Lesson-learning workstream
Accidents happen. How we learn from them — or fail to — is one of the defining features of a complex system. I've been very interested in what we do and don't learn since at least The New School of Information Security.
- How to Stand Up a Major Cyber Incident Investigations Board (2022)
- As we wrote the report on Adapting Aviation Safety Models, we also worked on a how-to guide. We realized that many of the lessons and tradeoffs we learned about or crystallized along the way were worth capturing, because listing and explaining them helps people who want to stand up an investigations process move faster and more predictably. The report: How to Stand Up a Major Cyber Incident Investigations Board. We took the name from Steve Bellovin's work to avoid confusion with the newly created Cyber Safety Review Board (CSRB). Suggested citation: Ontiveros, Victoria, Tarah Wheeler and Adam Shostack. "How to Stand Up a Major Cyber Incident Investigations Board." Paper, June 2022.
- Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity (2021)
- Over four months in the spring of 2021, more than 70 experts participated in a (virtual) workshop on the concept of creating a "Cyber NTSB". The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard's Belfer Center with support from Northeastern University's Global Resilience Institute. With Rob Knake and Tarah Wheeler. The report is available from the Learning from Cyber Incidents project at the Harvard Kennedy School's Belfer Center.
- That Was Close! Reward Reporting of Cybersecurity 'Near Misses' (2017)
- From the abstract: "While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data... An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or 'near misses' would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are."
Cite: Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam, "That Was Close! Reward Reporting of Cybersecurity 'Near Misses'" (Feb 22, 2018). Colorado Technology Law Journal 16.2.
Available at Colorado Tech Law Journal (see full issue).
- Editorials
- Ten Questions We Hope the Cyber Safety Review Board Answers—and Three It Should Ignore, Steven M. Bellovin, Adam Shostack, Tarah Wheeler, Lawfare, February 9, 2022
- Finally! A Cybersecurity Safety Review Board Steven M. Bellovin, Adam Shostack, Lawfare, June 7, 2021
- The urgent need to stand up a cybersecurity review board, Adam Shostack, Tarah Wheeler, and Victoria Ontiveros, Brookings, December 15, 2021
- Select news coverage
- U.S. Anti-Hacking Effort Slowed by Cyberattack Review Board Delay, Andrea Vittorio, Bloomberg Law, Jan 24, 2022
- Mayday: Computer Crash Investigations, Tom Uren, Srsly Risky Biz, Feb 10, 2022