The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”
About the project
The idea of modeling an entity to investigate cyber incidents on the National Transportation Safety Board (NTSB) was first proposed in 1991 in a National Research Council report. Since then, multiple individuals and group reports have proposed its creation yet no in-depth proposal has ever been developed. Among the issues remaining to be examined is the scope of the proposed Cyber NTSB’s authority and investigative powers and its position among the existing investigative agencies including the NSA and FBI.
Similarly, the idea of modeling a learning system for cybersecurity on the aviation industry’s “near miss” reporting efforts has been proposed but no pilot efforts have been undertaken. A principle concern in this area is the need for whistleblower protections and potential conflict with corporations’ disinclination to disclose cybersecurity risks. The Learning From Cyber Incidents project is focused on moving these concepts forward toward implementation through a workshop series and ongoing policy development.
President Biden issued an executive order on May 12, 2021 calling for the Secretary of Homeland Security to establish a Cyber Safety Review Board. The executive order envisions a review board that will convene to review and assess major cybersecurity incidents at the direction of the President or when the Secretary of Homeland Security deems it necessary. Representatives from the Department of Defense, the Department of Justice, CISA, NSA, and FBI, as well as appropriate private-sector cybersecurity or software suppliers determined by the Secretary of Homeland Security, will sit on the Board. The guidance outlined in the executive order will inform the Learning From Cyber Incidents project’s next steps in supporting the development of a Cyber Safety Review Board.
CO-DIRECTORS
AFFILIATES
FOUNDER, ALUM
WORKSHOPS
In the spring of 2021, the Belfer Center for Science and International Affairs at Harvard University organized a multi-session virtual workshop on creating a cyber incident investigative capacity modeled on the National Transportation Safety Board (NTSB). The goal of the workshop was to develop a research agenda to further the concept.
2021 Workshop Agenda
| ||
| ||
Cyber Incident Reports
Significant past incidents have been investigated by Federal authorities and reports on those investigations released. These reports can inform the development of the Cyber NTSB concept by serving as templates for investigate reports and highlighting the limits of existing authorities.
Sample government reports include:
-
The Equifax Data Breach, Majority Staff Report, 115th Congress, December 2018.
- On September 7, 2017, Equifax announced a cybersecurity incident affecting 143 million consumers. This number eventually grew to 148 million—nearly half the U.S. population and 56 percent of American adults. This staff report explains the circumstances of the cyberattack against Equifax, one of the largest consumer reporting agencies (CRA) in the world.
- Link to official report
-
Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach, GAO-18-559, August 2018.
- In July 2017, Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. The Equifax breach resulted in the attackers accessing personal information of at least 145.5 million individuals.
- Link to official report
-
Kristin Finklea et al., Cyber Intrusion into U.S. Office of Personnel Management: In Brief, Congressional Research Service, July 17, 2015.
- On June 4, 2015, the U.S. Office of Personnel Management (OPM) revealed that a cyber intrusion had impacted its information technology systems and data, potentially compromising the personal information of about 4.2 million former and current federal employees. Later that month, OPM reported a separate cyber incident targeting OPM’s databases housing background investigation records. This breach is estimated to have compromised sensitive information of 21.5 million individuals.
- Link to official report
-
U.S. Office of Personnel Management, Actions to Strengthen Cybersecurity and Protect Critical IT Systems, June 2015
- The 2015 intrusions into U.S. Office of Personnel Management (OPM) systems that house personnel and background investigation data for Federal employees and other individuals have raised questions about the security of OPM data and the integrity of its Information Technology (IT) assets.
- Link to official report
-
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, Majority Staff Report, September 7, 2016
- In June 2015, attackers exfiltrated personnel files of 4.2 million former and current government employees and security clearance background investigation information on 21.5 million individuals.
- Link to official report
-
South Carolina Department of Revenue Public Incident Response Report, Mandiant, November 20, 2012. [Tao Security Case Study]
- On October 10, 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. The Department of Revenue reviewed the data provided and identified that the data provided would have been stored within databases managed by the Department of Revenue. On October 12, 2012, Mandiant was contracted by the Department of Revenue to perform an incident response.
- Link to official report. Link to Tao Security Case Study.
Non-government sample reports include:
-
Analysis of the Cyber Attack on the Ukrainian Power Grid Defense Use Case, SANS/E-ISAC, March 18, 2016
- On December 23, 2015, the Ukrainian Kyivoblenergo, a regional electricity distribution company, reported service outages to customers. It was revealed that three different energy distribution companies were attacked, resulting in several outages that caused approximately 225,000 customers to lose power across various areas. Shortly after the attack, Ukrainian government officials claimed the outages were caused by a cyber attack, and that Russian security services were responsible for the incidents. Following these claims, investigators in Ukraine, as well as private companies and the U.S. government, performed analysis and offered assistance to determine the root cause of the outage. Both the E-ISAC and SANS ICS team was involved in various efforts and analyses in relation to this case since December 25, 2015, working with trusted members and organizations in the community.
- Link to official report
-
Xiaokui Shu, Ke Tian*, Andrew Ciambrone* and Danfeng (Daphne) Yao, Breaking the Target: An Analysis of Target Data Breach and Lessons Learned, January 18, 2017.
- Between November 27 and December 18, 2013, the Target Corporation’s network was breached, which became the second largest credit and debit card breach after the TJX breach in 2007. In the Target incident, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The ordeal cost credit card unions over two hundred million dollars for just reissuing cards.
- Link to official report
-
Hackers hit Norsk Hydro with ransomware. The company responded with transparency, Microsoft, December 16, 2019.
- Norsk Hydro, one of the world’s largest aluminum companies, was targeted in March of 2019. The breach would ultimately affect all 35,000 Norsk Hydro employees across 40 countries, locking the files on thousands of servers and PCs. The financial impact would eventually approach $71 million.
- Link to official report
Law enforcement investigations that lead to indictments can also be a good source of information on significant cyber incidents:
-
Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe, U.S. Department of Justice, February 17, 2021.
- Indictment Expands 2018 Case that Detailed Attack on Sony Pictures and Creation of WannaCry Ransomware by Adding Two New Defendants and Recent Global Schemes to Steal Money and Cryptocurrency from Banks and Businesses while Operating in North Korea, China
- Link to official report
-
Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace, U.S. Department of Justice, October 19, 2020
- Beginning in or around November 2015 and continuing until at least in or around October 2019, the defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
- Link to official report
-
Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally, U.S. Department of Justice, September 16, 2020.
- In August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments charging five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.
- Link to official report
-
Two Iranian Nationals Charged in Cyber Theft Campaign Targeting Computer Systems in United States, Europe, and the Middle East, U.S. Department of Justice, September 16, 2020.
- On September 16, 2020, two Iranian nationals were charged in connection with a coordinated cyber intrusion campaign – sometimes at the behest of the government of the Islamic Republic of Iran (Iran) – targeting computers in New Jersey, elsewhere in the United States, Europe and the Middle East.
- Link to official report
-
Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research, U.S. Department of Justice, July 21, 2020.
- On July 21, 2020, a federal grand jury in Spokane, Washington, returned an indictment charging two hackers, both nationals and residents of the People’s Republic of China (China), with hacking into the computer systems of hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy, and democratic and human rights activists in the United States and abroad, including Hong Kong and China. The defendants in some instances acted for their own personal financial gain, and in others for the benefit of the MSS or other Chinese government agencies. The hackers stole terabytes of data which comprised a sophisticated and prolific threat to U.S. networks.
- Link to official report
-
Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information, U.S. Department of Justice, December 20, 2018.
- Zhu Hua (朱华), aka Afwar, aka CVNX, aka Alayos, aka Godkiller; and Zhang Shilong (张士龙), aka Baobeilong, aka Zhang Jianguo, aka Atreexp, both nationals of the People’s Republic of China (China), were members of a hacking group operating in China known within the cyber security community as Advanced Persistent Threat 10 (the APT10 Group). The defendants worked for a company in China called Huaying Haitai Science and Technology Development Company (Huaying Haitai) and acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.
- Link to official report
-
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations, U.S. Department of Justice, October 4, 2018.
- A grand jury in the Western District of Pennsylvania indicted seven defendants, all officers in the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces of the Russian Federation, for computer hacking, wire fraud, aggravated identity theft, and money laundering. According to the indictment, beginning in or around December 2014 and continuing until at least May 2018, the conspiracy conducted persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.
- Link to official report
-
U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage, U.S. Department of Justice, May 19, 2014.
- A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers on May 14, 2014, for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries. The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs).
- Link to official report
Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity
Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute.
You can find the report linked here: https://www.belfercenter.org/publication/learning-cyber-incidents-adapting-aviation-safety-models-cybersecurity
Resources on the National Transportation Safety Board
- The National Transportation Safety Board (NTSB) is an independent agency of the United States Government responsible for the investigation of transportation accidents. It was established in 1967 to conduct independent investigations of all civil aviation accidents in the United States and major accidents in the other modes of transportation. It is not part of the Department of Transportation, nor organizationally affiliated with any of DOT's modal agencies, including the Federal Aviation Administration. The Safety Board has no regulatory or enforcement powers.
- The NTSB investigates every civil aviation accident in the United States and significant crashes in other modes of transportation, including ruptures of oil and gas pipelines. Following the investigation, NTSB staff provide a draft report, including probable cause, findings, and recommendations and in a public hearing, the five-member Board votes to approve (or amend) a report which may include safety recommendations.
- Accident Reports are one of the main products of an NTSB investigation. Reports provide details about the accident, analysis of the factual data, conclusions and the probable cause of the accident, and the related safety recommendations. Most reports focus on a single accident, though the NTSB also produces reports addressing issues common to a set of similar accidents. The NTSB's reports can be found here.
- The NTSB holds no authority to require agencies to adopt its recommendations. Instead, it uses its “Most Wanted List” as an advocacy tool to advance transportation safety policies.
- The NTSB’s Aviation Investigation Manual provides information and guidance to NTSB employees who are involved in organizing and conducting investigations.
- The existing NTSB is authorized by Congress through a series of legislative acts including the Transportation Safety Act 1974 with amendments made in a 1996 bill.
- A list of the NTSB's major investigations can be found here.
Additional Resources that Offer Guidance in the Crafting of a Cyber Incident Review Board
- The Chairman of the Joint Chiefs of Staff Manual outlines the Department of Defense's Cyber Incident Handling Program. The manual can be found here.
- The National Institute of Standards and Technology published a Computer Security Incident Handling Guide to offer recommendations to organizations in regards to establishing computer security incident response capabilities and handling security incidents. The guide can be found here.
- "That Was Close! Reward Reporting of Cybersecurity 'Near Misses,'" an article published in the Colorado Law Journal in 2017, examines the long-standing systems of reporting near misses in aviation and proposes the creation of a Cyber Safety Reporting System (CSRS). The authors, Jonathan Bair, Steven M. Bellovin, Andrew Manley, Blake Reid, and Adam Shostack, conclude by considering how a CSRS should be organized and housed. The article can be found here.