The National Transportation Safety Board may be one of the most trusted U.S. agencies worldwide. That trust is based in part on NTSB’s standalone status outside any cabinet department; it is truly independent and objective, and its recommendations are generally treated as gospel.
The creation of a Cyber Safety Review Board (CSRB) in President Joe Biden’s executive order on improving cybersecurity is being compared to the establishment of the NTSB in 1967, first as part of the Transportation Department, then reconstituted in 1974 as a fully independent agency.
“I know a lot of people are focused on [this],” said Karen Evans, former administrator of electronic government and IT at the Office of Management and Budget during the George W. Bush administration. “It’s a thing that’s going to continue to evolve, an area that’s going to require statutory [actions].”
The board is to be appointed by the Secretary of Homeland Security, in consultation with the Attorney General, with board members drawn from the departments of Defense and Justice, the National Security Agency, the FBI and “appropriate private sector cybersecurity or software suppliers.” CSRB’s responsibilities extend over both federal civilian executive branch agencies and non-federal systems, and cover threat activities, vulnerabilities, mitigation actions and agency responses.
“The Cyber Safety Review Board is a worthy initiative that has precedent in identifying problems and potential solutions to prevent recurrence,” said Greg Touhill, director of the CERT Division at Carnegie Mellon University’s Software Engineering Institute, and former federal CISO in the Obama administration.
“For example, in 2003, the Air Force Personnel Center conducted what was then called a ‘Cyber Safety Investigation Board,’ chaired by Col. Bruce Harmon, to investigate the facts and circumstances surrounding the failure of a personnel data system,” he said. “Col. Harmon modeled his investigation using the procedures the Air Force uses to conduct Aircraft Investigation Boards in the aftermath of incidents involving aircraft and crews. It was a great model back in 2004, and to formally adopt a Cyber Safety Review Board (CSRB) now using the lessons learned from aviation and initiatives like Col. Harmon’s Cyber Safety Investigation Board can help instill a measure of discipline and rigor that will enhance information sharing while reducing overall risk.”
CSRB is tasked with reviewing “significant cyber incidents” as defined in Presidential Policy Directive 41, which itself was in response to the Russian hack of Democratic National Committee IT systems in 2016.
PPD-41 defines a cyber incident as “an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon … a cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”
What makes a cyber incident “significant,” according to the PPD, is that it – or a group of related incidents – is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
Deciding whether a cyber incident rises to the level of significance will be based on an assessment of evidence, not a knee-jerk reaction to the level of intrusion. The Cybersecurity and Infrastructure Security Agency created a scoring system, on a scale of 0-100, that will drive triage and escalation processes. The system corresponds to the Cyber Incident Severity Schema that was issued as part of PPD-41.
There are signs this kind of collaborative enforcement is already taking hold. On Aug. 5, Jen Easterly, the director of CISA, announced the formation of the Joint Cyber Defense Collaborative, bringing together public and private sector actors to address cyber readiness and threats.
Focus on EO Section 4: Enhancing software supply chain security