(suppose we had an..) International Bureau of Internet Statistics
Who we are:
Cooperative Association for Internet Data Analysis. A collaborative undertaking among organizations in the commercial, government, and research sectors aimed at promoting greater cooperation in the engineering and maintenance of a robust, scalable global Internet infrastructure.
www.bis.int. International Bureau of Internet Statistics. (start with bis.org/bis.gov in US) Borrowing ideas from the Bureau of Labor Statistics (bls.gov) and its analogous agencies around the world, as well as the OECD (oecd.org), the BIS will assist public-private partnerships in distilling (including anonymizing personally identifiable information) data that can be made available to various stakeholders for use in developing economic, education, social and science policy.
We recognize that several other proposals for cybersecurity advances, including recent reports from the Center for Strategic and International Studies and the Internet Security Alliance, will have to navigate data acquisition and sharing issues that have plagued cybersecurity as well as other technical efforts since the National Science Foundation left the cyberinfrastructure stewardship scene in 1995. All reports in this area have the common need for -- and lack of -- an international organization devoted to objective, neutral data on the Internet. In fact, the root of the cybersecurity challenge is the limits on trusted empirical knowledge generation imposed by economic policies that render knowledge accumulation slower than it is for our enemies.
Based on the best available data on infrastructure security, stability and economic sustainability, as well as coordinated feedback from stakeholders (workshops, etc.), BIS should engage in many game-changing organizational roles:
- identify the most important cybersecurity research questions the cybersecurity research community should pursue, and the data needed to pursue them. (change rules, raise stakes)
- with research agencies and projects such as PREDICT and COMMONS, help get necessary data to approved researchers
- promote cooperative data collectives among trusted enclaves (all three)
- independent reports on accuracy of resource (e.g., IP addresses) ownership data from Internet registries, and other security-relevant databases. (all three)
- track which cybersecurity strategies are working over time (e.g., feedback on impact of DNSSEC, additional TLDs, SIDR)
If statistics are intended to illuminate a sector, they must be designed by people who understand what aspects are important to the industry itself, and how industry processes relate to and result in measured outcomes. We painfully recognize a critical disjunction in the unfortunately intimately related financial sector, between an abundance of potential metrics and data and the near absence of illumination, which led to a crisis we certainly cannot afford to risk -- yet we presently find ourselves disturbingly similarly situated in cybersecurity (and for the same reasons). Methods will have to include ongoing assessment and refinement of the metrics to be monitored, as well as an awareness of the limitations of statistics for improbable but catastrophic events, cf. Normal Accidents, Black Swan.
Fortunately, more building blocks for this type of effort exist now than have ever existed before. DHS's PREDICT program has learned many lessons regarding data sharing to support cybersecurity research, which could be applied to this effort. DOD's TIC program has already taken initial steps to make empirical analyses of critical cyberinfrastructure scalable and sustainable, and through its EINSTEIN effort is gaining an appreciation for the volumes of data involved, and the need for information theory as well as practical advances in data curation and management. The OECD has also developed respected methods of sensitive data acquisition, analysis, and publication. We propose leveraging experience from all of these sectors with what we have learned does and does not work, and closely tracking the effectiveness of new methods as they are tried. Other methods we propose:
- incent participation through well-tested methods outlined in CSIS and ISA reports above (government purchasing power, research agency funding incentives), as well as regulatory tools proven effective for other critical infrastructure, and new methods geared to specific incentives and risks in cyberspace. (success of these methods assessed annually)
- 'adaptive foresight' and 'scenario planning' workshops for public and private sector experts to discuss which data are the most important to collect and collate, and how they can be collected, anonymized, and shared to satisfy security as well as privacy objectives.
- sponsor projects such as "A Day in the Life of the Internet" (www.caida.org/projects/ditl), using federation of public and private measurement infrastructure available to support cybersecurity research, and guided by specific situational awareness questions, e.g., "how many vulnerable DNS resolvers are observable?"; retain historical data over time.
- host workshops with legal and technology policy experts to discuss legislative updates to obsolete frameworks, with aim toward consistency across nations where sensible.
- work with OECD and foreign government agencies to gather and improve data on cybersecurity-related activity, and compare it to what is available on U.S. networks.
Example macroscopic statistics the BIS could retain data for:
IP and AS topology, including coverage changes over time; BGP routing dynamics, including hijacking, e.g., PHAS; active measurement (RTT, bandwidth) gathered from research infrastructures around the world; flow statistics; trends in spam, malware, phishing, encryption, ciphers in e-commerce and other uses; IPv4 and IPv6 address space utilization statistics; provisioning cost data.
CAIDA, NSF CyberTrust, DHS S&T, NIST, security experts, whitehat teams, legal scholars with expertise in telecom data
How clear is the way forward?
To the extent that we're borrowing from already existing or proven techniques, it's clear. Whether they will work in this domain is less clear, and it is likely that legislative changes will be needed to support it. So on a scale of 1-10, maybe it's a 5.
How high are the hurdles?
Without the CSIS proposed NOC, or something like it, probably too high. With something like the NOC, hurdles are not only navigable but must be navigated anyway.