Today, U.S. government agencies collect statistics on cybersecurity incidents for a variety of purposes, but there isn’t a central reporting organization or a standardized method of collecting this information. Additionally, differing ideas and metrics about what is important to whom, and in what circumstances, make correlation between existing data sets difficult and inconsistent.

In order to ensure the country’s cybersecurity risk management is in line with cyberattack trends, we need unified, effective, and comprehensive cyber incident reporting. A major step to achieving this is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed by Congress last year, which requires the Cybersecurity and Infrastructure Security Agency (CISA) to:

  1. Engage in rulemaking to require private sector entities to report when they experience a cyber-attack or pay a ransom
  2. Enforce compliance with required reporting
  3. Disseminate analysis based on the information collected

While CIRCIA is likely to have benefits for the cybersecurity community and for national security, it likely won’t be adequate to meet all the needs of various stakeholders. In 2020, the Cyberspace Solarium Commission recommended creating the Bureau of Cyber Statistics (BCS). The BCS would be a federal statistical agency that would collect, process, analyze, and distribute data on cybersecurity incidents, including their impacts, to inform policymakers and industry, rather than for any specific program. Additionally, as a federal statistical agency, the BCS would follow strict and rigorous methodologies for collecting and processing data, adding to its credibility and the consistency of its reporting.

The BCS would also help with the issues Congress faces when evaluating annual agency budget requests or considering new authorizations. With insufficient data, it is difficult to decide which programs to resource and how much investment would lead to the necessary reduction in cybersecurity risk.

The Solarium Commission identified five distinct attributes for the BCS:

  • Definition of cybersecurity metrics
  • Collection and aggregation of cyberattack data
  • Reporting mandates for incidents
  • Data and privacy protection
  • Information exchange between academia and the private sector

More recent proposals have advocated for establishing a BCS within CISA so that resources developed to implement CIRCIA can be leveraged. However, others have suggested that it makes more sense to keep it tied into other statistical agencies, which would allow it to use their tools and resources more easily. Further, keeping the work of the BCS separate from the mission of CISA could prove to be useful for both agencies. Ultimately, where the BCS is housed shouldn’t be a hindrance to its creation, which would have numerous benefits.

More reporting on attack responses and outcomes, the quantified loss from an attack, and the impact an attack had on a specific business or organization are all valuable data sets and likely to be captured by CIRCIA. However, other types of data are also valuable, such as which frameworks and controls are most effective, which sectors carry the most significant risks over time, the success of attacks correlated to resource allocation, and so on. The lack of consistent data in these areas keeps policymakers from grasping the true scope and scale of cybersecurity risk in the country and inhibits the adoption of policies that would address those risks.

Federal statistical agencies such as the U.S. Census Bureau, the Bureau of Justice Statistics, and the Bureau of Labor Statistics already exist to avoid this very issue in other sectors, and all of them are considered invaluable resources for policymakers. The lack of a corresponding agency for a challenge as significant and ubiquitous as cybersecurity is notable, just as the Solarium Commission pointed out.

John Banghart
