The cybersecurity community applauded an order from the Biden administration in May to create a National Transportation Security Board-type system to deconstruct lessons after major breaches. But key challenges in execution all circle back to one key fact: cyberattacks are not plane crashes.
President Biden’s executive order on improving the nation’s cybersecurity included a mandate to establish the board, co-chaired by public and private sector leaders, modeled after the NTSB review board that created a case history for government, manufacturers and airlines to deconstruct for their joint preparedness. The approach may give stakeholders a chance to avoid mistakes by learning from other incidents.
At the time of the announcement, Jonathan Reiber, senior director for cybersecurity strategy at AttackIQ and former chief strategy officer for cyber policy at the Department of Defense, called the safety review board “a sexy thing” with the “potential to be transformative.”
Three months later, staffing by DHS and the attorney general is about complete, and while it will not be an independent agency yet, “this is certainly an important step in that direction,” said Scott Shackelford, associate professor and chair of the Indiana University Cybersecurity Program.
But the approach is not without complications, he noted during a virtual Black Hat session Wednesday with Christopher Hart, former chairman of the NTSB.
“One size does not fit all,” Hart conceded.
First, a board of this nature will likely face political and workforce issues: which cyberattacks should be investigated, for example, and who might be the right “experts” to participate? It could also face industry resistance, particularly as details tied to information sharing and confidentiality get worked out and the need to access data, hardware and software emerges.
One key challenge, however, is quite distinct from a board focused on aviation incidents.
Speaking on investigations by the NTSB, “almost all our accidents are inadvertent error. It’s rare we have intentional wrong-doing,” with 9/11 being the most obvious exception, Hart said. “The objective is not to blame, but to propose improvements. Investigations are collaborative; nobody wants a plane to crash.”
He asked: “Can we say that in cyber?”
As with NTSB cases, certain cyber incidents will “even surprise the experts,” requiring an exhaustive investigation that looks at that event, while others will look very familiar, demonstrating signs of systemic issues that require an analysis of trends contributing to breaches. But in either case, cyberattacks are intentional, and that means investigations combine the need to find the perpetrator with the need to improve defenses.
"Transparency is crucial to NTSB, so public has confidence; but transparency is what you do not normally want in criminal proceedings,” Hart said. “How do we do this process? There is no precedent for an agency that does both.”
Shackelford acknowledged the transparency problem when law enforcement may be involved, noting, too, the potential reluctance among victims to raise their hand for an investigation (“It’s a lot harder to hide an airline disaster than a cyberattack.”) But what a cybersecurity safety board does have going for it, as much or more so than the NTSB did, is international efforts and standards that could help shape a structure.
“One reason the NTSB has been successful and helped bend the curve is because of this global network of NTSB-like organizations,” Shackelford said. “If we’re going to see the benefits come to the fore, we need to build on foundations that are already there.”