The Case for a National Cybersecurity Safety Board

Conference:  BlackHat USA 2021



The need for a National Cyber Security Safety Board to investigate and propose improvements to prevent cyber attacks on critical infrastructure.
  • Cyber attacks on critical infrastructure are intentional and require a mix of finding the perpetrator and improving defenses.
  • Transparency is crucial to the NTSB but not normally wanted in criminal proceedings.
  • A survey found that 95% of respondents were concerned about cyber attacks on critical infrastructure and the majority had experienced them in the last three years.
  • 91% of survey respondents reported taking proactive steps to prevent cyber attacks.
  • Establishing a National Cyber Security Safety Board has been proposed for over 30 years and is gaining support.
  • The recent executive order establishes a Cyber Safety Review Board to investigate significant cyber incidents.
The speaker mentioned the SolarWinds supply chain attack as an example of the need for a National Cyber Security Safety Board. The attack affected multiple government agencies and private companies, highlighting the vulnerability of critical infrastructure to cyber attacks.


In the wake of a series of destabilizing and damaging cyber attacks, there has been a growing call for the U.S. government to establish an analogue of the National Transportation Safety Board (NTSB) to investigate cyber attacks. As we recently argued in a letter to the Wall Street Journal, we think that it is past time for such a move. The SolarWinds hack, for example, highlights many vulnerabilities that have gone unaddressed for too long. First, it shows that the nation’s approach to supply-chain cybersecurity is notoriously inadequate. Second, it demonstrates that a go-it-alone strategy for cybersecurity risk management is doomed to failure. Cybersecurity firm FireEye ’s coming forward helped ring the alarm that U.S. early-warning sensors reportedly missed. Third, it highlights the extent to which our nation’s critical infrastructure remains vulnerable, despite decades of efforts aimed at improving our defenses.But how would such a Board function, and could it succeed where past public-private collaborations have fallen short given the rapid pace of technical innovation multifaceted challenges permeating the information security field? This presentation investigates this policy prescription by assessing how it could be used to respond to recent cyber incidents such as SolarWinds, applying lessons from the history and evolution of the original NTSB, examining the challenges (technical, political, and administrative) in establishing a National Cybersecurity Safety Board (NCSB), and globalizing the discussion to ascertain how other nations are approaching this same issue. However, it is not necessary to wait for the U.S. government to act; rather, states, and the private sector, can launch a beta version of this NCSB today. In short, we will make the case that it is time for Congress to create a cybersecurity safety board to investigate breaches to find out why they happened and how to prevent them from happening again. It’s exactly the type of entity that could play a role in preventing future SolarWinds-scale breaches. We recognize that no single reform can make breaches like SolarWinds’ as rare as plane crashes, but this would be a step in the right direction.