Published by The Lawfare Institute
in Cooperation With
The Cyberspace Solarium Commission completed its work earlier this year, with a panoply of recommendations for improving the national cybersecurity posture of the United States. As one might expect for a federal commission, many of the more readily implementable recommendations focused on matters that lie exclusively within the control of the federal government. A number of those recommendations will soon become reality through either executive action or legislative decision.
But the government is not the be-all and end-all of cybersecurity in the United States. Quite to the contrary, much of the responsibility for securing American information technology systems and other infrastructure lies with private-sector actors. Most of the yet-to-be implemented recommendations set forth by the commission involve private actors and will require greater government coordination and/or cooperation with the private sector in order to become reality.
This post begins to look specifically at one of the more significant outstanding commission recommendations—Recommendation 4.3, which holds that Congress should establish a Bureau of Cyber Statistics (BCS). We do not, in this post, propose to define the nature of the BCS. Rather, our goal is to identify several relevant questions that relate to the organizational structure of the BCS. We believe that asking these questions can advance the discussion on the structure and direction that this proposed body should take.
The commission envisions that the bureau would be “the government statistical agency that collects, processes, analyzes, and disseminates essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem to the American public, Congress, other federal agencies, state and local governments, and the private sector.” As the newest member of the system of federal statistical agencies, existing agencies’ practices can guide decision-making about the BCS.
Statistical organizations of the United States take two distinct forms. Some are stand-alone statistical agencies with distinct organizational structure housed within cabinet departments, while others are smaller programs or statistical centers that operate within larger existing programs.
In 2018, 40 percent of funding for government statistical collection and evaluation went to the thirteen statistical agencies (see box below) that are members of the Interagency Council on Statistical Policy (ICSP). The other 60 percent of funding was distributed among “94 programs in a broad set of centers, institutes, and organizations.” Thus, the initial question is whether the BCS should join the group of larger statistical agencies or whether it should function as one of the more common, smaller programs. Given the size and scope of the proposed BCS it seems likely that it will be structured as one of the larger stand-alone agencies and it is certainly clear that this was the commission’s expectation.
The 13 ICSP members that function as distinct federal statistical agencies are coordinated by the Statistical and Science Policy (SSP) office within the Office of Information and Regulatory Affairs under the Office of Management and Budget. The SSP office is headed by the chief statistician of the United States. Each of the 13 statistical agencies also falls under a specific department or agency. For example, the Bureau of Labor Statistics falls under the Department of Labor and the Bureau of Economic Analysis is structured below the Department of Commerce. Only two of the 13 ICSP members fall under non-Cabinet agencies: the National Center for Science and Engineering Statistics under the National Science Foundation, and the Office of Research, Evaluation, and Statistics under the Social Security Administration.
- Bureau of the Census
- Bureau of Economic Analysis
- Bureau of Justice Statistics
- Bureau of Labor Statistics
- Bureau of Transportation Statistics
- Economic Research Service
- Energy Information Administration
- National Agricultural Statistics Service
- National Center for Education Statistics
- National Center for Health Statistics
- National Center for Science and Engineering Statistics
- Office of Research, Evaluation and Statistics
- Statistics of Income
No federal department currently handles all cyber matters because these matters are intersectional by nature—cyber issues cut across industry, commerce, defense and governance. The commission suggests that the BCS lie within the “Department of Commerce, or another department or agency,” possibly due to the proposed bureau’s need for a close relationship with companies in collecting and disseminating cyber data.
Because the functions of the BCS would involve the duties of multiple departments, such as the departments of Commerce, Defense, Homeland Security and Labor, we might also consider whether the BCS should fall directly under the purview of the national cybersecurity director (whose own creation is recommended by the commission in Recommendation 1.3) or an independent cyber agency if one is created. If the BCS were to be independent in this manner, the bureau would be relatively unique in structure (insofar as it would be a wholly independent bureau) and might lack the institutional “heft” necessary to achieve its objectives. Since the BCS is likely to be relatively large, it would be unusual were the BCS not to have any institutional home or if it were to exist as merely a program or center.
Relationship to the Office of Management and Budget
Other statistical agencies are members of the SSP office—an office within the Office of Management and Budget that coordinates the federal statistical agencies. Among its functions, the SSP office is charged with “establishing statistical policies and standards, identifying priorities for improving programs, evaluating statistical agency budgets, reviewing and approving federal agency information collections, and coordinating U.S. participation in international statistical activities.”
As a new statistical agency, the BCS would likely be made a part of the SSP office. This inclusion would not only maximize the efficiency of BCS data collection but also allow the bureau to develop appropriate data standards, benefit from the best practices of other agencies, and work with international partners to standardize metrics and the reporting of cyber incidents. It is possible, of course, that the BCS would be independent of the SSP office—though we can see no benefit to that structure, and the BCS would likely suffer from a resultant lack of expertise and interbureau coordination.
Leadership and Personnel
The commission has additionally, as we’ve noted, recommended the appointment of a national cybersecurity director, a Senate-confirmed official whose office will be within the Executive Office of the President. When creating the BCS, Congress will need to decide whether the bureau’s director should likewise be appointed by the president and perhaps even confirmed by the Senate.
Among ICSP members, the directors of the Bureau of Justice Statistics, the National Center for Education Statistics, the Bureau of Labor Statistics, the Census Bureau and the Energy Information Administration are appointed by the president. The latter three are also Senate confirmed. The remaining eight ICSP members are headed by a senior executive service appointee. Keeping the position apolitical could have several benefits such as continuity, minimal politicization of the BCS’s work, and consistency of data and objectives. At the same time, political appointment elevates stature and may enhance the BCS’s accountability to Congress.
Beyond forming the leadership structure of the BCS, Congress will also need to consider whether the BCS should have the authority to determine its own personnel selection and promotion in addition to dictating its data collection and dissemination practices. The perception of independence is important to ensuring the consistency of data and objectives, as well as acceptance in the broader private sector. That said, Congress may wish to retain the right to require the collection, analysis or release of certain data, even if it grants the BCS with such authority.
Most funding for statistical agencies is “direct,” which means that it is apportioned by Congress. It seems highly likely that this will be the case with the BCS. But other funding models exist. For example, Jared Bernstein, former chief economist to Vice President Joe Biden, has recommended a tax on financial markets to fund all national statistical programs using the model of the Securities and Exchange Commission.
Statistical agencies are also sometimes reimbursed by others for their statistical work. While some federal statistical bodies, like the Bureau of Economic Analysis, make a net profit from buying and selling their records to other agencies, most statistical agencies spend much more than they generate through this stream. Federal statistical offices were reimbursed a total of $738 million by other federal agencies in 2018. The federal statistical offices paid each other only $419 million for their work—but the offices also paid state and local governments $474.8 million for data while earning only $78.2 million in reimbursements from those nonfederal bodies.
Congress should consider whether to directly fund the BCS while also seeking opportunities to allow the BCS to work with other statistical agencies through reimbursement to avoid duplication of effort. Examples of this cooperation could potentially include the BCS working with the Bureau of Justice Statistics on the National Computer Security Survey, sharing data with criminal investigators, and proposing additional questions for the Annual Business Survey conducted by the Census Bureau and the National Center for Science and Engineering Statistics.
Private Sector and Analysis
The final piece of the puzzle (and this one is larger than the organizational questions) lies in the authorities with which the BSC will be created. The commission recommends that the BCS be empowered to collect “aggregated, anonymized, minimized data on cyber incidents” from government bodies and companies “that regularly collect cyber incident data as a part of their business.” It would also receive such data from breached companies themselves, upon the passage of a national breach notification law (Recommendation 4.7.1).
There is some uncertainty about precisely what this might mean. To begin with, there are many questions to be asked about what to collect and why, as well as what to do with the information collected. A fundamental question exists in defining the mission of the BCS. How much analysis do we want BCS personnel to do? Does the BCS exist primarily to purchase/collect, standardize and share data without analysis? Or is there additional value that they can provide analytically? And in the latter case, how much? Put another way, is the BCS a “pure” statistical collection agency, or does it also have a remit of providing analysis derived from its cyber data?
To this, we can add the questions of how such a collection will be achieved and how the resulting analysis will be shared.
The Bureau should be empowered and sufficiently funded to establish programs and make purchases required to collect the data necessary to inform its analysis. These tasks include collecting and aggregating open-source data, purchasing private or proprietary data repositories, and conducting surveys. Departments and agencies should assist the Bureau in its work, making available data sets as needed, and to the greatest extent practicable, in furtherance of its work.
There is, of course, also the possibility that the BCS could be permitted to mandate certain reports if it deems that appropriate and if it has the requisite authority to do so.
As companies support data collection and taxpayers fund it, the bulk of the BCS’s output should be “accessible in ways that make it as useful as possible to the largest number of users—for decision making, program evaluation, scientific research, and public understanding.” We anticipate that this accessibility will be made explicit in the BCS’s authorizing legislation.
That said, some data may not be shared publicly—either for security purposes or due to risks of reidentification of anonymized data. We might also envision that anonymized data could be shared with the private sector beyond that which is released to the public. Some private-sector actors (like insurance companies) could benefit from expanded data sharing. Licenses could be conservatively granted to such private actors or other regulated bodies. And rather than having the BCS charge for licensing directly, which could create perverse incentives to grant an excessive number of licenses, access and processing of data could be purchased by the record. This would enable executive or congressional regulators to keep track of the specific information and quantities that different bodies are paying to access.
The Cyberspace Solarium Commission’s recommendation to establish the BCS is a valuable proposal that would fill a current void in the federal statistical landscape. Data (and, potentially, analysis) generated by the BCS would greatly benefit U.S. security and boost American productivity in cyberspace. Therefore, it is important that the bureau be organized in line with the best practices governing statistical collection agencies and additionally be granted the necessary authorities to fulfill its mandate. In raising the most important structural questions that need to be considered regarding the creation of the BCS, we hope that this post will serve as a base from which constructive conversation can be advanced.