Why We're Still Debating an NTSB for Cyberattacks

When President Biden issued an executive order on cybersecurity this spring—looking to shore up software security in the wake of the massive SolarWinds attack—he proposed what many in the tech industry had both dreaded and hoped for: a federal cyberforensics review board.

Modeled on the National Transportation Safety Board (NTSB), which investigates aviation and highway accidents, the proposed National Cybersecurity Safety Board (NCSB) would delve into significant criminal hacks against U.S. businesses, infrastructure, and federal agencies.

But not everyone is on board, says Scott Shackelford, a legal scholar who directs a program on cybersecurity and internet governance at Indiana University and who spoke at this week’s Black Hat conference on the challenges ahead. Among them: Private industry is reluctant to share proprietary information. Regulators warn of potential conflicts of interest on a board that includes industry leaders. And privacy advocates worry about the sharing of personal data.

In a recent conversation with Endpoint, Shackelford discussed how a cyber review board would operate and the need for CIOs and CISOs to start preparing for one today.

How would the NCSB function in the aftermath of an incident like SolarWinds?

Breaches are now reported through different players, from the state-level attorney general’s office to the Federal Trade Commission. We don’t have a single point agency for that. Ideally, information about cyber incidents would flow to a Bureau of Cyber Statistics. In fact, the Cyberspace Solarium Commission—the intergovernmental body aimed at protecting the U.S. from cyberattacks—has recommended setting up this bureau to collect cyber incident data.

[Read also: The Man Who Could Help Prevent a Cyber Disaster]

After the NCSB learns about a breach, its first step would be assembling an interdisciplinary team of investigators. They would interview security teams at breached companies, software providers whose products were infected, and forensic analysts studying the breach, among many other sources. Investigators would subpoena information from databases. Once they figured out what happened and who was behind it, they’d release a report and make recommendations that would then become industry standards.

What are the technical, political, and administrative challenges to establishing a NCSB?

Because cybersecurity touches on so many facets of our economy, there’s resistance from tech companies—software vendors and hardware vendors—and probably resistance from industries that are not heavily regulated or used to regulation. Potential conflicts of interest might come up, in terms of the people on the board or on the investigatory teams. We are also living through quite the era of data localization. It’s possible to establish regional or global networks of these bodies, but at the same time there’s this much bigger conversation about the future in global dataflow that makes it that much more challenging to pull off.

NTSBs investigations can take a year or more. How could a NCSB move fast enough to help mitigate an ongoing attack or prevent the next one?

It’s a tough balancing act—getting folks together and coming out with a comprehensive report that’s going to be immediately helpful to practitioners and policymakers while also responding to a challenging situation in real-time where a lot of other organizations and ultimately people are still vulnerable. I could envision a monthly digest that the NCSB puts out to give a sense of what they’re finding. This would be a bird’s eye view that goes along with other initiatives being discussed like mandatory incident response reporting.

Given the IT labor shortage, where will the board find workers to staff a team?

You’re going to need people well versed in cyberforensics and cybersecurity fundamentals. An ideal model would be creating a national service opportunity for students so they can get their degrees paid for in return for serving, a kind of Cyber Peace Corps. You can easily amend the federal acts that created AmeriCorps and Peace Corps to add cybersecurity to the other capacity building work they’re doing domestically and internationally. Plenty of tech companies also are starting to give their personnel opportunities to do kind of mini-sabbaticals and help out on worthy causes like they did to help safeguard the last election. That could be a model for this. 

Could states take the lead if Congress drags its feet creating a national board?

There’s nothing stopping a state or a regional collection of states from doing something similar to a federal NCSB. Governors could establish administrative-level cyber boards. To investigate an incident, that board could pull together a team of experts from the state attorney general’s office, local law enforcement, and state regulatory bodies. I think you’d also get buy-in from the private sector, who are often targets in these ransomware attacks, especially businesses involved in critical infrastructure, like gas and electric utilities, energy suppliers, and water companies.

What should CIOs and CISOs do today to prepare to work with a state or national cyber review board?

Start ensuring your organization is already meeting something like the SANS Institute CIS Controls and the NIST Cybersecurity Framework. CIOs should have teams and processes for incident response reporting to assist the cyber board investigating a breach. Frankly, I think they should take on these initiatives just to be good citizens. CIOs and CISOs should also start asking their in-house security experts if they want to serve on a review board. Those board roles will be a great opportunity for your own experts to learn what’s happening in other sectors and to bring that knowledge back to your organization—which makes you stronger and more secure.