proposed the establishment of a Bureau of Cyber Statistics for the U.S. government, which would serve as an agency for collecting and analyzing data related to cyber incidents and cybercrime, and sharing that data with federal agencies, the private sector and the public. National Cyber Director Chris Inglis last year expressed support for the idea.
“We absolutely have to build the infrastructure for data sharing, so that this information begins to become easily transferable,” said Montgomery. “This information after it is shared has to be analyzed and then also needs to be shared with others so that we each can have a good understanding of what the threat signals are out there, and what the tactics and procedures used by the attackers are.”
Overall, the government is taking steps in the right direction around cyber incident reporting, and Stifel said she hopes that public perception around data breach reporting will change in the future, particularly with more collaboration between private and public entities around cybersecurity.
“I do think it will change,” she said. “I hope it will change… with the evolution of the market rewarding good cybersecurity, it’s reasonable to expect to see less shame in the next 10 years or so.”