Plane crashes are investigated. Computer crashes should be, too

Biden's executive order calls for (finally!) creation of an NTSB for cybersecurity

The NTSB investigates all kinds of accidents. It’s time cyber got its own NTSB

When a plane crashes, a government agency rushes to the scene looking for answers…and lessons that might prevent the next plane crash. When computers crash — and the economy crashes, as we’ve seen this week — there is no such fact-finding mission. There should be. And now, perhaps, there will be.

The National Safety Transportation Board, while imperfect, has a remarkable track record for getting to the bottom of transportation disasters. Air travel is remarkably safe, in no small part because of all the public hearings and final reports issued by the NTSB through the years. Yes, wounds are exposed and companies take it on the chin after a crash. That’s the price of learning. Lives are at stake.

Cybersecurity could benefit dramatically from this kind of soul-searching after major attacks.

This week’s Colonial Pipeline ransomware incident and resulting run on gas stations is just the latest incident that screams for some kind of independent agency devoted to this kind of soul searching. And I do mean “just the latest.” A quick trip down memory lane had me re-reading essay after essay calling for a “Computer Network Safety Board” or a “National Cybersecurity Safety Board.” This 2016 report that was part of a NIST Commission cites a 1990(!) publication named Computers at Risk: Safe Computing in the Information Age which called for creation of an incident database, saying “one possible model for data collection is the incident reporting system administered by the National Transportation Safety Board.”

So, this is an idea whose time has come. And perhaps it will. In the wake of the pipeline ransomware incident, President Biden issued an executive order this week addressing cybersecurity. These things can seem like pageantry, but they don’t have to be. The list of actions in the order is non-controversial and has been in the works for a while. Things like: raising government security standards, stronger supply chain/vendor oversight, and improved information sharing. But to me, this is the most critical part of the order:

Establish a Cybersecurity Safety Review Board. The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.

Finally.

This….CSRB?….faces a lot of obstacles. Paul Rosenzweig, one of the essayists who has called for such a thing in the past, laid these obstacles out well in his 2018 paper for R Street. There’s (usually) no wreckage after a computer crash, so investigations will be much harder. There are tens of thousands of important computer hacks every year. Can’t study them all. How will the CSRB pick which ones to examine? Victim companies are notoriously hesitant to share details after an attack, fearing those details will end up in a lawsuit. Sometimes…often…the investigation will be inconclusive. And finally: the “flaw” found by such an investigation will often be a person, not software or hardware.

Good.

I’ve been to 100 conferences where security professionals spend a week talking about fancy new software and then at a closing address, someone ends by saying, “It all comes down to the human element.” I suspect a CSRB will find *many* incidents come down to a mistake made by a person. That’s a good start. Of course, no one person can really screw up something like this. That person is part of a team. S/he is nearly always overworked, part of a flawed system, walking a tightrope without a net, and acting on the wrong incentives. These are the kinds of real problems that can finally be exposed by CSRB reports.

Having covered this industry for 25 years, I am suspicious of the idea that many investigations will be inconclusive. Yes, there are occasional Zero Day hacks and nation-state-sponsored attacks that might elude investigators. But many, many hacks fall into the Equifax camp — they involve an event cascade of errors that should have been caught, like a horror movie where the protagonists miss a dozen or more chances to avert the disaster.

Every one of those movies should be made, and studied, by the CSRB.

Perhaps one conclusion might be limitations on workload, the kind that now protect truck drivers, train engineers and pilots. Perhaps other innovative recommendations will arise from shining such a public light on hacking incidents. Perhaps there will be so many that we’ll move past shaming cybersecurity workers to solving the real problem. If we don’t, we’re going to see a lot more gas lines that result from malicious computer code.