Researchers at the University of Indiana suggested that an independent cybersecurity agency board should be established to investigate cyber attacks and data breaches after conducting a comprehensive academic review.
The board’s structure would resemble the National Transportation Safety Board. Scott Shackelford, an associate professor of business law and ethics, and Austin Brady, a law degree candidate, reviewed the series of events that led to the establishment of the NTSB.
In a paper published on Tuesday, the researchers noted that using the same safety board model would allow a National Cybersecurity Safety Board to “separate fact-finding proceedings from any questions of liability, allowing attribution to be established, for example, without parties initiating litigation.”
Shackelford and Brady also reviewed other proposals to bolster cybersecurity, including the establishment of a federally sponsored cyber risk insurance program that would resemble flood insurance. They concluded that “more robust data breach investigations” was a common theme across every proposal.
“(This) could include on-site gathering of data on why the attack occurred so as to help other companies prevent similar attacks,” the paper stated. “This evokes one of the core functions of the NTSB, that is, to investigate and establish the facts behind an incident, and to make recommendations to help ensure that similar events do not occur in the future.”
The emergence of internet-enabled household devices, along with Microsoft’s projection that the number of connected devices could grow from 11 billion in 2013 to 50 billion by 2020, could pose complex legal challenges for a cybersecurity agency board. However, researchers suggested that the board could operate as a public-private partnership run by a coalition of companies.
“Funding could come from interested stakeholders, such as insurance companies,” the paper stated. “Because such secondary markets would benefit from greater clarity surrounding the attribution of claims, as well as more information about the utility of various cybersecurity best practices.”
The paper also acknowledged limitations of the safety board model, including concerns that it could be used to manage reputations rather than to prevent attacks. Another concern is that the board’s recommendations could be outdated by the time they’re issued. However, researchers concluded that the board’s benefits would outweigh its limitations.
“Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams and aid in effective policymaking at both the state and federal level, given the lack of hard, verifiable data on the scope of cyberattacks,” the paper stated. “The creation of a National Cybersecurity Safety Board could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI.”