With the internet playing a crucial role in how so many companies do business, how can we defend businesses from cyberattacks by rogue nations like North Korea or Iran?
Measuring deterrence is critical, says the U.S. Chamber.
“Deterrence and norms need to be part of a new U.S. cybersecurity strategy,” write Ann Beauchesne, senior vice president, and Matthew Eggers, executive director, cybersecurity policy at the U.S. Chamber.
In a letter to the National Institute of Standards and Technology (NIST) commenting on a proposed update to its Framework for Improving Critical Infrastructure Cybersecurity, Beauchesne and Eggers offer three examples of how metrics can be used to deter cyberattacks.
1. Locating Where Cyberattacks Come From
First, metrics could be used to better pinpoint the geographic origins of cyberattacks. While attribution is a challenge, it is far from impossible. Prominent cyber authorities agree that certain foreign powers or their proxies represent high-end threats against the business community and the United States. Among the goals worth pursuing is reducing the number of safe havens from which malicious actors can launch attacks against American interests with impunity.
There is no disincentive to being a cybercriminal that attacks U.S. industry from certain countries around the world. Recalcitrant governments too frequently will not help the U.S. government round up bad actors and turn them over to the FBI and/or the Secret Service.
2. Measuring Investigation Efforts
Second, metrics could help stakeholders understand the relationship between the number of attacks that businesses report to the government and the number of attacks that are investigated, attributed, and prosecuted. A low ratio suggests that an inadequate amount of government resources is being devoted to disrupting bad actors, which the Chamber has communicated to the Cybersecurity Forum for Independent and Executive Branch Regulators, among others.
3. Bringing Cybercriminals to Justice
Third, the United States has issued several high-profile indictments against foreign hackers in recent years. For example, in March 2016, seven Iranians allegedly working on behalf of the Iranian government were indicted for a series of cybercrimes that cost U.S. financial institutions tens of millions of dollars and compromised critical controls of a New York dam, according to an FBI announcement.
It is unclear if the indicted individuals will ever be brought to justice. Metrics could demonstrate if deterrence—essentially dissuading bad actors from hacking businesses because they believe that the costs to them will exceed their expected benefit—is having the intended effect.
Just as data and metrics are being used inside companies to strengthen computer networks from attacks, the government should use metrics to determine if its efforts are adequately discouraging cyberattacks and making cyberspace safer for American companies and consumers.