The Establishment of a Cyber Safety Review Board

In 2013, the Obama Administration began asking what government could do to improve cybersecurity. By February 2014, Farnam Jahanian, Assistant Director for Computer and Information Science and Engineering at the National Science Foundation, convened a three-day “idea lab” to come up with suggestions. You can see the resulting report, titled Interdisciplinary Pathways Towards a More Secure Internet, here.

One of the ideas we worked on was a “Cyber NTSB.” This concept has so much appeal because of the frustration security people feel over the lack of transparency and conflicting messaging around major cyber incidents. The breach of the Office of Personnel Management (OPM) in April 2014 may have been the trigger, but the Sony Entertainment hack later in 2014 created a lot of spurious speculation. Was it disgruntled insiders? Was it North Korea responding to a Seth Rogen movie?

We have to rely on the press to get these stories, eventually, and journalists often have to get the story from insiders who will not go on record. It would be nice to have a trusted group from which to get access to critical information and provide definitive reports.

The first instance of a Transportation Safety Board was in 1927, a few short years after the aviation industry was born. For aviation to be a commercial success, there was a need for a body independent of the Civil Aviation Agency to investigate crashes. Decades later, in 1967, Congress passed legislation creating the Department of Transportation, which set up both the FAA and the National Transportation Safety Board (NTSB).

By 2013, the NTSB had 400 staff and a $100 million budget. We tend to trust it, and there have been few controversies over its findings which are, for the most part, accepted as truthful.

The just-published EO on Improving the Nation’s Cybersecurity creates what feels like the 1927 version of the NTSB. In other words, there will be multiple iterations of the Cyber Safety Board until we get it right.

Here is what the National Science Foundation IdeaLab proposed:

Create a Cyber NTSB: Create a cyber analogue to the NTSB charged with analyzing cybersecurity incidents and providing public reports on the circumstances and causes of each incident.

Problem Statement: A critical problem in cybersecurity is the lack of reliable, consistently reported data about security incidents. The lack of data makes it difficult for others to learn from these attacks, and is leading to misplaced priorities.

Recommendation: The government should create an organization charged with investigating cybersecurity incidents. Such investigations would not be for law enforcement or immediate response purposes, but rather to carefully analyze each incident and publicly report the who, what, where, when, how and (perhaps) why behind an incident. One can think of this service as analogous to what the NTSB does for the transportation industry, or as an improvement upon the Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT) approach. Done right, such an organization could make tremendous contributions, by providing a common base of information about what types of incidents occur, who is affected, who is attacking, the methods of attacks and the vulnerabilities that are exploited, both at a given point in time and as a way of identifying and characterizing trends. The reports could be mined to guide research and policy, much as NTSB reports lead to improvements in transportation safety.

The cybersecurity EO provides for establishing a Cyber Safety Review Board (Section 5). To summarize:

The Secretary of Homeland Security shall establish a Cyber Safety Review Board.

The Board shall review and assess, with respect to significant cyber incidents affecting Federal Civil Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.

The Board shall be convened following a significant cyber incident triggering the establishment of a Cyber Unified Coordination Group (UCG) as provided by section V(B)(2) of PPD-41; at any time as directed by the President acting through the APNSA; or at any time the Secretary of Homeland Security deems necessary.

The Board’s initial review shall relate to the cyber activities that prompted the establishment of a UCG in December 2020, and the Board shall, within 90 days of the Board’s establishment, provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices. In other words, look for the first report from the Board to be about the SolarWinds attack.

The Board’s membership shall include Federal officials and representatives from private sector entities. The Board shall comprise representatives of the Department of Defense, the Department of Justice, CISA, the NSA and the FBI, as well as representatives from appropriate private sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security. (My guess: Mandiant and CrowdStrike.) A representative from OMB shall participate in Board activities when an incident under review involves Federal civil agency information systems, as determined by the Secretary of Homeland Security.

The Secretary of Homeland Security may invite the participation of others on a case-by-case basis depending on the nature of the incident under review.

The Secretary of Homeland Security shall biennially designate a Chair and Deputy Chair of the Board from among the members of the Board, to include one Federal and one private sector member. (This is much like how the board of the NTSB is set up.)

The Board shall protect sensitive law enforcement, operational, business and other confidential information that has been shared with it, consistent with applicable law.

The Secretary of Homeland Security shall provide to the President through the APNSA (Jake Sullivan?) any advice, information or recommendations of the Board for improving cybersecurity and incident response practices and policy upon completion of its review of an applicable incident.

Within 30 days of completion of the initial review (SolarWinds), the Secretary of Homeland Security shall provide to the President through the APNSA the recommendations of the Board based on the initial review. These recommendations shall describe:

(i) identified gaps in, and options for, the Board’s composition or authorities;

(ii) the Board’s proposed mission, scope, and responsibilities;

(iii) membership eligibility criteria for private sector representatives;

(iv) Board governance structure including interaction with the executive branch and the Executive Office of the President;

(v) thresholds and criteria for the types of cybersecurity incidents to be evaluated;

(vi) sources of information that should be made available to the Board, consistent with applicable law and policy;

(vii) an approach for protecting the information provided to the Board and securing the cooperation of affected United States individuals and entities for the purpose of the Board’s review of incidents; and

(viii) administrative and budgetary considerations required for operation of the Board.

By my calculation, this gives DHS 120 days from May 12 both to report back on the SolarWinds attack and to identify ways to improve and finance the Cyber Safety Review Board. I am putting a reminder in my calendar for September 9, 2021, to see what they come up with.

I like the approach of creating an ad-hoc Board to review a critical incident, like SolarWinds, then come back with that experience and flesh out the structure and operations of the Board. I suspect that Congress will have to get involved to provide funding and exert some control over the process. I hope it takes less than the forty years it took to firmly establish the NTSB.

Richard Stiennon

Richard Stiennon is the author of Security Yearbook 2021: A History and Directory of the IT Security Industry. He has held leadership roles at PwC, Webroot Software, Fortinet, and Blancco Technology Group. He was a Research VP at Gartner. He researches and reports on 2,615 IT security vendors. His clients are vendors, investment firms, and CISOs at large enterprises.