A National Body to Protect Critical Infrastructure Is Overdue
As Shackelford pointed out, “Cyberthreats to critical infrastructure are not a new problem, despite the fact that they’re constantly in the news these days.”
Shackleford said the stakes couldn’t be higher today, “given the huge proliferation of cyberattacks in terms of numbers, sophistication and severity, and the fact that they’re targeting companies and countries alike, both critical and noncritical infrastructure providers. And, of course the attack surface, as well, continues to grow exponentially with the rapidly expanding Internet of Things.”
Shackleford reported that most respondents to a survey conducted throughout Indiana had experienced cyberattacks in the past three years. Ninety-one percent of survey respondents reported taking proactive steps to prevent attacks, he said. “These really ran the gamut in terms of new anti-virus and new anti-malware software that was being installed, updating perhaps an incident response plan, purchasing cyber risk insurance. More than half of our respondents had already had a cyber risk insurance policy, with another 20 percent reporting that they were actively considering such a purchase.”
Does Critical Infrastructure Require a National Cyber Safety Review Board?
According to Shackelford, “During the Obama administration, there was a big push to establish the Department of Homeland Security as the focal point for protecting critical infrastructure. There was a bill back in 2012 that would have given DHS responsibility to not only define critical infrastructure sectors but to set cybersecurity benchmarks, along with a safe harbor to help incentivize companies to meet those benchmarks.”
That bill was filibustered and didn't go anywhere, which Shackelford said “was the big reason we got the NIST cybersecurity framework, which has done a lot to help define and establish cybersecurity due diligence in both the critical infrastructure and noncritical infrastructure context. And as we've seen with various supply chain attacks recently, more needs to be done, which is one reason that we think it could be time for this national cyber safety review board.”
Though the Cybersecurity and Infrastructure Security Agency was created in 2018, it investigates cyberattacks and issues alerts, but it has no enforcement authority. And while the White House’s recent executive order on improving the nation’s cybersecurity does take some important steps, it doesn’t go so far as to establish the national cyber safety review board as an independent agency similar to the NTSB, as Shackelford recommended.
The Push to Establish a National Cyber Safety Review Board Would Face Challenges
Shackleford highlighted some of the potential quagmires lying ahead in the development of a national cyber safety review board.
“There could be industry resistance that we’ll run into, as we’ve seen in the tech sector and otherwise. There’s been a lot of pushback for many years now against cybersecurity regulations,” he said. “It looks like that logjam might be starting to break, at least here and there. Still, it’s important to note elements of industry, including insurance, that could be supportive of this.”
He also cited several practical considerations to keep in mind, including the sharing of confidential information, such as protected health information, between these interdisciplinary review teams and other stakeholders.
“There’s a need for this slow, careful approach to investigations. At the same time, in this executive order that we just saw from the administration, the requirement is 90 days to submit these reviews. That’s another really difficult balancing act we’re going to have to see play out in practice, and I think we can learn from the NTSB.”
He concluded his proposal by noting that “this is just one of several much larger and more complicated reforms that we think are needed in this space.” Shackelford said he sees the need for a federal body to investigate major cyber incidents that would have power similar to that of the NTSB, including the power to subpoena when needed.