President Joe Biden’s recent executive order on cybersecurity promised to resolve critical shortcomings in the government’s efforts to protect its digital assets, but lawmakers and experts are raising questions about one aspect of the order: the creation of a Cyber Safety Review Board.
The executive order establishes a review board “co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.”
The board will be there to “ask the hard questions,” according to the executive order, and is modeled on the National Transportation Safety Board, which investigates plane crashes and other transportation incidents.
The fine print of the executive order says Homeland Security Secretary Alejandro Mayorkas will work with Attorney General Merrick Garland to create the board, which will review attacks affecting FCEB information systems or non-federal systems, the threat activity, vulnerabilities, mitigation activities, and agency responses.
Both federal officials and private sector cybersecurity experts will fill the board, with the chair and deputy chair positions rotating between them every two years. Within 30 days, Mayorkas must send Biden a report on who will sit on the board, its scope, responsibilities, and structure, the “thresholds and criteria for the types of cyber incidents to be evaluated,” and how it plans to compel companies or individuals to cooperate with its investigations.
Democratic congressional leaders expressed support for the effort, but had a number of concerns they hoped Mayorkas and Garland would address once the plan was fleshed out.
Representative Carolyn Maloney, chair of the Oversight and Reform Committee, told ZDNet that it is “critical that the federal government responds quickly when a significant cyber event occurs.”
But Maloney said the board had to comply with the Federal Advisory Committee Act, which requires boards like this to be “objective and accessible to the public,” while keeping the information it collects secure.
“It is important that sensitive information is adequately protected, but it is also important that the board operates in a transparent manner and in full compliance with ethical laws,” Maloney said.
Other congressional cybersecurity leaders echoed those statements and raised more pressing concerns about the board’s ability to deal effectively with the devastating attacks that now occur weekly.
Congressman Jim Langevin, who helped found the House Cybersecurity Caucus he now co-chairs, said he supported the idea that a cyber review board was meant to help defenders better understand major incidents.
But as a member of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, he told ZDNet that he was “seriously concerned about the trend toward larger, more frequent cyber incidents that may be too much for a review board.”
“That’s why I support the creation of a Bureau of Cyber Statistics, so that we can examine incident data in aggregate and make more informed decisions about cyber risk management,” Langevin said.
A congressional aide told ZDNet that some on Capitol Hill have questioned how the board could function like the National Transportation Safety Board, which has broad authority to investigate transportation incidents and can issue subpoenas.
It is still unclear what thresholds the cyber review board will use to decide which breaches or attacks it will investigate, and what power it will be given to compel organizations to hand over critical information that some may be reluctant to share.
“With the NTSB, they just show up with their badge and the entity has to produce everything the investigator wants. They don’t always need a subpoena or the court system to get what they want,” the congressional aide said.
“It’s so far from existing legal systems and I think there’s a strong incentive to cooperate because what options do you have otherwise?”
The aide added that the idea of an NTSB-like effort for cybersecurity incidents has long been floated on Capitol Hill because there is always interest in finding the root causes of attacks and possible mitigations.
But the NTSB deals with far fewer incidents than any cyber review committee, and the incidents often involve dozens, if not hundreds, of different organizations, some of which will not cooperate with federal law enforcement. The NTSB primarily interacts with airlines and maintenance operators, while the review board would attempt to investigate entire software supply chains.
“There are huge advantages in analyzing the root causes, but in terms of access to data, the powers that the NTSB has in some respects are quite extraordinary. I don’t think that’s necessarily applicable in a cyber context,” the aide said.
Anurag Lal, a former director of the U.S. National Broadband Task Force at the Federal Communications Commission under the Obama administration, expressed fear that the board would be “wrapped up in bureaucracy like others have been in the past” and obstructed while investigating cyber incidents that require rapid responses.
The executive order was a step in the right direction toward creating the processes needed to respond to cyberattacks, Lal explained, but he said a more comprehensive cyber response bill is needed to establish laws governing how the US responds to attacks.
“While these are comparable boards, I believe the Cyber Safety Review Board needs to act with far more urgency than the NTSB. In the event of flight incidents, a lot of time needs to be spent investigating. However, the nature of cyberattacks forces us to act quickly, so this board will not have the luxury of time,” Lal said.
“The CSRB needs to respond urgently and expeditiously. This executive order is about how we can respond, but now we need to keep moving forward and determine how we go on the offensive to prevent these attacks from happening.”
Christopher Fielder, who spent years as a cryptographic network and systems technician in the U.S. Air Force and as a contractor security analyst for the CIA, told ZDNet that too many cyber incidents are kept quiet, resulting in numerous incidents that could have been anticipated earlier if the information had been shared accordingly.
Fielder said the review board was a good idea because it could quickly identify underlying issues and establish a federal-level baseline of transparency on future compromises and how to learn from them.
“Using this postmortem approach for breaches can drive the development of standards based on historical evidence. However, it is important to understand that for a review board like this to be effective it will require significant buy-in from both the private and the public sector,” Fielder said.
“We must feel that this is a board that is not a regulatory body intended to punish or blame those who are affected by compromises, but one designed to encourage the exchange of knowledge and good practices discovered from the incidents being reviewed.”
The board would be a good first step, but cybersecurity remains the wild west, Fielder said, with many organizations protecting themselves as best they can with the resources they have available.
Post-incident recommendations often differ between cybersecurity companies and investigators, and Fielder said a board like this could help reconcile differing views on the root cause of an incident or the next steps, so that it can make agreed-upon and trusted recommendations.
Sounil Yu, head of information security at JupiterOne, said the best version of the review board would include “blameless postmortems” that produce “meaningful lessons learned that reduce the likelihood of repeat events.”
“There are great examples of security-oriented postmortems (e.g., Coinbase and FireEye) that are highly instructive and can serve as a model for what a Cyber Review Board investigation report could look like,” Yu said.
Several cybersecurity experts praised the idea of the review board for similar reasons, but questioned what would happen in cases where it was clear the attack was carried out by a state actor, such as the most recent attacks attributed to Russia and China.
“The NTSB did not put itself at the forefront of the 9/11 investigations because it was clear that the cause was not due to safety concerns,” Yu added. “Safety incidents are usually treated very differently from security incidents.”