To prevent cyberattacks, create agency similar to National Transportation Safety Board: Experts

measures,” they wrote.

“A common refrain across many of these proposals … (is a call for) more robust data breach investigations, which could include on-site gathering of data on why the attack occurred so as to help other companies prevent similar attacks. This evokes one of the core functions of the NTSB, that is, to investigate and establish the facts behind an incident, and to make recommendations to help ensure that similar events do not occur in the future.”

Enhancing cybersecurity in the emerging Internet of Everything is technologically complex and legally challenging, especially when organizational cultures can be so different. Microsoft has estimated that the number of Internet-enabled devices could increase from 11 billion to 50 billion between 2013 and 2020. Another estimate from Morgan Stanley places the number at 75 billion by 2020.

Shackelford and Brady think a cybersecurity safety board could be a public-private partnership, potentially run by coalitions of companies.

“Funding could come from interested stakeholders, such as insurance companies,” they said, “because such secondary markets would benefit from greater clarity surrounding the attribution of claims, as well as more information about the utility of various cybersecurity best practices.”

They also acknowledge the limitations and criticisms of a safety board model. Some critics say firms may use it more for settling litigation and reputation management than for preventing future attacks. Another concern is that any cyber safety board’s conclusions could be out of date by the time they are released, due to the dynamic cyberthreat environment and rapidly changing technologies.

“Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams and aid in effective policymaking at both the state and federal level, given the lack of hard, verifiable data on the scope of cyberattacks,” the authors said.

“The creation of a National Cybersecurity Safety Board could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI,” they added. “This would be a boon to academics needing reliable data to undertake scholarly analysis as well as national security organizations and U.S. strategic partners around the world.”

— Read more in Scott Shackelford and Austin Brady, “Is it Time for a National Cybersecurity Safety Board?” Albany Law Journal of Science and Technology (9 February 2018)