
The Case for a Cybersecurity Review Board in Nigeria: Lessons from the U.S. and Beyond



As the digital landscape becomes more complex and intertwined with our daily lives, the need for robust cybersecurity governance has never been more critical. The recent decision by the U.S. Department of Homeland Security (DHS) to terminate the Cyber Safety Review Board (CSRB) has sparked widespread concern, not only for the future of cybersecurity in the U.S. but also for its global implications. This decision brings to light the importance of independent cybersecurity review entities like the CSRB and raises an important question for Nigeria: Do we need our own version of the CSRB?



The Termination of the CSRB and Why It Matters

The CSRB was established under Executive Order 14028 to investigate significant cybersecurity incidents, such as the Log4j vulnerability and breaches attributed to advanced threat actors.


Modeled after the National Transportation Safety Board (NTSB), the CSRB played a vital role in analysing the root causes of incidents and issuing actionable recommendations to strengthen cybersecurity resilience.


Its sudden termination by the DHS, amidst critical ongoing investigations like the Salt Typhoon breaches targeting U.S. telecommunications firms, threatens to disrupt the momentum gained in enhancing cybersecurity transparency and readiness. This move not only leaves a gap in the U.S.’s cybersecurity ecosystem but also removes an entity that inspired the creation of similar frameworks globally.



Lessons from the NTSB’s Success



The National Transportation Safety Board (NTSB) has been instrumental in reducing aviation accidents by investigating incidents, publishing detailed public reports, and providing actionable recommendations. Its impact on air travel safety is unparalleled, with its findings driving policy changes, infrastructure upgrades, and industry-wide adoption of best practices.


The CSRB, like the NTSB, operated as an independent body that could analyse major incidents without assigning blame. By focusing on lessons learned rather than punishment, the CSRB encouraged organisations to be transparent and proactive in addressing cybersecurity challenges. The absence of the CSRB leaves a vacuum that could delay critical cybersecurity reforms, and it serves as a cautionary tale for other nations.



The Situation in Nigeria: A Critical Gap


Unlike the U.S., Nigeria does not currently have an equivalent to the CSRB or NTSB. While there are entities tasked with various aspects of cybersecurity and incident response, they fall short of the holistic, independent approach that the CSRB provided.


Existing Related Entities in Nigeria:

  1. Office of the National Security Adviser (ONSA):

    • Oversees national cybersecurity strategy and coordinates critical infrastructure protection.

    • Limitation: Does not publish detailed public reports on cybersecurity incidents.

  2. Nigeria Computer Emergency Response Team (ngCERT):

    • Focuses on detecting and mitigating cybersecurity threats.

    • Limitation: Primarily focused on real-time threat response, lacking a mandate for post-incident analysis and reporting.

  3. Central Bank of Nigeria (CBN):

    • Enforces the Risk-Based Cybersecurity Framework and Guidelines for financial institutions.

    • Limitation: Sector-specific and does not address cybersecurity incidents in other industries.

  4. Nigerian Communications Commission (NCC):

    • Oversees telecom sector cybersecurity.

    • Limitation: Scope is limited to telecommunications, with minimal cross-sectoral impact.

  5. Nigeria Data Protection Commission (NDPC):

    • Responsible for enforcing data protection laws in Nigeria under the Nigeria Data Protection Act, 2023.

    • Limitation: Scope is limited to privacy and data protection incidents rather than broader cybersecurity threats.


Key Challenge:

None of these entities provide comprehensive public reports detailing the root causes of cybersecurity incidents, lessons learned, and actionable recommendations. This lack of transparency limits nationwide improvements in cybersecurity readiness and resilience.



The Need for a Cybersecurity Review Board in Nigeria

Given the increasing reliance on digital infrastructure and the sophistication of cyber threats, Nigeria urgently needs an independent body akin to the CSRB. Such an entity would:

  • Investigate Significant Incidents: Provide unbiased analysis of major cybersecurity breaches across sectors.

  • Issue Public Reports: Share findings and actionable recommendations to foster transparency and drive nationwide improvements.

  • Promote Collaboration: Bring together experts from government, private sector, and academia to tackle cybersecurity challenges collectively.

  • Support Compliance: Align national cybersecurity practices with international standards such as ISO 27001 and NIST.



Recommendations for Establishing a Cybersecurity Review Board in Nigeria

  1. Government-Led Initiative: Establish the board under the Office of the National Security Adviser (ONSA) to ensure national coverage and authority.

  2. Public-Private Collaboration: Engage stakeholders from industries, regulatory bodies, and cybersecurity firms to provide expertise and diverse perspectives.

  3. Mandate for Transparency: Require the board to publish detailed, non-punitive reports that prioritise lessons learned and actionable outcomes.

  4. Cross-Sector Scope: Ensure the board covers all critical industries, including finance, healthcare, energy, and telecommunications.

  5. Capacity Building: Invest in training and resources to equip the board with the skills and tools needed for effective investigations.

  6. Mandatory Reporting Requirements: Enforce a regulation requiring all corporate entities and government parastatals to report cybersecurity incidents to the board if they:

    • Exceed a defined financial threshold in impact, or

    • Affect national security or critical infrastructure.

      This would ensure that the board has visibility into high-impact incidents and can act accordingly.



Driving the Conversation Forward

The termination of the CSRB in the U.S. should serve as both a cautionary tale and a call to action for Nigeria. Creating a Cyber Safety Review Board could not only enhance Nigeria’s cybersecurity posture but also position the nation as a leader in cybersecurity governance on the African continent.


What do you think? Should Nigeria establish a Cyber Safety Review Board? What should the financial threshold for mandatory reporting be? Share your thoughts in the comments below!


 
 
 
