Federal cybersecurity officials working on the policy and operations fronts agreed this week that better collection of data about vulnerabilities is key to fostering improved network defenses.
Brandon Valeriano, a senior advisor to the Cyberspace Solarium Commission, said at a July 7 event organized by NextGov that the U.S. needs to collect better international cyber threat data, and that the public and private sectors need to cooperate more fully in data collection and sharing.
He pointed to several metrics-related Solarium recommendations to improve cybersecurity in the U.S., including the creation of a Bureau of Cyber Statistics.
The absence of a private sector breach notification law makes it difficult to know the full scope of threats, said Valeriano. “It’s very problematic for us to start to talk about cybersecurity when we don’t even have a conception of what the basic defense is,” he said.
Speaking at the same event, Continuous Diagnostics and Mitigation (CDM) Program Manager Kevin Cox provided an overview of the program, which relies at its foundation on generating data from sensors deployed across networks and then turning that data into a coherent picture of network vulnerabilities.
“We’re in the process of rolling out what we call the AWARE algorithm, it’s the agency-wide adaptive risk enumeration algorithm,” said Cox. “The idea that we’re really aiming for with our AWARE algorithm is to be able to start to quantify the aggregate number of opportunities for an adversary,” he said, “and help those agencies see that, so that they can see where they need to focus their efforts and reduce their attack surface.”