"Companies know, to the degree that they can detect compromises, what's going on in their organization, but from a quantifiable standpoint, they don't know how that compares; there's not a benchmark," Rauscher says in an interview with Information Security Media Group.
The EastWest Institute, a think tank focused on global security, has issued a paper co-authored by Rauscher that proposes the private sector collaborate to create a trusted entity that organizations could use to share statistics about cyber-attacks on their systems without jeopardizing corporate secrets and privacy. That information then could be used to create security benchmarks.
Rauscher explains that companies are reluctant to share information because of a fiduciary responsibility to protect their reputations, believing that sharing data about their systems' vulnerabilities and the cyber-attacks against them could put them at a competitive disadvantage. Creating an organization to facilitate the anonymous sharing of such data could help alleviate this problem, he says.
Representatives from about 100 organizations already are working to create the trusted entity for data sharing, Rauscher says.
In the interview, Rauscher addresses the three main recommendations offered by the Institute:
- Create a trusted environment for the aggregation of statistical data on the frequency and magnitude of cyber-attacks that can be used to support measurements of the cybersecurity problem worldwide;
- Get private companies to voluntarily provide statistical data to the trusted entity, which then will use the data to support cybersecurity metrics; and
- Get qualified subject matter experts to collaborate to develop statistical methods for analyzing the voluntarily submitted data and for reporting benchmarks.
Rauscher is a Bell Labs distinguished fellow and chief technology officer of the EastWest Institute. Before joining the Institute, he served as executive director of Bell Labs' network reliability and security office. Rauscher holds more than 50 patents and pending patents for inventions in a wide array of fields, including artificial intelligence, advanced software testing, critical infrastructure protection, emergency communications, energy and water conservation, audio performance optimization, telemedicine, cyber-conflict policy, battlefield safety and resilient design.