Can NTSB-style oversight work for cybersecurity?

President Joe Biden's cybersecurity executive order calls for the establishment of safety review boards to respond to significant breaches and other incidents. The administration is modeling this approach after the National Transportation Safety Board, which probes the aftermath of plane crashes and other transportation calamities. The differences between the tightly regulated world of transportation and the relatively unregulated realm of cybersecurity raised questions among some experts about how effective such a panel can be.

"I have serious concerns that the scale of cyber incidents and the pace of change in cyberspace make a review board poorly suited to the task," Rep. Jim Langevin (D-R.I.) told FCW on Monday in an emailed statement. The congressman credited the White House for its efforts but said a "Bureau of Cyber Statistics" should examine incident data in "aggregate and provide empirical backing for cyber risk management decisions."

The first board to be empaneled will review the attack against SolarWinds, according to the executive order. The Homeland Security secretary will co-chair each board alongside an appropriate member of the private sector depending on the circumstances. The panel will include representatives from the Defense Department, Justice Department, the Cybersecurity and Infrastructure Security Agency, National Security Agency, the FBI as well as several members of industry. Once established, the panel will have 90 days to assess the incident and provide recommendations to the DHS secretary, who must then provide recommendations to the president within one month of the panel completing its work.

The notion of a review board, specifically one based on the NTSB, is not new. Lawmakers such as Sen. Mark Warner (D-Va.), who chairs the Senate Select Committee on Intelligence, have previously advocated for these sorts of panels, particularly in the aftermath of the attack against SolarWinds. The NTSB model may not be the best fit for investigating the aftermath of cybersecurity incidents, some experts said.

"The timelines alone would make a 'cyber NTSB' almost impossible," said Tatyana Bolton, policy director of the cybersecurity and emerging threats program at the R Street Institute.

Bolton, who formerly worked at CISA, added the administration should wait to have its national cyber director confirmed before creating new organizations or panels. The president has nominated Chris Inglis, the former NSA deputy director, to be the first national cyber director.

"I think the biggest bang for your buck in cyber incident response is streamlining roles and responsibilities for incident responders and making sure everyone's working off the same playbook. We don't even have that right now, so let's focus on the basics," she said.

Tim Erlin, an executive at the software company Tripwire, predicted a public review board could lead to greater transparency about individual incidents. He said investigations today are usually conducted by private firms and paid for by the victims, who do not have to disclose the findings.

Ari Schwartz, who worked on cybersecurity at the National Security Council during the Obama administration, said the boards will likely have the most impact through recommendations for long-term policy changes.

Schwartz predicted that a review of the SolarWinds episode will include a focus on red flags that went unnoticed.

"I think that they will look at what information was known at the time and how it could have been used to spot this earlier," he said. "Because there's been a lot of discussion out there about flags that came up that no one knew how to interpret."