• United States




It’s time for a National Cybersecurity Safety Board (NCSB)

Feb 19, 20154 mins
Data BreachIT Leadership

Credit: Thinkstock

In his book The Psychological Edge: Strategies For Everyday Living, clinical psychologist Dr. Samuel Shein writes that while we have a National Transportation Safety Board (NTSB), there is no National Psychological Research Board (NPRB). A group like the NPRB could investigate national disasters caused by those with psychological issues.

Even with tragedies such as the Columbine High School and Sandy Hook Elementary School massacres, to the Heaven’s Gate mass suicide, 9/11 and more; the US still lacks a central agency that deals with psychological-based tragedies. Creating a NPRB could be crucial to avoid future tragedies and senseless deaths.

With regards to information security, the Sony breach of 2014 shows that the time has arrived to create a National Cybersecurity Safety Board (NCSB). The debacle of the FBI prematurely attributing the attack to the North Korean government is still causing embarrassment, especially to information security professionals who note that attribution, and determination of root cause and probable cause, takes time to determine.

As for the NTSB, in 1967, Congress established the NTSB as an independent agency placed within the Department of Transportation (DOT). Based on that, the NCSB would likely be placed within the Department of Commerce, Federal Trade Commission or most likely the Department of Homeland Security.

In creating the NTSB, Congress envisioned that a single organization with a clearly defined mission could more effectively promote a higher level of safety in the transportation system than the individual modal agencies working separately.

In 2000, the NTSB embarked on a major initiative to increase employee technical skills and make its investigative expertise more widely available to the transportation community by establishing the NTSB Academy at George Washington University. To date, it has issued over 13,000 safety recommendations to more than 2,500 recipients.

Based on the success of the NTSB, I think a NCSB that could perform similar tasks when it comes to information security. Transportation disasters and security breaches have many parallels, and by having a body to investigate information security breaches and advise on security safety, the entire industry would benefit.

What would a NCSB look like? As a start, when an investigation of a major breach would occur, there would be a NCSB go team comprised of specialists in fields. The go team would include experts in the following areas: malware, digital forensics, application security, network security, network infrastructure, operating systems and more. They would work in concert with the breached organizations and affected vendors.

Like the NTSB, the NCSB would determine if it needs to hold a public hearing on the breach. After all that is done, it would publish a final report and issue security recommendations. Like the NTSB, the NCSB would likely not have any legal authority to implement, or impose, its recommendations. That burden would fall upon regulators at either the federal or state level.

The NTSB also has a Most Wanted List, which represents the agencies’ advocacy priorities, designed to increase awareness of, and support for, the most critical changes needed to reduce transportation accidents and save lives. The NCSB would also issue its annual cybersecurity most wanted list.

Creating the NCSB in the model of the NTSB would be a benefit to every US organization. After megabreaches at Anthem, Heartland Payment Systems, Evernote, TJX, Target, Home Depot, Sony and much more; it still leaves us in early 2015 at a standstill, when it comes to breach information sharing, cause determination and proposed recommendations.

Creating a NCSB is an idea whose time has come. If it does get created, it will be a crucial step in the growth and maturity of information security.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author