‘We might not make cyber-attacks as rare as airline disasters, but we can hopefully make them a more manageable problem’
The mooted establishment of a US agency dedicated to investigating cyber-attacks should take lessons from its long-running aviation counterpart, attendees at Black Hat USA heard yesterday.
In an executive order issued in May, President Biden called for the creation of a National Cybersecurity Safety Board (NCSB) that would determine the causes of ransomware, supply chain, and other attacks, and offer recommendations for preventing recurrences.
The planned body would have an interdisciplinary composition and be co-chaired by government and private sector representatives.
Biden’s instruction followed a letter sent to the Wall Street Journal in March in which former NTSB chairman Christopher Hart and chair of Indiana University’s cybersecurity program Scott Shackelford said it was “past time for such a move”.
Addressing the subject at Black Hat USA, which is held both virtually and in Las Vegas this year, the pair said the far-reaching SolarWinds hack had exposed shortcomings in the US government’s approach to supply-chain cybersecurity and the inadequacies of “a go-it-alone strategy for cybersecurity risk management”.
Hart and Shackelford also outlined the hurdles facing policymakers, and the ways in which the NCSB could be modelled on the US National Transportation Safety Board (NTSB).
Founded in 1967, the NTSB has issued prescriptions for improving aviation safety that have contributed to a sharp fall in the accident rate since 2001.
Hart said the NCSB should also take inspiration from the Commercial Aviation Safety Team (CAST) – in particular how recurrent problems “reflect systemic shortcomings” and demand investigations of trends rather than individual events, while rare, surprising incidents require dedicated, in-depth investigations.
Towards the board
The long road leading to Biden’s executive order began, said Shackelford, with the Presidential Decision Directive 63 in 1998, which established sector-specific Information Sharing and Analysis Centers (ISACs).
Other milestones include reports calling for the creation of something resembling the NCSB (a 1991 Computers at Risk study and a 2014 National Science Foundation report) and the release of the NIST Cybersecurity Framework in 2014.
Establishing the NCSB itself, said Shackelford, will involve addressing challenges such as industry pushback, and recruiting people with the right mix of skills in the context of a near-zero infosec unemployment rate.
Defining the scope of the body’s remit will also be as difficult as it is critical, he added.
“In the second half of 2018 alone, there were more than 40,000 breaches reported under the GDPR scheme. It’s impossible [for a cyber safety board to] investigate all of these attacks,” Shackelford said.
There’s also the question of meeting Biden’s 90-day turnaround for releasing an investigation’s findings without jeopardizing their usefulness.
Shackelford and Hart recommend setting up additional bodies including a Major Cyber Incident Investigation Board with subpoena powers, a Bureau of Cyber Statistics, and a Cyber Safety Reporting System for reporting near misses.
Concluding, Shackelford noted that the NTSB’s success has been underpinned by cooperation with a global network of NTSB equivalents and the ICAO, an international regulatory body.
“We need to build on the foundations that are already there, including the dozens of countries using risk management frameworks like NIST or more omnibus approaches like GDPR, to build this consensus around cybersecurity and risk management and the utility of investigatory review boards,” he said.
“We might not be able to make cyber-attacks as rare as airline disasters, but we can hopefully make them a more manageable problem.”
Added Hart: “Combining the desire to find the perpetrator with the desire to prevent things from happening again will be an interesting mix with no precedent. We will be glad to do what we can at the NTSB to help that mixture work.”