Launching a Cyber Risk Grand Challenge

November 19, 2020
5 min read
The Challenge: Cyber Risk Must be Quantified

The Challenge: Cyber Risk Must be Quantified

Across the economy, organizations are under serious pressure from cyber criminals, ransomware attacks against the healthcare sector are running rampant during a global pandemic, and hostile foreign actors have again sought to disrupt U.S. election infrastructure. Yet, cybersecurity still lacks the quantification needed to become a fully risk-based discipline. As a result, cybersecurity teams in organizations can report their good days––those on which no incident occurs––only by measuring how they updated a firewall or conducted anti-phishing training. Those reports do not connect with the question executives want answered: Have those activities reduced the risk faced by the organization? Connecting a cybersecurity team’s activities with risk reduction will require measuring risk in quantitative terms. Industry and government leaders need new risk-measurement methodologies to make meaningful comparisons across industries and to direct appropriate interventions. There is no time to waste.

There are a number of reasons for the current lack of progress toward quantification. The private sector fears it will incur liability through information sharing, there is no agreed methodology about what data to collect and how best to collect it (including the right balance of quantitative alongside qualitative methods), and the cyber insurance industry has not been incentivized to apply the effort required to price cyber risk.

To overcome these challenges, the U.S. Cyberspace Solarium Commission proposed the establishment of a Bureau of Cyber Statistics (BCS), a data agency akin to the Bureau of Labor Statistics. The commission stated that establishing a BCS would be the best way to address the “lack of clarity about what security measures are effective in reducing risk [by] identifying and establishing meaningful metrics and data necessary to measure cybersecurity and risk reduction in cyberspace.”1 Support is growing in Congress for this proposal and the parallel recommendation to establish a public-private partnership on modeling cyber risk. Still, a pilot demonstration of the BCS concept would help build further support while also providing a foundation for a future federal BCS.

The Solution: A Grand Challenge for Cyber Risk Measurement

To build support for a federally-funded BCS and ensure the BCS has a positive impact on the cybersecurity ecosystem from day one, the federal government should take advantage of authority already available through the America Competes Act of 2007 to establish an open innovation competition—a “grand challenge”—to prove the BCS concept. The organizers should construct a competition that has two components: the design of a set of metrics to measure cyber risk and the development of a model that uses those metrics to accurately predict such risk. If successful, the competition would provide insight into what data sets best enable predictive models and provide the starting point for continued refinement of the most successful risk models, both of which would help inform the activities of the BCS. These metrics and models could be shared with the government to lay a foundation for the BCS.

Participation from the broader risk-management community would engage the wealth of knowledge and expertise available throughout the economy in developing the BCS. Participants might include representatives from industries such as insurance and cyber defense as well as academics and other risk professionals—potentially in cross-disciplinary teams. To encourage participation, all the teams would have the opportunity to commercialize their methods after the competition. The competition could also start building the case for private-sector companies to share their incident data with a trusted third party like the BCS, including the opportunity to benefit from the predictive models that sharing would make possible.

A key element of this competition would be ensuring that participants have access to the right data to develop cyber risk models. In the context of establishing the competition, one or more sector-specific information security and analysis centers/organizations (ISAC/ISAOs) could be charged with establishing a mini-BCS to generate the initial data sets. The sectors chosen would need to be those where members were willing to share cyber-incident data––either because they have a pressing need for analysis to help respond to such incidents (such as the healthcare sector) or because there exists little competitive motivation to prevent sharing information (such as state governments). Seed funding would enable the relevant ISAC/ISAOs to pilot the collection and curation of the incident data that competition participants would need to build models for quantitative cyber risk assessments.

The competition could be run by a number of federal government agencies that have been given the authority to do so under the America Competes Act. Perhaps the most obvious candidate would be the General Services Administration’s (GSA) Challenge. gov program. The GSA would likely benefit from support from cybersecurity agencies like the Cyber and Infrastructure Security Agency within the Department of Homeland Security, which could play an important role in recruiting ISACs to capture and curate data. In the interests of building enthusiasm for the competition, however, the government might also seek to work with outside partners, including philanthropic donors to boost a potential prize pot and industry organizations to encourage private-sector participation.

Conclusion

The BCS is an important idea, and the need is pressing. There should be urgent action to prove the concept (and thus get the congressional and administration support it needs) and ensure that it hits the ground running. A grand challenge that attracts the finest risk management experts in the country is the best way to do that.

Download the full report »

Photo Credit: wk1003mike / Shutterstock

Adam Bobrow is the founder and CEO of Foresight Resilience Strategies and a senior fellow with GMF Digital. He previously served as the senior policy advisor for international affairs in the White House Office of Science and Technology Policy.


1 U.S. Cyberspace Solarium Commission, “Report,” March 2020.