Leveraging Uncertainty for Strategic Cyber Deterrence

Updated: Feb 21

PRIVATE SECTOR PERSPECTIVE — Legislators are calling for mandatory disclosure of cybersecurity events in previously unregulated industries. On the surface, this seems like a reasonable way for defense and intelligence agencies to acquire more data on adversary activity in the civilian sector. With more data on hand, more actionable intelligence can be generated. But this is true only under certain conditions. In reality, this type of data acquisition and synthesis is quite complicated as the input data must be uniform and pristine or the resulting intelligence will not be accurate. Legislators who expect under-resourced security teams with disparate discovery and verification protocols to produce timely, untainted, unified data show a naïve understanding of what it takes to turn raw data into viable intelligence. Pristine data obtained via required-disclosure regulation is an unreasonable expectation which will yield unviable intelligence.