(Security Europe)

June 18, 2012

The Case for a Cyber-Security Safety Board: A Global View on Risk

by Neil Robinson

Risks and responsibility for cyber-security are high on the agenda for policy-makers and chief executives on both sides of the Atlantic. In Brussels, the relatively nascent European External Action Service (EEAS) is busily preparing a comprehensive European Cyberspace Strategy. Meanwhile, in Washington, the Obama Administration trumpeted its own international strategy for cyberspace last year, while Congress currently debates a range of cyber-bills that address such topics as information sharing and the extent to which government should regulate security of private sector networks.

To address concerns about the legality and economic viability of cyber-security information sharing in this environment, an independent third party should be created to conduct impartial expert investigations—a cyber-security safety board.

The important challenge is how to get a better picture of the state of risk. Experts agree that cyberspace is now so complex that no one organisation has a complete handle on how the different networks that comprise the Internet interact—particularly when they are misused. Key to this is information sharing: a broad term that includes responsible disclosure of software vulnerabilities, the exchange of threat data between intelligence agencies and the private sector; and when and how to share best practices among competitors in critical infrastructure.

A multitude of factors operate in these domains. Chief among them is the economics of liability. There is great fear of reputational damage when providers in the private sector must share information with peers or with government and law enforcement. The private sector often must put its reputation into the hands of an organisation for which it cannot guarantee competence or control of disclosed information. This is particularly the case with hacking incidents and their mitigation. Firms are therefore reluctant to tell others about what incidents happened and how (if at all) they solved related problems.

What could be helpful is an independent third party, modeled on the U.S. National Transportation Safety Board (NTSB). The NTSB, 45 years old, is now an independent agency that serves as an accident investigation bureau. It collects impartial evidence across a variety of modes on the U.S. transportation system, most famously air accidents, with the intent of learning lessons and improving safety. It has managed some 140,000 investigations into aviation incidents since it was formed.

The NTSB is mandated to investigate both accidents (where there is a threshold of death or serious injuries) and incidents, which are defined as "…any occurrence other than an accident which affects or could affect the safety of operations." There are five different types of NTSB investigations, ranging from a major investigation (where a "go-team" is deployed) of a commercial carrier, to regional, local or desk investigations.

Two aspects of the NTSB model are particularly relevant to the cyber-security problem. First, its mandate is to run investigations for fact-finding proceedings in which no formal issues are addressed. This could be applicable in the context of cyber-security because it would enable the process of finding out what happened (attribution) to be independent from the process of establishing liability.

The second important characteristic is known as the party process. A number of stakeholders (air carriers, the airline pilots association, industry) are brought together. This has relevance for cyber-security incidents where a multitude of different stakeholders from the public and private sector are involved. As NTSB investigations often show, no one factor is the single cause of a catastrophe. Sometimes a perfect storm of different issues (weather, fatigue, an electrical malfunction in a minor component) all played a role. An independent third party can critically evaluate the chain of causality leading to significant breaches and create an impartial, objective accident investigation report.

Identifying the many factors that may contribute to incidents would encourage sharing mitigation practices and act as an impartial "firewall" between the private sector and government. This would permit more oversight over the types of information shared. This, in turn, might address concerns that sharing information erodes privacy, or that divulged information would be misused.

The reports could spur useful secondary markets by bringing clarity for the attribution of claims in emergent cyber insurance market, by helping to empirically determine what cyber-security measures are actually effective. The investigation reports of the NTSB affected liability cases; the conclusions of the NTSB helped determine the negligence of an airline or pilot error and were factored into claims against responsible parties.

While such a model might have positive consequences (the firms might be incentivised to improve security, as many did with regards to safety in the airline industry) policy makers must also be aware of likely unintended consequences. For example, a possible adverse consequence of this model is that firms might spend more money settling out of court claims than fixing cyber-security problems. Similarly, firms might be more prepared to invest in reputation management than actually solving the problems.

Regardless of whether the cyber-security experts choose to use the NTSB model, innovative approaches are needed to break the current stalemate of information sharing and to build a solid and reliable evidence base on the state of cyber-security. This crucial step in determining the efficacy of security measures will enable policy-makers to move beyond what currently serves as the basis for decision-making: blind faith.

Neil Robinson is a research leader with a decade of experience in cyber-security research at Cambridge-based RAND Europe, an independent not-for-profit research institution that is part of the global RAND Corporation.

This commentary originally appeared in Security Europe on June 18, 2012. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.