Former Facebook CISO Alex Stamos proposed building a cyberspace equivalent of the National Transportation Safety Board (NTSB). He said, “such an agency would track attacks, conduct investigations into the root causes of vulnerabilities and issue recommendations on how to prevent them in the future.” Stamos points out how the public accounting of hacks like SolarWinds does not yield the vital lessons learned that could be applied to minimize the likelihood of a similar event in the future.
Beyond creating an NTSB-like entity, the first policy reform step should be the creation of more fundamental standards governing the management of technology and the disclosure of risks. To use the automobile analogy, after years of unnecessarily fatal incidents on the road, the government enacted laws in the automobile sector to make cars safer and more secure. Such laws don’t exist for digital technology, and until they do, breaches that could otherwise be avoided or minimized won’t be. Companies like SolarWinds and many other 1-2-Star companies will carry on with inadequate security. They will jeopardize customers and partners while not breaking any laws or violating any standards in the process.
The lesson on the need for some baseline standards of performance, enforced through a mix of policy and regulation, has been hard won in all other facets of the economy, such as pharmaceuticals, airlines and environmental protection. The same is needed for something that now drives the economy—digital technology.