Achieving National Cyber Resilience

As the new administration forms, cybersecurity is one of its top national policy issues. Several days ago, Rudy Giuliani was tasked with (1) bringing solutions from the private sector into the government, and (2) encouraging productive collaboration between multiple private and public sector groups who are working on solutions. Having anticipated this need for months, we humbly offer our views on how to approach this challenge.

Mr. Giuliani and the administration must determine how to create incentives and common ground where government and industry stakeholders can share information and align their efforts to protect critical infrastructure from cyberattacks. The goal will be getting organizations of all types to enhance their defensive practices and help the country’s cybersecurity posture to become more resilient to attacks.

Many organizations pay lip service to the importance of enhancing security while taking little action, while many others take tactical measures but are confused about how to be more deliberate about improving their defenses. A clear plan could encourage them to take needed actions.

To be able to change organizational behavior about cybersecurity, four elements must be put in place:

1. Establish baseline cyber maturity measurements. To do this, assess every organization against widely accepted national standards (NIST’s CSF is the obvious choice). The analog is the building codes that developed based upon incentives from fire insurance in its earlier days (read about it here).
2. Capture substantial detailed data on cyber wellness. By assessing multiple types of organizations, massive amounts of internal data can be combined with existing external measures of cyber readiness, cyber insurance claims data, and incident reports. This is similar to aggregating big data that correlates the causes of fires with types of structures to understand which fire-prevention behaviors should be encouraged.
3. Leverage the power of the insurance industry. Influencing good cyber hygiene can be done through premium discounts and other incentives. The cyber insurance industry is in its infancy, and its growth will accelerate when insurers can determine the risk level of applicants with far more accuracy than is currently possible.
4. Develop advanced predictive analytics. Underwriters urgently need to distinguish higher risks from lower risks and to reward good cyber hygiene. In the fire insurance world, lower rates are available for homes that are predicted to have less risk of catching fire.

To get started, two steps will rapidly move cyber insurance toward the certainty within which the fire insurance industry operates:

1. Begin a national program of assessing and certifying the cybersecurity posture of organizations. Broadly deploy automated assessment of cyber maturity to thousands of companies and agencies to create cyber wellness baselines and generate substantial amounts of data that can be anonymized and used in research. Providing rapid assessment and guidance derived from the principles in NIST’s Cyber Security Framework (CSF) will gauge each organization’s internal state of cyber readiness.
2. Support development of advanced predictive analytics that don’t currently exist as they do in other area like fire insurance. Arm researchers with the data and backing they need to create highly accurate models. Combine the information generated by assessment with existing external data (e.g., cyber incident data, insurance claims, external threat intelligence). Make that information available to thought leaders in data analytics and machine learning to create predictive modeling for insurers.