While reading Hacker's Challenge 3, I was reminded of some of my earlier thoughts on digital security disasters. I wrote:
My concept is simple: when a bridge fails in the "analog" world, everyone knows about it. The disaster is visible, and engineers can analyze and learn from the event. The lessons they take away make future bridges stronger and safer. I do not see this happening in the digital world.
When I wrote that post I requested hearing stories from blog readers on their own security disasters. I received zero stories. I was naive to think anyone would want to talk about these issues, unless in a forum like Hacker's Challenge. At least there the authors receive royalties and fame, however meager.
While I was watching a recent Nova episode on Concorde, it mentioned a terrible crash that occurred in 2000. It occurred to me that if this crash had affected an American airline, the National Transportation Safety Board would have been involved.
The NTSB Web site says:
The National Transportation Safety Board is an independent Federal agency charged by Congress with investigating every civil aviation accident in the United States and significant accidents in the other modes of transportation -- railroad, highway, marine and pipeline -- and issuing safety recommendations aimed at preventing future accidents...
Since its inception in 1967, the NTSB has investigated more than 124,000 aviation accidents and over 10,000 surface transportation accidents. In so doing, it has become one of the world's premier accident investigation agencies. On call 24 hours a day, 365 days a year, NTSB investigators travel throughout the country and to every corner of the world to investigate significant accidents and develop factual records and safety recommendations.
This is exactly what we need in digital security. Not the NTSB, but the NDSB -- the National Digital Security Board. The NDSB should investigate intrusions disclosed by companies as a result of existing legislation. Like the NTSB, the NDSB would probably need legislation to authorize these investigations.
An Amazon.com search found Safety in the Skies: Personnel and Parties in NTSB Aviation Accident Investigations, which I happened to find online as well. Early on it states:
The NTSB bears a significant share of the responsibility for ensuring the safety of domestic and international air travel. Although it is not a regulatory agency, the NTSB's influence weighs heavily when matters of transportation safety are at issue.
The NTSB is independent from every other Executive Branch department or agency, and its mission is simple and straightforward: to investigate and establish the facts, circumstances, and the cause or probable cause of various kinds of major transportation accidents. The safety board is also charged with making safety recommendations to federal, state, and local agencies to prevent similar accidents from happening in the future.
This responsibility is fundamental to ensuring that unsafe conditions are identified and that appropriate corrective action is taken as soon as possible. However, the safety board has no enforcement authority other than the persuasive power of its investigations and the immediacy of its recommendations.
In the scheme of government, the agency's clout is unique but is contingent on the independence, timeliness, and accuracy of its factual findings and analytical conclusions.
I intend to research this issue further and perhaps write more formally about this idea. Any NTSB people reading this blog?
I also think we should have a United States Cyber Corps, but that's another story...