Lesson-learning workstream
Accidents happen. How we learn from them — or fail to — is one of the defining features of a complex system. I've been very interested in what we do and don't learn since at least The New School of Information Security.
- Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19
Abstract: The devastating health, societal, and economic impacts of the COVID-19 pandemic illuminate potential dangers of unpreparedness for catastrophic pandemic-scale cyber events. While the nature of these threats differs, the responses to COVID-19 illustrate valuable lessons that can guide preparation and response to cyber events....
Suggested citation: Adam Shostack, Josiah Dykstra, Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19, pre-print, 15 August 2024, https://doi.org/10.48550/arXiv.2408.08417
- Inaugural workshop on Cyber Public Health (2024)
- The first workshop on Cyber Public Health was hosted by Google in New York on Jan 9, 2024. The final report is now available. (For archival purposes, the summary report is here.) My keynote was Towards a Science of Cyber Public Health.
Suggested citation: Adam Shostack, Inaugural Workshop on Cyber Public Health, CyberGreen Institute Tech Report 24-01, June 2024. https://cybergreen.net/workshop-report-24-01-inaugural-workshop-on-cyber-public-health, DOI: 10.13140/RG.2.2.22399.62887
- How to Stand Up a Major Cyber Incident Investigations Board (2022)
- As we wrote the report on Adapting Aviation Safety Models, we also worked on a how-to guide. We realized that many of the lessons and tradeoffs that we learned about or crystallized as we worked on that report were worth capturing, because listing and explaining them helps people who want to stand up an investigations process move faster and more predictably. The report: How to Stand Up a Major Cyber Incident Investigations Board. We took the name from Steve Bellovin's work to avoid confusion with the newly created CSRB. Suggested citation: Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. “How to Stand Up a Major Cyber Incident Investigations Board.” Paper, June 2022.
- Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity (2021)
- Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute. With Rob Knake and Tarah Wheeler. The report is available from the Learning from Cyber Incidents project at the Harvard Kennedy School's Belfer Center.
- That Was Close! Reward Reporting of Cybersecurity 'Near Misses' (2017)
- From the abstract: "While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data... An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are."
Cite: Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam, "That Was Close! Reward Reporting of Cybersecurity 'Near Misses'" (Feb 22, 2018). In Colorado Technology Law Journal 16.2.
Available at Colorado Tech Law Journal (see full issue).
- Input to the Commission on Enhancing National Cybersecurity
- Steven M. Bellovin, Adam Shostack, Input to the Commission on Enhancing National Cybersecurity. September 2016.
- Editorials
- CSRB Report on Microsoft (blog post, April 15, 2024)
- Ten Questions We Hope the Cyber Safety Review Board Answers—and Three It Should Ignore, Steven M. Bellovin, Adam Shostack, Tarah Wheeler, Lawfare, February 9, 2022
- Finally! A Cybersecurity Safety Review Board Steven M. Bellovin, Adam Shostack, Lawfare, June 7, 2021
- The urgent need to stand up a cybersecurity review board, Adam Shostack, Tarah Wheeler, and Victoria Ontiveros, Brookings, December 15, 2021
- Select news coverage
- U.S. Anti-Hacking Effort Slowed by Cyberattack Review Board Delay, Andrea Vittorio, Bloomberg Law, Jan 24, 2022
- Mayday: Computer Crash Investigations, Tom Uren, Srsly Risky Biz, Feb 10, 2022
Incident databases
There are an increasing number of incident databases. The best have explicit perspectives on what they track, what data elements are tracked, and the use cases or people they expect as users.
Cybersecurity incident/event databases
- European Repository of Cyber Incidents (EuRepoC) “is an independent research consortium dedicated to providing evidence-based scientific analysis of cyber incidents for a better understanding of the current cyber threat environment.” Seems very focused on attribution of incidents and where they happened. (Methodology page, Lawfare discussion.)
- The Verica Open Incident Database “is a community-contributed collection of software-related incident reports.”
- Adrian Sanabria maintains a list of companies that have gone out of business due to a breach.
- PrivacyRights.org maintains a database of data from breaches reported to state Attorneys General and to HHS.
- CSIS maintains a timeline of “significant cyber incidents since 2006, focusing on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars.”
- Board Cybersecurity has an incident tracker focused on public company SEC filings.
- Cybersecurity Data Breaches at Databreachdb.com; apparently not updated since June 2020.
- The Atlantic Council maintains a Supply Chain Security dataset. (The page says last updated July 2020, but the spreadsheet has data through May, 2022.)
- A set of researchers led by Jack Cable have released a ransomware dataset showing over 1,000 cryptocurrency addresses.
AI incident/event databases
- AI Incident Database (with many ties to Georgetown’s Center for Security and Emerging Technology.)
- AI Incidents Database by the Partnership on AI.
- AIAAIC (AI, Algorithmic, and Automation Incidents and Controversies) is an independent, non-partisan, public interest initiative.
- OECD AI Incidents Monitor, run by the OECD for policymakers.
- Sightline, from Protect AI, is more vulnerability focused than incident focused.