Blog archive
Sextant against digital sea background

How can cybersecurity improve if the problem can't be measured?

How can you tell if you are making any progress if you don’t know where you are or where you’re going? That is the situation cybersecurity professionals find themselves in, according to a paper being released this week by the EastWest Institute (EWI).

It’s impossible to know whether security is working with no reliable measurements for the scope of the cybersecurity problem. “We do not have even an order-of-magnitude estimate of some of the most basic aspects of the cybersecurity problem that can be validated,” say the authors of the paper, “Measuring the Cybersecurity Problem.”  The paper proposes an international voluntary scheme for gathering and interpreting meaningful statistical data about attacks, breaches and incidents in cyberspace.

“While these recommendations are primarily for the private sector, governments can benefit significantly from their implementation,” the authors say.

The paper is being released at the World Cyberspace Cooperation Summit IV, being held this week at Stanford University in California. Although this is the fourth annual summit produced by EWI, the name has changed this year to reflect changes in focus. What had been cybersecurity summits is now a cyberspace cooperation summit.

“We are discussing key areas of cyberspace cooperation,” said Harry Raduege, chairman of Deloitte LLP's Center for Cyber Innovation. “We are discussing what is possible.”

The EastWest Institute is an international think tank focusing on multilateral cooperation. Cybersecurity was identified about four years ago as a critical international issue and the cyber summits were initiated in Dallas in 2010. High-level industry and government officials attended subsequent summits in London and New Delhi, and this year’s summit returns to the United States in the Silicon Valley.

The gatherings have produced a number of papers on subjects ranging from the reliability of undersea cables to rules for government conflicts in cyberspace, but the most important result to date has been the relationships established, said Raduege, a retired Air Force general and former director of the Defense Information Systems Agency. “Just the fact that we’re getting to know each other is important,” he said. “The first step is figuring out who the key players are who can make things happen.”

He described the summits as track 2 diplomacy, informal talks that identify areas of international agreement that can be passed on to traditional diplomatic channels for development. Issues this year include critical infrastructure protection as well as the economic and legal impacts of cybersecurity.

Determining impact requires metrics, and despite the billions of dollars being spent on it there are no adequate metrics for cybersecurity. That lack spurred the proposal for setting up a way to measure the problem. The paper makes three recommendations:

  • The private sector should establish a trusted environment for gathering worldwide statistical data that supports measurements of the cybersecurity problem.
  • Private-sector companies should voluntarily provide statistical data to this trusted entity, which could use the data to produce meaningful statistics.
  • Qualified subject-matter experts should develop statistical methods for analyzing this data. This could provide a quantitative framework for reliable benchmarks.

One of the most interesting topics likely to come up at this year’s summit is not on the formal agenda: Friction between the United States and much of the rest of the world generated by reports of National Security Agency surveillance of cyberspace. “What the impact of these reports will be has yet to be learned,” Raduege said. “It will be very revealing to see and hear from those who are attending.”

Posted by William Jackson on Nov 06, 2013 at 11:34 AM


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.