The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
About the project
The idea of modeling an entity to investigate cyber incidents on the National Transportation Safety Board (NTSB) was first proposed in 1991 in a National Research Council report. Since then, multiple individuals and group reports have proposed its creation, yet no in-depth proposal has ever been developed. Among the issues remaining to be examined is the scope of the proposed Cyber NTSB’s authority and investigative powers and its position among the existing investigative agencies including the NSA and FBI.
Similarly, the idea of modeling a learning system for cybersecurity on the aviation industry’s “near miss” reporting efforts has been proposed, but no pilot efforts have been undertaken. A principal concern in this area is the need for whistleblower protections and potential conflict with corporations’ disinclination to disclose cybersecurity risks. The Learning From Cyber Incidents project is focused on moving these concepts forward toward implementation through a workshop series and ongoing policy development.
President Biden issued an executive order on May 12, 2021, calling for the Secretary of Homeland Security to establish a Cyber Safety Review Board. The executive order envisions a review board that will convene to review and assess major cybersecurity incidents at the direction of the President or when the Secretary of Homeland Security deems it necessary. Representatives from the Department of Defense, the Department of Justice, CISA, NSA, and FBI, as well as appropriate private-sector cybersecurity or software suppliers determined by the Secretary of Homeland Security, will sit on the Board. The guidance outlined in the executive order will inform the Learning From Cyber Incidents project’s next steps in supporting the development of a Cyber Safety Review Board.