The urgent need to stand up a cybersecurity review board – Brookings Institution

A pile of destroyed desktops and screens is seen as part of a performance during the International Telecoms Fair in Madrid on Nov. 6, 2007. (REUTERS/Sergio Perez)

Just as Bill Murray wakes up each morning in Groundhog Day to the tune of Sonny and Cher’s “I Got You Babe,” executives around the world today begin their days with a familiar piece of news: Their company has been breached. It takes Bill Murray’s weatherman character a few days to realize what’s happening to him and even longer to discover that he can change how he behaves. In cybersecurity that realization hasn’t happened, and, instead, we are living the same day over and over again, hoping that the same behavior will lead to a different tomorrow—one free of massive breaches. 

Changing this cycle requires first understanding the problem of widespread cyber vulnerabilities, and the federal government is beginning to take steps to do so—but not fast enough. In May, President Joe Biden signed an executive order that tasked the secretary of homeland security to stand up a Cyber Safety Review Board that would investigate major incidents affecting government computing systems and disseminate the lessons learned from such incidents. More than six months later, the board exists only on paper, and cyber Groundhog Day marches forward, doomed to repeat the mistakes of the past. Amid widespread computer vulnerabilities, getting this board up and running should be a serious priority, one that has the potential to seriously improve the disastrous state of cybersecurity.

When planes crash or major aviation incidents occur, an independent National Transportation Safety Board investigates using a multistakeholder model and provides an explanation with lessons learned for pilots and the aviation industry. The cybersecurity industry has no similar respected government body helping us create a shared history with lessons learned for our major incidents. In a recent report authored with Rob Knake, at Harvard University’s Belfer Center for Science and International Affairs, we detail how to best design a cybersecurity review board capable of studying major breaches and disseminating lessons learned. As it stands, the cybersecurity industry lacks authoritative, independent investigations capable of understanding how breaches occur and how to carry out systematic improvements. Until such a system exists, major breaches are likely to continue, with predictably disastrous consequences.

A slew of major breaches in recent years have inspired an immense body of cybersecurity regulations, with little discernible improvement in computer security. In 2021 alone, the White House issued a new executive order forcing new cybersecurity rules on American …….

Source: https://www.brookings.edu/techstream/the-urgent-need-to-stand-up-a-cybersecurity-review-board/