Paul McLellan
BlackHat: Do We Want a National Cybersecurity Safety Board?

4 Oct 2021 • 6 minute read

One interesting presentation at this year's BlackHat security conference was on whether it makes sense for the US Government to set up a National Cybersecurity Safety Review Board modeled on the NTSB, the National Transportation Safety Board. That is the organization that investigates major transportation accidents, primarily aircraft crashes. Of course, the answer to this question depends a lot on knowing how the NTSB actually works, which I didn't. And you probably don't.

Chris of Hart Solutions LLP used to be a member, a vice-chairman, and chairman of the NTSB. So he knows what he is talking about when it comes to the NTSB.

Most of this post is about relevant details of how the NTSB works, and leads up to the conclusion that the answer to the question in the title of this post is "no"...because it couldn't work in the same way (thus not violating Betteridge's Law that any headline that ends in a question mark can be answered by the word "no").

Chris went into a lot of detail about some of the rules around the NTSB. It is an agency, led by five members, nominated by the President, and confirmed by the Senate. It investigates transportation accidents in all modes, meaning not just planes. For example, the NTSB investigated the 2003 crash of the Staten Island Ferry (best value trip going, since it is free). The NTSB determines cause(s) and makes recommendations to prevent recurrence. It also investigates undesirable trends (not just single accidents) and makes recommendations to correct those trends. It also acts as an advocate for the adoption of its own recommendations, since they are not mandatory (however, about 80% are adopted). And it acts as the US Government representative for aviation accidents outside the US.

One of the big advantages of an independent investigator like the NTSB is that mishaps in regulated industries are usually investigated by the regulator...but the regulator's own actions or non-actions often play a role in the mishap. The regulator's investigation report does not usually include its own actions or omissions, either because the regulator doesn't consider them relevant or because the regulator is unwilling to fall on its sword and admit its actions contributed to the mishap. An independent investigation identifies actions and omissions by the regulator...in fact more NTSB recommendations concern regulators than any other single party in the industry.

Congress, not an organization that I'm usually very complimentary about, did a great job of making NTSB independent from political forces...such as Congress. Deliberately giving up some of its own powers is not the usual action of any organization with power:

  • Only 3 of the 5 members can be from the President's political party
  • Members are appointed for a fixed term and cannot be fired by the President
  • Three of the five members must have relevant experience (e.g. knowledge of aviation)
  • The five members' terms are staggered so that one expires each year, meaning the President can only replace one member per year

The result of this is to help ensure that probable cause determinations of things like plane crashes are based on the facts, and not on lobbying by political parties or commercial parties (such as plane manufacturers, airlines, or pilots' unions).

Another important aspect of the NTSB is its openness and the fact that generally NTSB reports cannot be used in litigation. I think that this is very important since it drives the various parties to be open about discussing the incident: what the NTSB concludes cannot be used against them in court, and the ways in which NTSB investigators can be deposed are very limited. Since they can only be deposed about the facts, and the facts are public, this is rarely required anyway.

One can imagine something equivalent to the NTSB for investigating important cyberattacks (such as the recent Colonial Pipeline ransomware incident, or SolarWinds). But there is a big difference between transportation incidents and cyber incidents. Transportation incidents are almost always genuine accidents, and everyone involved didn't want it to happen and doesn't want a recurrence. The exceptions, like Germanwings 9525 or EgyptAir 990, stand out because they are so rare.

That is not true of cybercrime, which results from the deliberate actions of cybercriminals. In fact, when evidence of criminal activity is found in a transportation incident (as with 9/11), the NTSB asks the FBI to lead and then provides technical support.

The challenge in an NTSB-style investigation into a cybercrime is that full transparency is probably undesirable since some of the ways that the attack was executed may be dangerous to reveal since it invites other groups of cybercriminals to take advantage of the same issue. This is a standard problem in cyber security—how do you reveal enough to improve everyone's defenses without also providing information to allow other people to exploit the same defensive weakness? This is different from transportation accidents. It might take time for NTSB recommendations to be implemented (replacing wiring in planes, for example), which means that during that time there is a small possibility of a second event resulting from the same issue. But it also takes time to update security policies and technology, and during that time the cybercriminals have free rein.

Another difference is that it is much harder to hide an airline disaster than a cyberattack. The attacks that come to public view are just a small percentage of the total, whereas effectively 100% of plane, ship, and train crashes are public knowledge. Under GDPR, for example, we know that there were 20,000 security incidents declared, whereas just a few impinged on the public consciousness.

Chris had some recommendations for the administration, suggesting that any equivalent of the NTSB should focus on trends rather than individual incidents. That suffers less from the dilemma that revealing too much, instead of limiting repeat events, actually and inadvertently causes them.

He also pointed out some big challenges, the biggest of which is that there is a serious shortage of security experts. There is also a lack of understanding in Congress of the technical issues and tradeoffs in security, perhaps no longer at the "internet is a series of tubes" level, but almost nobody in Congress has any sort of technical background (there are a lot of lawyers, although not nearly as big a percentage as there used to be).

There is, in fact, already a mandate (from this year) on improving the nation's cybersecurity, although it doesn't go as far as creating something like the NTSB. So far, it is just a collection of good intentions. Congress was very careful when setting up the NTSB to ensure that it was independent from political pressure, could not form the basis of litigation, and so forth: all the things already discussed in this post. So far, that political will has been lacking for cybersecurity. Meanwhile, we continue to hear daily about ransomware attacks, millions of credit cards being stolen, and so forth.

There remains a lot to be done to discover an effective way to give political oversight of the security of the nation's critical infrastructure in some practical way.
