The Case for a National Cybersecurity Safety Board

Presented at Black Hat USA 2021, Aug. 4, 2021, 2:30 p.m. (30 minutes)

In the wake of a series of destabilizing and damaging cyber attacks, there has been a growing call for the U.S. government to establish an analogue of the National Transportation Safety Board (NTSB) to investigate cyber attacks. As we recently argued in a letter to the Wall Street Journal, we think that it is past time for such a move. The SolarWinds hack, for example, highlights many vulnerabilities that have gone unaddressed for too long. First, it shows that the nation’s approach to supply-chain cybersecurity is notoriously inadequate. Second, it demonstrates that a go-it-alone strategy for cybersecurity risk management is doomed to failure. Cybersecurity firm FireEye’s coming forward helped ring the alarm that U.S. early-warning sensors reportedly missed. Third, it highlights the extent to which our nation’s critical infrastructure remains vulnerable, despite decades of efforts aimed at improving our defenses.

But how would such a Board function, and could it succeed where past public-private collaborations have fallen short, given the rapid pace of technical innovation and the multifaceted challenges permeating the information security field? This presentation investigates this policy prescription by assessing how it could be used to respond to recent cyber incidents such as SolarWinds, applying lessons from the history and evolution of the original NTSB, examining the challenges (technical, political, and administrative) in establishing a National Cybersecurity Safety Board (NCSB), and globalizing the discussion to ascertain how other nations are approaching this same issue. However, it is not necessary to wait for the U.S. government to act; rather, states and the private sector can launch a beta version of this NCSB today.

In short, we will make the case that it is time for Congress to create a cybersecurity safety board to investigate breaches to find out why they happened and how to prevent them from happening again. It’s exactly the type of entity that could play a role in preventing future SolarWinds-scale breaches. We recognize that no single reform can make breaches like SolarWinds’ as rare as plane crashes, but this would be a step in the right direction.


Presenters:

  • Christopher Hart - Former Chairman, Formerly NTSB
    Christopher A. Hart is the founder of Hart Solutions LLP, which specializes in improving safety in a variety of contexts, including the safety of automation in motor vehicles, workplace safety, and process safety in potentially hazardous industries.

    Mr. Hart is also Chairman of the Washington Metrorail Safety Commission, a three-jurisdictional agency (MD, VA, DC) that was created in 2019 to oversee the safety of the Washington area subway system. In addition, in 2019 he was asked by the Federal Aviation Administration to lead the Joint Authorities Technical Review that was created to bring together the certification authorities of 10 countries, as well as NASA, to review the robustness of the FAA certification of the flight control systems of the Boeing 737 MAX and make recommendations as needed to improve the certification process. Also, in 2021 he was asked to join the Board of the Joint Commission on Accreditation of Healthcare Organizations, the non-government organization that accredits hospitals, to help improve healthcare safety. After an Uber test vehicle struck and killed a pedestrian in Tempe, AZ, in 2018, and Uber terminated such tests on public streets, Mr. Hart was included in the team of experts that Uber engaged to recommend how to safely resume street testing, which it has done.

    From 2009 until 2018 Mr. Hart was Chairman, Vice Chairman, and a Member of the National Transportation Safety Board (NTSB), having been nominated by President Obama and confirmed by the Senate. The NTSB investigates major transportation accidents in all modes of transportation, determines the probable causes of the accidents, and makes recommendations to prevent recurrences. He was previously a Member of the NTSB in 1990, having been nominated by (the first) President Bush.

    Mr. Hart’s previous positions have included:
      Deputy Director, Air Traffic Safety Oversight Service, Federal Aviation Administration,
      Assistant Administrator for System Safety, FAA,
      Deputy Administrator for the National Highway Traffic Safety Administration (NHTSA),
      Deputy Assistant General Counsel to the Department of Transportation,
      Managing partner of Hart & Chavers, a Washington, D.C., law firm, and
      Attorney with the Air Transport Association.

    Mr. Hart has a law degree from Harvard Law School and a Master’s Degree and a Bachelor’s Degree (magna cum laude) in Aerospace Engineering from Princeton University. He is a member of the District of Columbia Bar and the Lawyer-Pilots Bar Association, and he is a pilot with commercial, multi-engine, and instrument ratings as well as a Cessna Citation SIC Type Rating.
  • Scott Shackelford - Associate Professor; Chair, IU Cybersecurity Program; Executive Director, Ostrom Workshop, Indiana University
    Professor Scott J. Shackelford serves on the faculty of Indiana University where he is Cybersecurity Program Chair along with being the Executive Director of the Ostrom Workshop. He is also an Affiliated Scholar at both the Harvard Kennedy School’s Belfer Center for Science and International Affairs and Stanford’s Center for Internet and Society, as well as a Senior Fellow at the Center for Applied Cybersecurity Research. Professor Shackelford has written more than 100 articles, book chapters, essays, and op-eds for diverse publications. Similarly, Professor Shackelford’s research has been covered by an array of outlets, including Politico, NPR, CNN, Forbes, Time, the Washington Post, and the LA Times. He is also the author of The Internet of Things: What Everyone Needs to Know (Oxford University Press, 2020), Governing New Frontiers in the Information Age: Toward Cyber Peace (Cambridge University Press, 2020), and Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge University Press, 2014). Both Professor Shackelford’s academic work and teaching have been recognized with numerous awards, including a Harvard University Research Fellowship, a Stanford University Hoover Institution National Fellowship, a Notre Dame Institute for Advanced Study Distinguished Fellowship, the 2014 Indiana University Outstanding Junior Faculty Award, and the 2015 Elinor Ostrom Award.
