Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

September 2019
Two thought leaders weighed in on the challenges of quantifying a company’s strengths.
By David Hechler
I’ve written about cybersecurity’s language problem. We don’t have a set of widely accepted terms of art. After I posted that article on LinkedIn, a reader agreed and asked me if I wanted to define “cyber security.” I imagine he was winking when he added, “Or is that cybersecurity?”  
     More recently I bumped into some articles that were also grappling with basic, foundational questions—questions that also aim to define the field. But these were larger inquiries, far beyond mere terms of art. The core issues were: Are we getting better at cybersecurity? Can we even tell? How would you measure such a thing?
     In early August, Lawfare posted one called “Preliminary Observations on the Utility of Measuring Cybersecurity.”  It began with this: “Cybersecurity is a bit like obscenity. It seems that we know it when we see it, but we have a great deal of difficulty describing it, categorizing it or counting it.”
     I found this an odd way to start. I’ve seen Potter Stewart’s famous observation about pornography used a lot of ways, but this was one of the more puzzling. Cybersecurity (or insecurity) can be hard to see. Cyber intrusions may go undetected, and malware can reside for years inside a seemingly secure computer, before hackers launch an attack.
     Fortunately, author Paul Rosenzweig’s real subject, as the headline suggested, was the idea of measuring effective cybersecurity. Can it be done? Is it being done? Is it even worth doing?
     Rosenzweig,  is a longtime consultant in this field and, as a senior fellow at the Washington think tank R Street Institute, has been leading an effort to tackle these questions. (He was also one of the experts featured in an ABA webinar that we covered last year.)

Three Different Attitudes
He began by making it clear that he does not believe a good system for measuring effective cybersecurity yet exists. He suggested that companies would be well served if there were ways to measure the economic value of adopting measures such as installing a firewall. If it were possible to calculate the number of intrusions that prevented, it should be possible to estimate the money saved.
     But rather than dwell on calculating the hypothetical, Rosenzweig and his colleagues at R Street conducted an (admittedly) unscientific sampling of opinion to get some sense of what people in the field thought about the idea of quantifying cybersecurity. It turned out that they fell into three categories.
     One group said that they already had it under control. They claimed to have good ways to measure cybersecurity that work for them. This group, Rosenzweig said, consisted mostly of high-end players in the field. They were big-name hardware and software vendors, service providers and platform developers.
     He went on to say that most of them did not want to speak publicly about their metrics. And they are not eager to see the development of a system of public metrics against which all companies might be encouraged to measure themselves. They prefer their own, and they worry that the end result of such an effort would be government oversight, mandates and enforcement.
     Another group—mostly academics and cybersecurity professionals—said that such an effort would be a waste of time because it’s unachievable. The threats, attacks, defenses and countermeasures are too dynamic and unpredictable to be accurately measured, they say. By the time you’ve measured something, it’s changed.
     The third group wishes it were possible, and hopes that it can be done. They are end users and people who work in enterprises that need to implement cybersecurity protections at the retail level. They long for help, but they wonder how reliable it would be, and how much it would cost.
     Rosenzweig’s own views were clear. He seemed skeptical that anyone had the answers, but he saw many potential benefits in studying the matter. To the first group, he suggested that a “‘trust us’ solution is poor public policy and unlikely to be sustainable politically in the long run.” To second, he said, “this perspective of the impossibility of measurement is just too grim.” It may be hard, but he wasn’t willing to give up without trying. As for the third group, he said, in effect, “let’s get to work.”  

Another Perspective
Three weeks after Rosenzeig’s article was posted, Robert S. Taylor responded with his own take on Lawfare. In “How to Measure Cybersecurity,”  Taylor voiced extreme skepticism that useful metrics can be developed. At best, he noted, it would be “strongly influenced by purely backward-looking information, such as the number of attempted intrusions, and would say nothing about the future or about the strength of existing defenses against the capabilities of potential future actors.” 
     Taylor, who was just named general counsel of MCE Social Capital, which raises funds for micro finance in dozens of developing countries, was more inclined to value a qualitative approach. But he was loath to reject quantitative possibilities out of hand. Hiring white-hat hackers to probe a company’s vulnerabilities appealed to him, he said, though he added, “I am not sure that this would provide information valuable for comparing risks or identifying tools for stopping future risks from emerging.”
     Formerly principal deputy general counsel of the Department of Defense, including a long stint as acting general counsel, Taylor was particularly enthusiastic about a certification program the department has under development. The Cyber Maturity Model program would certify a company at various security levels, and provide “an easily understandable measure of how good the company’s cybersecurity is,” he said. And perhaps this information would be made available to insurers to use in tailoring premiums, and to other companies deciding whether to hire a certified company, he added.
     Such a program could be “an imperfect but still helpful tool.”
     Though Taylor didn’t end his article by saying “More to come ….”, as Rosenzweig did, the implication was clear. It will be a long road to describe the characteristics of strong cybersecurity—in qualitative or quantitative terms. If you’re coming along, you may want to pack a second sandwich.
Paul Rosenzweig
Robert S. Taylor