Even after tragedies ranging from the Columbine High School and Sandy Hook Elementary School massacres to the Heaven's Gate mass suicide, 9/11 and more, the US still lacks a central agency that deals with psychologically based tragedies. Creating an NPRB could be crucial to avoiding future tragedies and senseless deaths.
With regard to information security, the Sony breach of 2014 shows that the time has arrived to create a National Cybersecurity Safety Board (NCSB). The debacle of the FBI prematurely attributing the attack to the North Korean government is still causing embarrassment, especially to information security professionals, who note that attribution, and the determination of root cause and probable cause, takes time.
As for the NTSB, Congress established it in 1967 as an independent agency placed within the Department of Transportation (DOT). Following that model, the NCSB would likely be placed within the Department of Commerce, the Federal Trade Commission or, most likely, the Department of Homeland Security.
In creating the NTSB, Congress envisioned that a single organization with a clearly defined mission could more effectively promote a higher level of safety in the transportation system than the individual modal agencies working separately.
In 2000, the NTSB embarked on a major initiative to increase employee technical skills and make its investigative expertise more widely available to the transportation community by establishing the NTSB Academy at George Washington University. To date, it has issued over 13,000 safety recommendations to more than 2,500 recipients.
Based on the success of the NTSB, I think an NCSB could perform similar tasks when it comes to information security. Transportation disasters and security breaches have many parallels, and by having a body to investigate information security breaches and advise on security safety, the entire industry would benefit.
What would an NCSB look like? As a start, when an investigation of a major breach occurs, an NCSB go team composed of specialists in multiple fields would be dispatched. The go team would include experts in the following areas: malware, digital forensics, application security, network security, network infrastructure, operating systems and more. They would work in concert with the breached organizations and affected vendors.
Like the NTSB, the NCSB would determine whether it needs to hold a public hearing on the breach. After all that is done, it would publish a final report and issue security recommendations. Like the NTSB, the NCSB would likely not have any legal authority to implement or impose its recommendations. That burden would fall upon regulators at either the federal or state level.
The NTSB also has a Most Wanted List, which represents the agency's advocacy priorities and is designed to increase awareness of, and support for, the most critical changes needed to reduce transportation accidents and save lives. The NCSB would likewise issue an annual cybersecurity most wanted list.
Creating the NCSB on the model of the NTSB would benefit every US organization. After megabreaches at Anthem, Heartland Payment Systems, Evernote, TJX, Target, Home Depot, Sony and many more, we are still, in early 2015, at a standstill when it comes to breach information sharing, cause determination and proposed recommendations.
Creating an NCSB is an idea whose time has come. If it does get created, it will be a crucial step in the growth and maturity of information security.
Ben Rothke CISSP is with Nettitude and the author of Computer Security: 20 Things Every Employee Should Know.