Proposed U.S. Bureau of Cyber Statistics May Gather MSSP Cyberattack Data
An office operating within the Department of Homeland Security (DHS) would establish an early warning system to better understand attacks on U.S. organizations by adversarial nations, newly installed National Cyber Director Chris Inglis suggested in a recent virtual event.
A Bureau of Cyber Statistics would compile data and hunt for insights to help cybersecurity officials “get our arms around this,” Inglis reportedly said during an Atlantic Council event on August 2, 2021,“ The Hill reported. By “this,” Inglis means the sharp spike in ransomware attacks that have hit U.S critical infrastructure, government agencies and businesses, as exemplified in the high profile SolarWinds Orion, Microsoft Exchange Server Hafnium, JBS and Kaseya VSA cyberattacks.
Now here’s the important part for MSSPs: The proposed bureau would gather, analyze and publish information on cybersecurity threats collected from incident response organizations and insurance providers, which would be required to submit to the bureau a cyber incident report every six months, The Hill’s report said.
It’s a safe bet MSPs, MSSPs and MDR (managed detection and response) service providers would fit the definition of incident response organizations. As a result, IT service provider compliance officers and their legal teams need to closely watch the fast-evolving legislative landscape, which may influence how MSSPs gather, retain and share cyberattack data with U.S. government investigators.
At this point, President Biden has not gotten behind the idea but Inglis said officials are mulling over the prospect.
This Sounds Familiar
The basic idea for the bureau is not new. It was among a set of 75 recommendations presented in a report by the bipartisan Cyberspace Solarium Commission (CSC), formed in 2019 and composed of Congressional members, former government officials and private sector executives tasked with forming a strategy to defend the nation against cyber attacks. In that report, the CSC recommended the establishment of the bureau at the Department of Commerce.
“To properly address risk, we have to first understand it, we have to understand where it’s concentrated, where it cascades, what causes it, and more importantly to then discover how to address it. The Bureau of Cyber Statistics can do just that,” said Inglis, who is a CSC commissioner. “I think all would agree that in the absence of this information, we are going to be episodic, we are going to be uneven, and perhaps less than optimal in our response to any of these threats which reflect all of us in kind.”
As an indication of the bureau’s chances to receive the Biden administration’s approval, Inglis reportedly has huddled with his key lieutenants, Anne Neuberger, the deputy national security advisor for Cyber and Emerging Technology, and Jen Easterly, director of the Cybersecurity and Infrastructure Agency (CISA), the cyber wing of DHS, about the idea.
Defense of United States Infrastructure Act
Inglis’ remarks come on the heels of proposed legislation sponsored by Senators Angus King (I-ME), CSC co-chair, Mike Rounds (R-SD) and Ben Sasse (R-NE), a CSC commissioner, that calls for a Bureau of Cyber Statistics within DHS.
The Defense of United States Infrastructure Act would:
- Establish the National Cyber Resilience Assistance Fund to change how the federal government invests in cyber to risk driven, proactive investments in cyber resilience.
- Protect critical infrastructure entities whose disruption is likely to cause severe damage to national security, economic security or public health and safety.
- Give the National Cyber Director hiring authority to attract and retain high-level talent.
- Establish the Joint Collaborative Environment, a cloud-based information sharing environment to support a whole-of-government understanding of cyber threats facing the U.S.
- Create the Bureau of Cyber Statistics within DHS to drive insights into what works and what doesn’t to mitigate critical cybersecurity risks.
- Set up the National Cybersecurity Certification and Labeling Authority to help critical infrastructure owners and operators better understand the security of the technology products they use.
“In recent months, we’ve seen our gas pipelines, food system, water systems, and more hacked and attacked, and those are just the incidents that rose to widespread awareness,” said King. “These intrusions have made one thing crystal clear: America’s critical infrastructure is dangerously vulnerable to cyber disaster,” he said. “We must strengthen our cyber resilience, defend our critical infrastructure, and give our cyber leaders the tools they need to succeed before it’s too late.”