Monday, August 21, 2006

National Digital Security Board

While reading Hacker's Challenge 3, I was reminded of some of my earlier thoughts on digital security disasters. I wrote:

My concept is simple: when a bridge fails in the "analog" world, everyone knows about it. The disaster is visible, and engineers can analyze and learn from the event. The lessons they take away make future bridges stronger and safer. I do not see this happening in the digital world.

When I wrote that post I requested hearing stories from blog readers on their own security disasters. I received zero stories. I was naive to think anyone would want to talk about this issues, unless in a forum like Hacker's Challenge. At least there the authors receive royalities and fame, however meager.

While watching a recent Nova episode on Concorde, it mentioned a terrible crash which occurred in 2000. It occurred to me that if this crash affected an American airline, the National Transportation Safety Board would be involved.

The NTSB Web site says:

The National Transportation Safety Board is an independent Federal agency charged by Congress with investigating every civil aviation accident in the United States and significant accidents in the other modes of transportation -- railroad, highway, marine and pipeline -- and issuing safety recommendations aimed at preventing future accidents...

Since its inception in 1967, the NTSB has investigated more than 124,000 aviation accidents and over 10,000 surface transportation accidents. In so doing, it has become one of the world's premier accident investigation agencies. On call 24 hours a day, 365 days a year, NTSB investigators travel throughout the country and to every corner of the world to investigate significant accidents and develop factual records and safety recommendations.


This is exactly what we need in digital security. Not the NTSB, but the NDSB -- the National Digital Security Board. The NDSB should investigate intrusions disclosed by companies as a result of existing legislation. Like the NTSB, the NDSB would probably need legislation to authorize these investigations.

An Amazon.com search found Safety in the Skies: Personnel and Parties in NTSB Aviation Accident Investigations, which I happened to find online as well. Early on it states:

The NTSB bears a significant share of the responsibility for ensuring the safety of domestic and international air travel. Although it is not a regulatory agency, the NTSB's influence weighs heavily when matters of transportation safety are at issue.

The NTSB is independent from every other Executive Branch department or agency, and its mission is simple and straightforward: to investigate and establish the facts, circumstances, and the cause or probable cause of various kinds of major transportation accidents. The safety board is also charged with making safety recommendations to federal, state, and local agencies to prevent similar accidents from happening in the future.

This responsibility is fundamental to ensuring that unsafe conditions are identified and that appropriate corrective action is taken as soon as possible. However, the safety board has no enforcement authority other than the persuasive power of its investigations and the immediacy of its recommendations.

In the scheme of government, the agency's clout is unique but is contingent on the independence, timeliness, and accuracy of its factual findings and analytical conclusions.


I intend to research this issue further and perhaps write more formally about this idea. Any NTSB people reading this blog?

I also think we should have a United States Cyber Corps, but that's another story...

10 comments:

Anonymous said...

Back when I was the lead security person for a web hosting company. I actually modeled responses to incidents roughly on the NTSB model. I was more concerned to know what had happened, if a security measure had failed and where we could improve to prevent a reoccurrence.

Richard Bejtlich said...

Anonymous,

How did you learn the model? Anything else you can share?

Anonymous said...

You need to research more in to the NTSB before recommending it.

Unfortunately, the NTSB can only make recommendations. This has lead it to be an organization that can be "ignored" by the whole of the aviation industry. This has happened several times, to disasterous consequences. I'd have to research it, but I can remember two or three incidents where the NTSB has made recommendations, but both the airlines, and the aircraft manufacturer have ignored them, or made it "optional" for their customers.

One of the recommendations after TWA flight 800 was to put inert gas in unused fuel tanks (similar to what the U.S. Military has done since the around the 1970s due to fires and explosions). To date, over 10 years later there has been no action on this issue.

They may have great "procedures" but when the recommendations can be "ignored" it's tantamount to being useless.

Also, the agency that supervises the NTSB (e.g. the enforcement end of the NTSB) is suppose to (it's in the charter so look it up) 'help support the industry', and therefore has a dual interest of both safety, and promoting the airline industry.

Sorry, but this isn't a good model IMHO.

Richard Bejtlich said...

Anonymous, we'll see. I think a NDSB is far more than most companies would want, even without power to enforce changes.

Keydet89 said...

... when a bridge fails in the "analog" world, everyone knows about it. The disaster is visible, and engineers can analyze and learn from the event.

As a responder, I would suggest that this is where the analogy falls apart. Often, security incidents go undetected or unrecognized. Further, engineers can analyze the disaster, b/c they understand what it takes to design, build and maintain a bridge. The reason I have the job I do is b/c at least some system admins/engineers do not have comparable skillsets.

Hey, I'm not complaining...I love what I do. It's just that sometimes the way things should be don't match up very well with the way things are.

Richard Bejtlich said...

Note to self: the NTSB Academy is nearby in Ashburn, VA.

Richard Bejtlich said...

Second anonymous,

Try reading Lessons Learned and Lives Saved, 1975 - 2005 for examples of recommendations that have been implemented. NTSB claims an 80% implementation rate.

Richard Bejtlich said...

Their unimplemented recommendations are posted on their Most Wanted list.

Ben said...

I wrote this email to Richard a few months ago and as per his request - I'm posting a modified version of that email here.

I'm an recent alum of an United States Cyber Corps program, but I don't think it's exactly what Richard had in mind here when proposing his version of "United States Cyber Corps" along with his proposed version of the National Digital Security Board (NDSB). The existing program is sponsored by the US government (started by Richard Clarke and Victor Maconachy) for students to attend a graduate school program
(see the participating institutions link at the url linked above). While this blog is focused on NSM, the program itself has a wide variety of focuses (depending on the professors teaching the program). At my program, it was strong enough that you could pretty much choose any particular project whether it be NSM (or simply Network Security), Software Security, Forensics, or any other area of IA. For those of you who are American citizens and would like to get a degree in this field (without having to pay tuition and getting to serve the government for a period of time), you may want to contact some of the institutions in the list at the aforementioned url.

(No, this is not a PSA...Just an attempt at providing some clarification)

DrInfoSec said...

Infosec today feels very much like Software engineering 20-30 years ago. Unless and until we have mechanisms and incentives to share the causes of (and lessons learned from) major security disasters, we are bound to have them repeat.

And much like the National Geographic show called "Seconds from Disaster," the analysis can be made to be appealing to and understood by various audiences (techies, non-techies, managers, executives).