Is It Time for a NTSB-Style Cybersecurity Board?
Over the past several years, cybsersecurity has become a growing concern for both the federal government and private corporations. Thus far, it has been largely a game of catch up, as security firms scramble to try to patch the holes discovered by hackers probing weaknesses in the system. As more and more of American life begins to move onto cloud servers and to store data on external databases, the need for data security has become more and more pronounced. In a paper last week, Paul Rosenzweig, a senior fellow at the R Street Institute, proposed a new model of cybersecurity oversight based on the National Transportation Safety Board (NTSB).
An independent government agency, the NTSB is responsible for analyzing the causes behind all civil aviation accidents and significant accidents of other forms of transportation, including rail. The NTSB is unique in that it focuses on investigation rather than strict oversight. Lacking enforcement authority, the board focuses its attention on the “cause and effect of accidents,” Rosenzweig explains. Any recommendations the board makes fall to other agencies to implement.
“[The NTSB model] isn’t about assigning blame and liability. It is fundamentally about finding out what happened or, as I put it in the piece, ‘what went wrong,'” he told InsideSources. “Especially in an area like cybersecurity where the forensics are in their infancy and we have no real metrics for security, simply gathering data and assessing it is a great first step. Oversight can come down the road if needed.”
The NTSB’s sole responsibility is to focus on the cause of accidents and to recommend solutions to prevent them from happening again in the future. Cost is left out of the equation. This security first mindset has advantages in the cybersecurity realm, Rosenzweig explains, particularly given the often ambiguous causes of hacks and the relatively new field of cybersecurity.
“Especially in a complex area like cybersecurity, which is rife with ambiguity, it will be hard enough to identify causes without then filtering those conclusions through an economic-benefit filter,” he writes in the paper.
“For this reason, although the cost/ benefit issue merits careful consideration, we should lean toward a model that replicates the current structure of the NTSB; that is, one focused on cause and effect, without any enforcement authority and without any mandate to address cost/benefit questions,” he continued.
Such a “Computer Network Safety Board,” as Rosenzweig describes, would be brought in to investigate and provide recommendations for risk reduction. This is an important understanding of the difference between physical and computer safety. The forensics of cyber-breach investigations are frequently less determinative than those behind transit crashes, and the prospect of failure in cyber systems is treated in many cases as inevitable.
As a result, a cyber security board should focus on risk reduction, rather than the impossible goal of risk elimination.
Rosenzweig also admits that addressing every hack or cybersecurity breach would be impossible for any one body to accomplish. Some cut off would need to be developed to determine which breaches were considered large enough to warrant investigation, similar to how the NTSB looks into major accidents on trains or highways, but necessarily every crash. For the purposes of cybersecurity, this could be a breach that affects more than one million people or one where the costs outweigh the potential implementation costs of a rule change.
The trouble would be determining where this line falls. Without Congress moving forward on some sort of plan, the details will remain largely hypothetical. Even so, the idea of some sort of cyber security oversight has been raised. Rep. Denny Heck (D-Wash.) asked in a hearing earlier this year if it was time to consider creating a cyber security board. With some 53,000 cyber security incidents occurring worldwide last year, the answer to his question for many voters might be “yes.”