In the wake of a series of destabilizing and damaging cyberattacks, there has been a growing call for the U.S. government to establish an analogue of the National Transportation Safety Board (NTSB) to investigate cyberattacks. As we recently argued in a letter to the Wall Street Journal, we think that it is past time for such a move. The SolarWinds hack, for example, highlights many vulnerabilities that have gone unaddressed for too long. First, it shows that the nation’s approach to supply chain cybersecurity is notoriously inadequate. Second, it demonstrates that a go-it-alone strategy to cybersecurity risk management is doomed to failure. Cybersecurity firm FireEye’s coming forward helped ring the alarm that U.S. early-warning sensors reportedly missed. Third, it highlights the extent to which our nation’s critical infrastructure remains vulnerable, despite decades of efforts aimed at improving our defenses.
But how would such a Board function, and could it succeed where past public-private collaborations have fallen short given the rapid pace of technical innovation multifaceted challenges permeating the information security field? This presentation investigates and fleshes out this policy prescription by assessing how it could be used to respond to recent cyber incidents such as SolarWinds, applying lessons from the history and evolution of the original NTSB, examining the challenges (technical, political, and administrative) in establishing a National Cybersecurity Safety Board (NCSB), and globalizing the discussion to ascertain how other nations are approaching this same issue.
In short, we will make the case that it is time for Congress to create a cybersecurity safety board to investigate breaches to find out why they happened and how to prevent them from happening again. It’s exactly the type of entity that could play a role in preventing future SolarWinds-scale breaches. We recognize that no single reform can make breaches like SolarWinds as rare as plane crashes, but this would be a step in the right direction.