An NTSB for cyber attacks? Critics grapple with Biden's Cybersecurity Safety Review Board plan

The White House plans to model the board after the US National Transportation Safety Board.

President Joe Biden's recent executive order on cybersecurity drew praise for addressing critical gaps in the government's efforts to protect its digital assets, but lawmakers and experts are raising questions about one aspect of the order: the creation of a Cybersecurity Safety Review Board.

The executive order establishes a review board "co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity." 

The board will be there to "ask the hard questions" according to the executive order and is modeled after the National Transportation Safety Board, which investigates airplane crashes and transportation incidents.

The fine print of the executive order says Homeland Security Secretary Alejandro Mayorkas will work with the Attorney General Merrick Garland to create the board, which will look into any attacks "affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses."

Both federal law enforcement officials and private-sector cybersecurity experts will populate the board, with one of each serving as chair and deputy chair biennially. Within 30 days, Mayorkas has to send a report to Biden about who will be on the board, its scope, responsibilities, structure, "thresholds and criteria for the types of cyber incidents to be evaluated" as well as how they plan on forcing companies or individuals to comply with their investigation. 

Democratic leaders in Congress expressed support for the effort but had a range of concerns they hoped would be addressed by Mayorkas and Garland once the idea was more fully sketched out. 

Rep. Carolyn Maloney, chairwoman of the Committee on Oversight and Reform, told ZDNet that it is "critical for the federal government to respond quickly when a significant cyber event occurs." 

But Maloney said the board had to walk a fine line of complying with the Federal Advisory Committee Act, which forces boards like this to be "objective and accessible to the public," while also keeping the information it collects safe.

"It is important that sensitive information be properly protected but it is also important that the board operate with transparency and in full compliance with ethics laws," Maloney said.

Other congressional leaders in cybersecurity echoed those remarks and raised more pressing concerns about the board's ability to effectively address devastating attacks that now occur on a weekly basis. 

Congressman Jim Langevin, who helped found the House Cybersecurity Caucus that he now co-chairs, said he was in support of the idea that the cyber review board was meant to help defenders understand major incidents better. 

But as a member of the Cybersecurity, Infrastructure Protection, & Innovation subcommittee, he told ZDNet he was "seriously concerned about the trend toward larger, more frequent cyber incidents that may be too much for a review board to handle." 

"That's why I support the creation of a Bureau of Cyber Statistics so that we can examine incident data in aggregate and make more informed cyber risk management decisions," Langevin said. 

A congressional aide explained to ZDNet that some on Capitol Hill have questioned how the board could work like the National Transportation Safety Board, which has broad authority to investigate transportation incidents and can issue subpoenas.

It is still unclear what thresholds the cyber review board will use to decide which breaches or attacks to investigate, and what power it will be given to compel organizations to hand over critical information that some may be reluctant to share.

"With the NTSB, they just show up with their badge and the entity has to produce anything the investigator wants. They don't always need a subpoena or the court system to get what they want," the congressional aide said. 

"It's so far outside of the existing legal systems and I think there's a strong incentive to cooperate because what are your options otherwise?"

The aide added that the idea for an NTSB-like effort for cybersecurity incidents has long been floated on Capitol Hill because there is always interest in finding the root causes of attacks and potential mitigations. 

But the NTSB deals with far fewer incidents than any cyber review board would and incidents often involve dozens, if not hundreds, of different organizations, some of which will not cooperate with federal law enforcement. The NTSB mostly interacts with airline companies and maintenance operators, whereas the review board would be trying to investigate entire software supply chains. 

"There's huge benefits to root cause analysis but in terms of getting access to the data, it's quite extraordinary the powers that NTSB has in some respects. I don't think that that's necessarily applicable in a cyber context," the aide said. 

Anurag Lal, former director of the US National Broadband Task Force for the Federal Communications Commission under the Obama administration, expressed fear that the board will be "bogged down by bureaucracy as others have in the past" and be hamstrung by red tape while investigating cyber incidents that require quick responses.

The executive order was a step in the right direction toward creating the processes needed to respond to cyberattacks, Lal explained, but he said a more comprehensive cyber response bill is needed to put laws in place governing how the US responds to attacks.

"While these are comparable boards, I believe the Cybersecurity Safety Review Board needs to act with much greater urgency than the NTSB. In the case of flight incidents, a great deal of time needs to be taken to thoroughly investigate. However, the nature of cyber-attacks requires us to act quickly, so this board will not have the luxury of time," Lal said. 

"The CSRB must be mandated to respond in an urgent, accelerated manner. This executive order addresses how we can respond, but now we need to push further and determine how we are going to go on the offensive to prevent these attacks from even happening."

Christopher Fielder, who spent years as a network and cryptographic systems technician in the US Air Force and as a security analyst contractor with the CIA, told ZDNet that too many cyber incidents are shrouded in secrecy, resulting in numerous incidents that could have been prevented earlier had the information been shared accordingly. 

Fielder said the review board was a good idea because it could quickly identify underlying issues and establish a federal-level baseline of transparency around future compromises and how to learn from them. 

"Using this postmortem approach for breaches can drive the development of standards based around historic evidence. It's important to understand, however, that for a review board such as this to be effective it is going to require significant buy-in from both the private and public sectors," Fielder said. 

"We are going to have to feel that this will be a board that is not a regulatory body intended to punish or place blame on those who are affected by compromises, but instead designed to foster the sharing of knowledge and best practices that are discovered from incidents that are reviewed." 

The board would be a good first step but cybersecurity is still like the Wild West, Fielder explained, with many organizations protecting themselves the best they can with the resources they have available. 

Post-incident recommendations often differ between cybersecurity companies and researchers, and Fielder said a board like this could help reconcile differing opinions on an incident's root cause or next steps so that agreed-upon and trusted recommendations can be made. 

Sounil Yu, the chief information security officer at JupiterOne, said the best version of the review board would include "blameless postmortems" that produce "meaningful lessons learned that reduce the likelihood of repeated failure events."

"There are great examples of security-oriented postmortems (e.g., Coinbase and FireEye) that are highly instructive and can serve as a model for what a Cyber Review Board investigation report might look like," Yu said. 

A number of cybersecurity experts praised the review board idea for similar reasons but questioned what would happen in instances where it was clear the attack was carried out by a state actor, like the most recent attacks attributed to Russia and China.

"The NTSB didn't take the lead in the 9/11 investigations because it was clear that the cause was not due to safety issues," Yu added. "Safety incidents are often handled very differently than security incidents."