Learning from Cyber Incidents

From 2016-2021, the Belfer Center's Cyber Project worked on how lessons can be learned from cyber incidents to better inform defense measures. The focus of this work expanded on the concept of a “Cyber National Transportation Safety Board (NTSB)” and creating a “Near Misses” reporting system, both modeled on how safety improvements are made following an aviation incident.

With support from the National Science Foundation and the Hewlett Foundation, the Belfer Center hosted a series of workshops in 2021.

Tackling the risk of conflict in cyberspace

An initiative part of the Belfer Center's Cyber Project

About the project

The idea of modeling an entity to investigate cyber incidents on the National Transportation Safety Board (NTSB) was first proposed in 1991 in a National Research Council report. Since then, multiple individuals and group reports have proposed its creation yet no in-depth proposal has ever been developed. Among the issues remaining to be examined is the scope of the proposed Cyber NTSB’s authority and investigative powers and its position among the existing investigative agencies including the NSA and FBI.

Similarly, the idea of modeling a learning system for cybersecurity on the aviation industry’s “near miss” reporting efforts has been proposed but no pilot efforts have been undertaken. A principle concern in this area is the need for whistleblower protections and potential conflict with corporations’ disinclination to disclose cybersecurity risks. The Learning From Cyber Incidents project is focused on moving these concepts forward toward implementation through a workshop series and ongoing policy development.

President Biden issued an executive order on May 12, 2021 calling for the Secretary of Homeland Security to establish a Cyber Safety Review Board. The executive order envisions a review board that will convene to review and assess major cybersecurity incidents at the direction of the President or when the Secretary of Homeland Security deems it necessary. Representatives from the Department of Defense, the Department of Justice, CISA, NSA, and FBI, as well as appropriate private-sector cybersecurity or software suppliers determined by the Secretary of Homeland Security, will sit on the Board. The guidance outlined in the executive order will inform the Learning From Cyber Incidents project’s next steps in supporting the development of a Cyber Safety Review Board.

Case Studies

Featured work

Article

Solarwinds Attack

Jun. 21, 2021 by Felipe Bueno
Article

Equifax Data Breach

Jun. 15, 2021 by Victoria Ontiveros
Article

Boeing 737 Max Crashes

Jun. 17, 2021 by Victoria Ontiveros
Article

Positive Train Control

Jun. 23, 2021 by Victoria Ontiveros

The Final Report

Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity

Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute.

People

Leaders and staff part of the Learning from Cyber Incidents initiative

Adam Shostack

Reports & Papers

How to Stand Up a Major Cyber Incident Investigations Board
Tarah Wheeler

Alumni

Reports & Papers

How to Stand Up a Major Cyber Incident Investigations Board
Article

Bruce Schneier on Office Hours Podcast

Feb. 11, 2019
Victoria Ontiveros

Reports & Papers

How to Stand Up a Major Cyber Incident Investigations Board
Felipe Bueno

Reports & Papers

Toward a Collaborative Cyber Defense and Enhanced Threat Intelligence Structure
Robert Knake

Alumni

Reports & Papers

Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity

- The National Transportation Safety Board (NTSB) is an independent agency of the United States Government responsible for the investigation of transportation accidents. It was established in 1967 to conduct independent investigations of all civil aviation accidents in the United States and major accidents in the other modes of transportation. It is not part of the Department of Transportation, nor organizationally affiliated with any of DOT's modal agencies, including the Federal Aviation Administration. The Safety Board has no regulatory or enforcement powers.
- The NTSB investigates every civil aviation accident in the United States and significant crashes in other modes of transportation, including ruptures of oil and gas pipelines. Following the investigation, NTSB staff provide a draft report, including probable cause, findings, and recommendations and in a public hearing, the five-member Board votes to approve (or amend) a report which may include safety recommendations.
- Accident Reports are one of the main products of an NTSB investigation. Reports provide details about the accident, analysis of the factual data, conclusions and the probable cause of the accident, and the related safety recommendations. Most reports focus on a single accident, though the NTSB also produces reports addressing issues common to a set of similar accidents. The NTSB's reports can be found here.
- The NTSB holds no authority to require agencies to adopt its recommendations. Instead, it uses its “Most Wanted List” as an advocacy tool to advance transportation safety policies.
- The NTSB’s Aviation Investigation Manual provides information and guidance to NTSB employees who are involved in organizing and conducting investigations.
- The existing NTSB is authorized by Congress through a series of legislative acts including the Transportation Safety Act 1974 with amendments made in a 1996 bill.
- A list of the NTSB's major investigations can be found here.
- The Chairman of the Joint Chiefs of Staff Manual outlines the Department of Defense's Cyber Incident Handling Program. The manual can be found here.
  The National Institute of Standards and Technology published a Computer Security Incident Handling Guide to offer recommendations to organizations in regards to establishing computer security incident response capabilities and handling security incidents. The guide can be found here.
  "That Was Close! Reward Reporting of Cybersecurity 'Near Misses,'" an article published in the Colorado Law Journal in 2017, examines the long-standing systems of reporting near misses in aviation and proposes the creation of a Cyber Safety Reporting System (CSRS). The authors, Jonathan Bair, Steven M. Bellovin, Andrew Manley, Blake Reid, and Adam Shostack, conclude by considering how a CSRS should be organized and housed. The article can be found here.

Resources on the National Transportation Safety Board

Additional Resources that Offer Guidance in the Crafting of a Cyber Incident Review Board