Rob Knake, Principal Investigator
Adam Shostack, Co-Principal Investigator
Steve Bellovin, Project Advisor
To learn more about this project please contact:
Sr. Research Scientist in Cybersecurity and Security, Global Resilience Institute
Creating an organization to investigate cyber incidents modeled on the National Transportation Safety Board (NTSB) was first proposed in 1991 and many experts in the field have promoted the idea since then. The related concept of a “near misses” database modeled on the aviation community’s Aviation Safety Reporting System (ASRS) and the Arrival Runway Incursion Alerting System (ARIAS) has also been recommended by the academic and policy community. To date, these models have not been put in to practice. GRI received a small grant from the National Science Foundation (NSF) to hold a workshop on the concept on April 29, 2020. The goal of the workshop is to develop a research agenda on this subject and promote multiple lines of research to move the concept forward.
Related Case Study
Anatomy of a Megabreach: Equifax Report
In April 2018, a group of hackers (whose affiliation is not publicly known) were successful in siphoning 300 to 400 million pesos from Mexican commercial banks, equivalent to $15 to $20 million. This hack was made easier due to a sloppy network design within the Mexican financial system along with security oversights in SPEI – Mexico’s domestic money transfer platform run by central bank, Banco de México. Security holes in the bank systems – particularly the ability to use a single compromised employee’s credentials to get deep into the network – also enabled this hack. Furthermore, the lack of protection around transaction data allowed the hackers to track and manipulate the data.
The hackers would direct phantom funds to real accounts under pseudonyms, then send a cash mule to withdraw the money. The individual transactions were small enough for the hackers to siphon this money under the radar of the banks. The hackers had a clear insight into the technological infrastructure of SPEI, and knew where to target their attacks. Since the attacks, Banco de México has tightened its policies and established minimum cybersecurity standards for Mexican banks that link to SPEI. They hope that through cooperation and knowledge-sharing, they can collectively work on strengthening their cybersecurity.
The hacking group known as Fin7 operates in an organized, professional manner, observed to work on a typical Monday-Friday business schedule. The people working in this group seem to treat this as a typical job, going to work to steal credit card numbers. While this group appears to be Russian speaking, they have yet to be tied to a home country. Fin7 has been successful in various data heists from well known organizations including The Hudson’s Bay Company, Omni Hotels & Resorts, and Whole Foods. Cofounder and CTO of intelligence firm Gemini Advisory Dmitry Chorine says that Fin7 appears to be connected to “almost every major point of sale breach” and makes an estimated $50 million each month.
Fin7 is well-known and associated closely with retail and hospitality credit card number heists. Another group – potentially another division of Fin7 – is known to target financial organizations to steal and launder money, through operations nicknamed Carbanak or Cobalt. One thing that is clear is that these actors all evolved from malware campaigns using the banking trojans Carberp and Anunak from 2013-2015 to attack financial institutions. Among other things, Fin7 is very effective at quickly developing new strategies and tools; for instance, it took them one day to create a fileless malware attack for a new weakness in Microsoft applications. Another big asset is Fin7’s ability to evade antivirus scans, along with their ability to develop their own malware tools and hacking styles. Though Fin7 has largely managed to evade detection, a key figure was arrested by the Spanish police working with Europol, the FBI, and other international agencies in early 2018; even so, Fin7 continues on.
An analysis of the Turkish Airlines Boeing 737 crash near Amsterdam in 2009 reveals that the fault lies not only in the crew, as was widely believed, but also in Boeing’s risky design choices and faulty safety assessments. However, criticisms of Boeing were played down or excluded from the Dutch Safety Board’s final report after pushback from an American team including Boeing and federal safety officials. Rather than publish criticisms by Dr. Dekker – an aviation safety expert commissioned by the Dutch Safety Board to analyze the crash – the board instead emphasized blame on the pilots.
The plane in the 2009 crash was a predecessor to Boeing’s 737 Max plane, which was grounded last year after accidents killed 346 people in Ethiopia and Indonesia. In both the 2009 and 2019 accidents, Boeing’s 737 Next Generation design allowed powerful computer commands to be triggered by a single faulty sensor. In the 2009 crash, an altitude sensor malfunctioned, causing a computer command to cut the plane’s speed right before landing. In the 2019 crashes, a sensor measuring the plane’s angle to the wind malfunctioned, causing a computer control to push down the plane’s nose after takeoff. Boeing did not include information in operations manuals regarding these malfunctions, leaving the pilots unprepared to react appropriately.
Since the 2019 crash, the FAA has required airlines to install a software update for the Next Generation design that compares data from two sensors rather than relying on only one. However, this software had already been developed even before the 2009 crash, and Boeing had included it on new planes starting in 2006; but for older planes, Boeing did not develop a compatible version until after the accident. NTSB officials have acknowledged that the reliance on a single sensor was a contributing factor in both the 2009 and 2019 crashes, but still maintains the argument that there were many complicating factors in the crashes – placing emphasis on the pilots.
- NTSB Authorizing Language: FAA Reauthorization Act of 2018 & H.R.4166 – Safe Landings Act
- NTSB Manual: Major Investigations Processes
National Transport Safety Board Methodology for Investigating Operator Fatigue in a Transportation Accident
The approach of the National Transport Safety Board is to deduce the exact details of an event via a variety of checklists. This particular checklist emphasizes the role of human error – i.e. exhaustion – in various accidents. The methodology begins with establishing four primary questions. These questions center around habits leading up to the accident and segue into initial observations. Within a cyber context, simple behaviors such as lending out passwords, using a USB device, or employee disgruntlement may establish the premise for a consequent cyber incident.
This manual establishes the key points of a large scale accident investigation. An investigation of this caliber is broken up into pre-investigation preparation, notification and initial response, on-scene activities, identifying responsibilities, post-on-scene activities, etc. By laying out the step-by-step processes by which the transportation industry may investigate large scale accidents, the room for error in consequent courses of action drops exorbitantly. Within a cyber-context, laying out a process by which private and public sector entities investigate cyber incidents would mirror the same result.
Six recommendations published by the Commission on Physical Sciences, Mathematics and Applications, the Computer Science and Telecommunications Board, National Research Committee and System Security Study Committee that underscore the need to launch an oversight process to assist in the secure use of computer and communications systems.
Richard Bejtlich, FireEye’s former Chief Security Strategist, proposing the creation of a National Digital Security Board (NDSB) mirrored after the National Transport Safety Board (NTSB).
The RAND Corporation blog calling for the implementation of a committee to undertake impartial expert investigations – a ‘cyber safety board.’
The Major Cyber Incident Investigations Board IEEE alludes to the NTSB being the reason why the aviation industry is remarkably safe. Given that no board of this nature exists for cyber incidents, these incidents will continue.
“It’s time for a National Cybersecurity Safety Board”, following the Sony breach of 2014, calls for the creation of a National Cybersecurity Safety Board (NCSB) to prevent repeated information security breaches.
An analysis in support of a cyber insurance program. A particular emphasis is placed on the lack of private sector transparency, reuse of malware and repeated exploitation of the same vulnerabilities rendering this program difficult to implement at present.
As Americans are moving more data onto cloud servers and external databases, information security requires the creation of a third party investigatory body.
Paul Rosenzweig of R Street floats the proposal of Rep. Denny Heck (D – Wash.) in that a Computer Network Safety Board (CNSB) could be constructed along the same lines as the NTSB.
The Next step in Federal Cybersecurity? Considering an NTSB-Style Computer Safety Board – Jessica L. Beyer, Drake Birnbaum, Thomas Zech
A study done by the Henry M. Jackson School at the University of Washington shows that federal responsibility for cybersecurity is distributed across numerous active agencies. This current system creates a complex and confusing network actors responsible for cybersecurity.
That Was Close! Reward Reporting of Cybersecurity ‘Near Misses’ – Jonathan Bair, Steven M. Bellovin, Andrew Manley, Blake Ellis Reid, and Adam Shostack
To navigate the fears of reputational risk following a cyberattack, this piece in the Colorado Technology Law Journal argues that mandatory reporting and investigations should be implemented. This route, in addition to a rewards system, would provide incentives for transparency.
A report by The Wall Street Journal stating that when there’s an air crash, regulators investigate. As done previously, contributing author Scott J. Shackelford calls for a similar safety committee be created for cyber incidents.
Denny Heck (D. – Wash) puts forth a campaign platform to improve information security practices via the creation of a Computer Network Safety Board (CNSB).
This paper outlines the benefits of creating a cyber incident data repository. It argues that improved information sharing capabilities amongst the federal government, enterprise risk owners, and insurers will increase awareness around current ‘cyber risk conditions’ and help identify emerging cyber risk trends.
Breaking the Target: An Analysis of Target Data Breach and Lessons Learned – Xiaokui Shu, Ke Tian*, Andrew Ciambrone* and Danfeng (Daphne) Yao, Member, IEEE
This paper analyzes the events leading up to the second most devastating data breach in history: the attack on the Target Corporation. It breaks down the timeline, methodology and anatomy of BlackPOS – the malware used in the attack. In addition to a case analysis, this paper discusses the lack of consideration placed on safeguarding credit card information, and the need for improved transparency between large private sector entities and government agencies.