This week, we attended the Cyber Incident Data and Analysis Repository (CIDAR) Workshop hosted by the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security (DHS). The workshop was attended by the insurance industry, CISOs, technology experts, critical infrastructure operators, information sharing organizations and others. Over the course of two days, participants pored over the 16 proposed data points that were identified by Cyber Incident Data and Analysis Working Group (CIDAWG) members in the fall of 2015 for collection in the CIDAR. DHS facilitators and CIDAWG members went over each data point’s proposed definition, what is meant to be gleaned by collecting that data, who would report the data, who is most interested in the data and the method by which participants will report the data.
There is a strong need and desire for a repository like this in the insurance industry, but there are a lot of information sharing mechanisms out there (ISACs, etc.), so the framers of this CIDAR have been careful to differentiate this one and to carefully outline the unique value proposition of each data point.
We learned a lot from the experts who are trying to take on the daunting task of designing a data repository that can be used not only by the insurance industry – for underwriting and modeling – but also by the broader community for risk management and cyber defense. It has to be easy to use and able to collect data that is either already collected by companies or that can be collected without additional burden. The data points have to be simple enough to provide, but not so simple that they aren’t useful. Some data points might give companies heartburn, such as “Internal Skill Sufficiency” – did your company have the necessary skills to stop the incident and prevent future incidents? If the answer is no, this opens your company up to liability, so you have to trust that your submission will truly be anonymous and that you have legal protection.
The work continues – DHS will release its fourth white paper reporting on this meeting in the coming months and then there will be pilots to test the concept. At the end of the day, the CIDAWG can design the perfect data repository, but if a private entity doesn’t step forward to set it up, the concept stays on the shelf.