Aug 10 2021

Black Hat 2021: Should There Be a Federal Cybersecurity Safety Board?

In the wake of several recent high-profile ransomware attacks, IT experts call for a national cybersecurity board.

Cybersecurity news reports over the past 18 months have been littered with headlines about ransomware and other cybercrimes that have had ripple effects on the customers and vendors working with the primary victims of those attacks.

As organizations absorb the reality of the cyberthreats they’re facing and attempt to shore up their defenses, some are questioning the role of the federal government in preventing these attacks and enforcing the law when they occur.

Speaking at Black Hat USA 2021, Scott Shackelford, chair of the cybersecurity program at Indiana University, and Christopher Hart, former chair of the National Transportation Safety Board, called for the establishment of a cybersecurity board analogous to the NTSB.

Summarizing their presentation, the Black Hat website said that recent high-profile attacks have shown that “the nation’s approach to supply chain cybersecurity is notoriously inadequate. Second, it demonstrates that a go-it-alone strategy for cybersecurity risk management is doomed to failure. Third, it highlights the extent to which our nation’s critical infrastructure remains vulnerable, despite decades of efforts aimed at improving our defenses.”

The Idea of a National Cybersecurity Board Requires Context

Shackelford began by offering a bit of context for the conversation, saying it’s important to note that a national cyber safety review board would be a small part of a much bigger conversation “on how we should go about protecting not only the nation’s but the world’s vulnerable critical infrastructure.”

“Here in the U.S., we have 16 critical infrastructure sectors as designated by our Department of Homeland Security, whereas in the EU, there are seven critical infrastructure sectors recognized under the Network Information Security Directive there,” Shackelford said. “So, even at the starting gates, we’re coming from different starting points.”

“Here in the states, given our broad perspective on critical infrastructure, if everything is critical, how can we best coordinate our expertise and resources to defend vulnerable critical infrastructure against the huge array of cyber-enabled threats, including ransomware, that we’ve seen recently?”

A National Body to Protect Critical Infrastructure Is Overdue

As Shackelford pointed out, “Cyberthreats to critical infrastructure are not a new problem, despite the fact that they’re constantly in the news these days.”

Shackelford said the stakes couldn’t be higher today, “given the huge proliferation of cyberattacks in terms of numbers, sophistication and severity, and the fact that they’re targeting companies and countries alike, both critical and noncritical infrastructure providers. And, of course the attack surface, as well, continues to grow exponentially with the rapidly expanding Internet of Things.”

Shackelford reported that most respondents to a survey conducted throughout Indiana had experienced cyberattacks in the past three years. Ninety-one percent of survey respondents reported taking proactive steps to prevent attacks, he said. “These really ran the gamut in terms of new anti-virus and new anti-malware software that was being installed, updating perhaps an incident response plan, purchasing cyber risk insurance. More than half of our respondents had already had a cyber risk insurance policy, with another 20 percent reporting that they were actively considering such a purchase.”

Does Critical Infrastructure Require a National Cyber Safety Review Board?

According to Shackelford, “During the Obama administration, there was a big push to establish the Department of Homeland Security as the focal point for protecting critical infrastructure. There was a bill back in 2012 that would have given DHS responsibility to not only define critical infrastructure sectors but to set cybersecurity benchmarks, along with a safe harbor to help incentivize companies to meet those benchmarks.”

That bill was filibustered and didn't go anywhere, which Shackelford said “was the big reason we got the NIST cybersecurity framework, which has done a lot to help define and establish cybersecurity due diligence in both the critical infrastructure and noncritical infrastructure context. And as we've seen with various supply chain attacks recently, more needs to be done, which is one reason that we think it could be time for this national cyber safety review board.”

The Cybersecurity and Infrastructure Security Agency, created in 2018, investigates cyberattacks and issues alerts, but it has no enforcement authority. And while the White House’s recent executive order on improving the nation’s cybersecurity does take some important steps, it doesn’t go so far as to establish the national cyber safety review board as an independent agency similar to the NTSB, as Shackelford recommended.

The Push to Establish a National Cyber Safety Review Board Would Face Challenges

Shackelford highlighted some of the potential quagmires lying ahead in the development of a national cyber safety review board.

“There could be industry resistance that we’ll run into, as we’ve seen in the tech sector and otherwise. There’s been a lot of pushback for many years now against cybersecurity regulations,” he said. “It looks like that logjam might be starting to break, at least here and there. Still, it’s important to note elements of industry, including insurance, that could be supportive of this.”

He also cited several practical considerations to keep in mind, including the sharing of confidential information, such as protected health information, between these interdisciplinary review teams and other stakeholders.

“There’s a need for this slow, careful approach to investigations. At the same time, in this executive order that we just saw from the administration, the requirement is 90 days to submit these reviews. That’s another really difficult balancing act we’re going to have to see play out in practice, and I think we can learn from the NTSB.”

He concluded his proposal by noting that “this is just one of several much larger and more complicated reforms that we think are needed in this space.” Shackelford said he sees the need for a federal body to investigate major cyber incidents that would have power similar to that of the NTSB, including the power to subpoena when needed.
