Lesson learning workstream
Accidents happen. How we learn from them — or fail to — is one of the defining features of a complex system. I've been very interested in what we do and don't learn since at least The New School of Information Security.
- Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity (2021)
- Over four months in the spring of 2021, over 70 experts participated in a (virtual) workshop on the concept of creating a “Cyber NTSB”. The workshop was funded by the National Science Foundation with additional support from the Hewlett Foundation, and organized by Harvard’s Belfer Center with support from Northeastern University’s Global Resilience Institute. With Rob Knake and Tarah Wheeler. The report was published by the Learning from Cyber Incidents project at the Harvard Kennedy School's Belfer Center.
- That Was Close! Reward Reporting of Cybersecurity 'Near Misses' (2017)
- From the abstract: "While information regarding the causes of major breaches may become public after the fact, what is lacking is an aggregated data set, which could be analyzed for research purposes. This research could then provide clues as to trends in both attacks and avoidable mistakes made on the part of operators, among other valuable data... An alternative is a voluntary reporting scheme, modeled on the Aviation Safety Reporting System housed within NASA, and possibly combined with an incentive scheme. Under it, organizations that were the victims of hacks or “near misses” would report the incident, providing important details, to some neutral party. This database could then be used both by researchers and by industry as a whole. People could learn what does work, what does not work, and where the weak spots are."
Cite: Bair, Jonathan and Bellovin, Steven M. and Manley, Andrew and Reid, Blake E. and Shostack, Adam, "That Was Close! Reward Reporting of Cybersecurity 'Near Misses'" (Feb 22, 2018). In Colorado Technology Law Journal 16.2.
Available at Colorado Tech Law Journal (see full issue)
- Editorials
- Finally! A Cybersecurity Safety Review Board Steven M. Bellovin, Adam Shostack, Lawfare, June 7, 2021
- The urgent need to stand up a cybersecurity review board, Adam Shostack, Tarah Wheeler, and Victoria Ontiveros, Brookings, December 15, 2021
- Select news coverage
- U.S. Anti-Hacking Effort Slowed by Cyberattack Review Board Delay, Andrea Vittorio, Bloomberg Law, Jan 24, 2022
- Mayday: Computer Crash Investigations, Tom Uren, Srsly Risky Biz, Feb 10, 2022